https://community.extremenetworks.com/t5/network-architecture-design/question-about-vlan-egress-priority-at-switches-g3g-and-c5k/m-p/14173#M1577 Hello,<BR /> I have the following problem:<BR /> I have a managed 4 Port-Noname-Switch attached at a switch G3G124-24 at port ge.1.4. The managed 4-Port-Switch is manageable and has its own IP-Address and should be reachable via VLAN ID 400 but tagged.<BR /> The G3G124-24 will authenticate the MAC address of the 4-Port-Switch. This authentication will set the egress status of the G3G124-24 switchport ge.1.4 to "vlan egress untagged" for vlan 400. That's normaly OK if it would be a workstation but not for my 4-Port-Switch. The 4-Port switch need to work tagged for vlan 400.<BR /> So I set static VLAN egress 400 on port ge.1.4 and everything is fine.<BR /> The static enty overwrite the egress state of the authentication process.<BR /> <BR /> Now I had to change the G3G124 to a C5K125-48 and the result is:<BR /> The mac auth process will overwrite the static port egress value and my 4-port-Switch is not reachable anymore.<BR /> Is this normal?<BR /> In the past I thought, that egress static has the highest priority but at the C5 it doesn't looks like so.<BR /> Any ideas/sugestions are welcome.<BR /> Regards,<BR /> Axel <BR /> <BR /> Wed, 20 Jun 2018 18:46:00 GMT ar1 2018-06-20T18:46:00Z https://community.extremenetworks.com/t5/network-architecture-design/question-about-vlan-egress-priority-at-switches-g3g-and-c5k/m-p/14173#M1577 Hello,<BR /> I have the following problem:<BR /> I have a managed 4 Port-Noname-Switch attached at a switch G3G124-24 at port ge.1.4. The managed 4-Port-Switch is manageable and has its own IP-Address and should be reachable via VLAN ID 400 but tagged.<BR /> The G3G124-24 will authenticate the MAC address of the 4-Port-Switch. This authentication will set the egress status of the G3G124-24 switchport ge.1.4 to "vlan egress untagged" for vlan 400. That's normaly OK if it would be a workstation but not for my 4-Port-Switch. The 4-Port switch need to work tagged for vlan 400.<BR /> So I set static VLAN egress 400 on port ge.1.4 and everything is fine.<BR /> The static enty overwrite the egress state of the authentication process.<BR /> <BR /> Now I had to change the G3G124 to a C5K125-48 and the result is:<BR /> The mac auth process will overwrite the static port egress value and my 4-port-Switch is not reachable anymore.<BR /> Is this normal?<BR /> In the past I thought, that egress static has the highest priority but at the C5 it doesn't looks like so.<BR /> Any ideas/sugestions are welcome.<BR /> Regards,<BR /> Axel <BR /> <BR /> Wed, 20 Jun 2018 18:46:00 GMT https://community.extremenetworks.com/t5/network-architecture-design/question-about-vlan-egress-priority-at-switches-g3g-and-c5k/m-p/14173#M1577 ar1 2018-06-20T18:46:00Z https://community.extremenetworks.com/t5/network-architecture-design/question-about-vlan-egress-priority-at-switches-g3g-and-c5k/m-p/14174#M1578 Hi ar,<BR /> <BR /> I believe this command should help.<BR /> <BR /> "set vlanauthorization disable "<BR /> <BR /> Once this command is set for that port the VLAN attributes from the Radius server will be ignored.<BR /> So that the static configuration remains, please check and let us know if this helped. Fri, 22 Jun 2018 10:32:00 GMT https://community.extremenetworks.com/t5/network-architecture-design/question-about-vlan-egress-priority-at-switches-g3g-and-c5k/m-p/14174#M1578 Karthik_Mohando 2018-06-22T10:32:00Z https://community.extremenetworks.com/t5/network-architecture-design/question-about-vlan-egress-priority-at-switches-g3g-and-c5k/m-p/14175#M1579 Hello,<BR /> <BR /> and thanks for your idea.<BR /> <BR /> I have tried this but "set vlanauthorization disable " doesn't work in this case.<BR /> I understand this command so that it will disable all vlan authorization at this port.<BR /> So all - at the 4-Port-switch connected End-User-Workstations - will not authenticated, too (I didn't check this) and it will only works if authentication is done with RFC3580 (RADIUS Attribute) but our authentication use the "Filter-ID".<BR /> <BR /> I will try to build a new End-System-Group where I put the 4-Port-switch management MAC address and create a new Policy/NAC-Rule that will only set the egress state to tagged if this MAC address will appear.<BR /> <BR /> I will update this entry here if it will work or not.<BR /> <BR /> best regards,<BR /> Axel<BR /> Mon, 25 Jun 2018 09:57:00 GMT https://community.extremenetworks.com/t5/network-architecture-design/question-about-vlan-egress-priority-at-switches-g3g-and-c5k/m-p/14175#M1579 ar1 2018-06-25T09:57:00Z https://community.extremenetworks.com/t5/network-architecture-design/question-about-vlan-egress-priority-at-switches-g3g-and-c5k/m-p/14176#M1580 Hi all,<BR /> my work around (build a new End-System-Group and create a new Policy/NAC-Rule) works.<BR /> There is only one situation that fail:<BR /> If a device that is authenticated and go into the same vlan (400) where the management port of the 4-port switch is, the switch will not be available because the egress state of the C5K-Switch is changed from tagged to untagged.<BR /> If this device is removed, the C5K-Switch port changed back to tagged and the 4-Port switch is availabe again.<BR /> For me this is an acceptable situation because it should not appear in or organisation.<BR /> Regards,<BR /> Axel<BR /> (Question not answered but work around is acceptable) Tue, 26 Jun 2018 19:39:00 GMT https://community.extremenetworks.com/t5/network-architecture-design/question-about-vlan-egress-priority-at-switches-g3g-and-c5k/m-p/14176#M1580 ar1 2018-06-26T19:39:00Z