Question about VLAN Egress Priority at Switches (G3G and C5K, stativc vers. assign by auth))

  • 0
  • 1
  • Question
  • Updated 3 months ago
  • Doesn't Need an Answer
Hello,
I have the following problem:
I have a managed 4 Port-Noname-Switch attached at a switch G3G124-24 at port ge.1.4. The managed 4-Port-Switch is manageable and has its own IP-Address and should be reachable via VLAN ID 400 but tagged.
The G3G124-24 will authenticate the MAC address of the 4-Port-Switch. This authentication will set the egress status of the G3G124-24 switchport ge.1.4 to "vlan egress untagged" for vlan 400. That's normaly OK if it would be a workstation but not for my 4-Port-Switch. The 4-Port switch need to work tagged for vlan 400.
So I set static VLAN egress 400 on port ge.1.4 and everything is fine.
The static enty overwrite the egress state of the authentication process.

Now I had to change the G3G124 to a C5K125-48 and the result is:
The mac auth process will overwrite the static port egress value and my 4-port-Switch is not reachable anymore.
Is this normal?
In the past I thought, that egress static has the highest priority but at the C5 it doesn't looks like so.
Any ideas/sugestions are welcome.
Regards,
Axel
 
Photo of ar

ar

  • 558 Points 500 badge 2x thumb

Posted 3 months ago

  • 0
  • 1
Photo of Karthik Mohandoss

Karthik Mohandoss, Employee

  • 5,998 Points 5k badge 2x thumb
Hi ar,

I believe this command should help.

"set vlanauthorization disable <port#>"

Once this command is set for that port the VLAN attributes from the Radius server will be ignored.
So that the static configuration remains, please check and let us know if this helped. 
Photo of ar

ar

  • 558 Points 500 badge 2x thumb
Hello,

and thanks for your idea.

I have tried this but "set vlanauthorization disable <port#>" doesn't work in this case.
I understand this command so that it will disable all vlan authorization at this port.
So all - at the 4-Port-switch connected End-User-Workstations - will not authenticated, too (I didn't check this) and it will only works if authentication is done with RFC3580 (RADIUS Attribute) but our authentication use the "Filter-ID".

I will try to build a new End-System-Group where I put the 4-Port-switch management MAC address and create a new Policy/NAC-Rule that will only set the egress state to tagged if this MAC address will appear.

I will update this entry here if it will work or not.

best regards,
Axel
Photo of ar

ar

  • 558 Points 500 badge 2x thumb
Hi all,
my work around (build a new End-System-Group and create a new Policy/NAC-Rule) works.
There is only one situation that fail:
If a device that is authenticated and go into the same vlan (400) where the management port of the 4-port switch is, the switch will not be available because the egress state of the C5K-Switch is changed from tagged to untagged.
If this device is removed, the C5K-Switch port changed back to tagged and the 4-Port switch is availabe again.
For me this is an acceptable situation because it should not appear in or organisation.
Regards,
Axel
(Question not answered but work around is acceptable)
(Edited)