cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1115
Views
4
Helpful
14
Replies

VLAN Tagging Issue

JoshfromPHX
Level 1
Level 1

When I come from the VPN to the Management network I get the correct VLAN tag but when the traffic comes back I get the wrong VLAN tag. Do you know why this would be happening?

172.x.x.x Network = VPN

10.x.x.x Network = Management

JoshfromPHX_0-1680286503205.png

On the L3 switch I am trying to SSH into I have interface vlan 124 set up with the IP of the device. 

I also set the default gateway on the switch to the management network interface vlan 124. 

 

When I take a capture it looks as if the switch tags the return packets to VLAN 1 and the traffic is then dropped. 

The native VLAN is not VLAN 1. 

When I am in the office I can access the management network with no issues. 

Trying to think of more info that would be helpful to note down but that is all I can think of. Any info on this would be helpful. 

 

 

1 Accepted Solution

Accepted Solutions

OK, the SW must use GW for return back, 
it will use the last resort, and tag it with VLAN 1
so either change the GW to be management or config static route in L3SW for VPN Pool of anyconnect toward the subinterface IP of ASA of mgmt VLAN 

View solution in original post

14 Replies 14

Hello,

  It is weird. 

 Can you share the configuration here?  Something I can come up with is that maybe you are facing assymetric routing and the packet is crossing some device it should not cross. Some device that is not doing trunk and is delivering the frame wrongly to your switch.

Which config are you looking for?

The config from the device you saw the logs, must be the switch right? 

If you can do a diagram of the network, also helps

It is L2VPN ? What is VPN you use 

This is the Cisco AnyConnect VPN. 
Remote worker (On Cisco Any Connect) ---> Firewall ----> L3 (This is were I am trying to get to) 

Does that answer your question? 

JoshfromPHX
Level 1
Level 1

When I am on the switch I can ping the default gateway of the management network however when I look at the routing table the packet is routed using the gateway of last resort ... would this make the packet get tagged with vlan 1 ? 

are you meaning that the SW is L2 ?
if Yes then there is chance that the return use different VLAN tag 
solution is 
make the management VLAN ip in FW is the default GW of SW.

make the management VLAN ip in FW is the default GW of SW.

I am not sure I am tracking what you are saying here.... 

JoshfromPHX
Level 1
Level 1

The switch is a L3 switch but in this case the management network subnets gateway is on the firewall.... 

 gateway of last resort <<- the GW of last sort is in which VLAN ?

interface vlan 1 -  when I look at the show run | s I interface vlan 1 the GW of last resort falls into the IP subnet 

but does interface vlan ## means that it will tag with that number as well? When I ran the interface vlan ## that is that turning into a layer 3 interface...? 

OK, the SW must use GW for return back, 
it will use the last resort, and tag it with VLAN 1
so either change the GW to be management or config static route in L3SW for VPN Pool of anyconnect toward the subinterface IP of ASA of mgmt VLAN 

So creating the static route worked however I am not sure if I like that. Because now everyone in the VPN pool will us the management gateway for the route back to the VPN. The whole point of making the management subnet was to keep everyone off that network. Is there a way to set this up without having everyone go over the management network when on the VPN? 

Yes 
there is VPN-filter you can apply to anyconnect group-policy/tunnel-group and this will allow specific VPN access mgmt of SW
Configure VPN Filters on Cisco ASA - Cisco

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Review Cisco Networking products for a $25 gift card