Cisco Bug: CSCvs35681 - SG350: DHCP Relay: Unauthenticated users on guest VLAN fail to communicate in network

Last Modified

Jan 15, 2020

Products (1)

  • Cisco Small Business 500 Series Stackable Managed Switches

Known Affected Releases

2.5.0.90

Description (partial)

Symptom:
When a switch is configured as a DHCP relay and 802.1x is enabled with Guest VLAN support, unauthenticated users, who are expected to join the guest VLAN, are not able to ping the gateway, which leaves them unable to connect to the internet.

This issue happens only if DHCP relay is being used to provide IP addresses to DHCP clients. In a setup where DHCP relay is not used, clients on guest VLANs are able to ping the gateway and access the internet with no problems.

FW: 2.5.0.83
No workaround

Conditions:
Steps to reproduce:

Network Setup:
Router R (Port21 VLAN 10U) >> (Port2 VLAN10U ) SG350 SW (Port3 VLAN10U) >> DHCP Server 

Switch Setup:
(a). 2 VLANs minimum: VLAN 10: IP 192.168.10.2/24, Guest VLAN 30: IP 192.168.30.2/24
(b). Port 4, VLAN 30U
(c). Enable DHCP relay globally and add the DHCP Server IP address: 192.168.10.3
(d). Enable DHCP Relay on VLAN 30
(e). Enable 802.1x and select VLAN 30 as the guest VLAN
(f). Edit port 5 and enable 802.1x and guest VLAN options

Router Setup
(a). Create a static route to the guest VLAN
(b). Create a NAT policy for VLAN 30 so that traffic is routed out to the internet

DHCP Server
Configure your DHCP server so that it serves IP addresses to DHCP clients as it should

Test
(a). Connect a test PC to port 4 of the switch and note that it is able to get an IP address from the DHCP server and that it is also able to access the internet
(b). Now disconnect the PC from port 4, connect it to port 5 and let the authentication fail
(c). Verify that the PC has received the necessary IP settings from the DHCP server
(d). Now ping the gateway, which is the IP address of the guest VLAN
(e). Notice that you can neither ping the gateway nor access the internet.