Default Role on port prevents communication with access switch IP

Tomasz — Thu, 22 Nov 2018 23:54:00 GMT

Hello there,

I am currently playing a little bit with Policy & NAC for EXOS through XMC.
I have created a user role called XYZ with Contain to VLAN as a default action, no rules within. Did that also with default deny + rule to allow ICMP.
The case is, when a port default role is set via Policy manager section in XMC (what I confirm when doing show config policy in EXOS), connected client device cannot ping the VLAN IP address on that switch.

Configuration:
Switch_A is 172.16.11.103/24 on VLAN 11. VLAN 11 is not set to port manually but enforced via static policy role (and it works). Access port in VLAN 11 as untagged. It also contains uplink port as tagged.
Core_A is 172.16.11.1/24 on VLAN 11, downlink to access switch included as tagged and ipforwarding for different purposes.

When a client connected to role-applied port it can ping to Core_A, but cannot ping to Switch_A (timeout).
EXOS version 22.4.1.4.

Any assistance here would be much appreciated, thanks!

Kind regards,
Tomasz

RE: Default Role on port prevents communication with access switch IP

Tomasz — Wed, 05 Dec 2018 16:28:00 GMT

FYI, upgrade to 22.5.1.7patch1-2 solved the issue.

topic RE: Default Role on port prevents communication with access switch IP in ExtremeCloud IQ- Site Engine Management Center

Default Role on port prevents communication with access switch IP

RE: Default Role on port prevents communication with access switch IP