This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Question about VLAN Egress Priority at Switches (G3G and C5K, stativc vers. assign by auth))

Question about VLAN Egress Priority at Switches (G3G and C5K, stativc vers. assign by auth))

ar1
Contributor

‎06-20-2018 11:46 AM

Hello,
I have the following problem:
I have a managed 4 Port-Noname-Switch attached at a switch G3G124-24 at port ge.1.4. The managed 4-Port-Switch is manageable and has its own IP-Address and should be reachable via VLAN ID 400 but tagged.
The G3G124-24 will authenticate the MAC address of the 4-Port-Switch. This authentication will set the egress status of the G3G124-24 switchport ge.1.4 to "vlan egress untagged" for vlan 400. That's normaly OK if it would be a workstation but not for my 4-Port-Switch. The 4-Port switch need to work tagged for vlan 400.
So I set static VLAN egress 400 on port ge.1.4 and everything is fine.
The static enty overwrite the egress state of the authentication process.

Now I had to change the G3G124 to a C5K125-48 and the result is:
The mac auth process will overwrite the static port egress value and my 4-port-Switch is not reachable anymore.
Is this normal?
In the past I thought, that egress static has the highest priority but at the C5 it doesn't looks like so.
Any ideas/sugestions are welcome.
Regards,
Axel

0 Kudos
3 REPLIES 3

ar1
Contributor

‎06-26-2018 12:39 PM

Hi all,
my work around (build a new End-System-Group and create a new Policy/NAC-Rule) works.
There is only one situation that fail:
If a device that is authenticated and go into the same vlan (400) where the management port of the 4-port switch is, the switch will not be available because the egress state of the C5K-Switch is changed from tagged to untagged.
If this device is removed, the C5K-Switch port changed back to tagged and the 4-Port switch is availabe again.
For me this is an acceptable situation because it should not appear in or organisation.
Regards,
Axel
(Question not answered but work around is acceptable)
0 Kudos

ar1
Contributor

‎06-25-2018 02:57 AM

Hello,

and thanks for your idea.

I have tried this but "set vlanauthorization disable " doesn't work in this case.
I understand this command so that it will disable all vlan authorization at this port.
So all - at the 4-Port-switch connected End-User-Workstations - will not authenticated, too (I didn't check this) and it will only works if authentication is done with RFC3580 (RADIUS Attribute) but our authentication use the "Filter-ID".

I will try to build a new End-System-Group where I put the 4-Port-switch management MAC address and create a new Policy/NAC-Rule that will only set the egress state to tagged if this MAC address will appear.

I will update this entry here if it will work or not.

best regards,
Axel
0 Kudos

Karthik_Mohando
Extreme Employee

‎06-22-2018 03:32 AM

Hi ar,

I believe this command should help.

"set vlanauthorization disable "

Once this command is set for that port the VLAN attributes from the Radius server will be ignored.
So that the static configuration remains, please check and let us know if this helped.
0 Kudos
GTM-P2G8KFN