VLAN Tagging Issue

JoshfromPHX (Level 1)

When I come from the VPN to the Management network I get the correct VLAN tag but when the traffic comes back I get the wrong VLAN tag. Do you know why this would be happening?

172.x.x.x Network = VPN

10.x.x.x Network = Management

[screenshot: JoshfromPHX_0-1680286503205.png]

On the L3 switch I am trying to SSH into I have interface vlan 124 set up with the IP of the device. 

I also set the default gateway on the switch to the management network interface vlan 124. 

When I take a capture it looks as if the switch tags the return packets to VLAN 1 and the traffic is then dropped. 

The native VLAN is not VLAN 1. 

When I am in the office I can access the management network with no issues. 

Trying to think of more info that would be helpful to note down but that is all I can think of. Any info on this would be helpful. 

Accepted Solution

OK, the SW must use a GW for the return traffic;
it will use the gateway of last resort and tag it with VLAN 1,
so either change the GW to be the management one, or configure a static route in the L3SW for the AnyConnect VPN pool toward the subinterface IP of the ASA in the mgmt VLAN.


14 Replies

Hello,

It is weird.

Can you share the configuration here? Something I can come up with is that maybe you are facing asymmetric routing and the packet is crossing some device it should not cross. Some device that is not doing trunking and is delivering the frame wrongly to your switch.

Which config are you looking for?

The config from the device you saw the logs, must be the switch right? 

If you can do a diagram of the network, that also helps.

Is it L2VPN? What VPN do you use?

This is the Cisco AnyConnect VPN. 
Remote worker (on Cisco AnyConnect) ---> Firewall ----> L3 switch (this is where I am trying to get to)

Does that answer your question? 

JoshfromPHX (Level 1)

When I am on the switch I can ping the default gateway of the management network; however, when I look at the routing table the packet is routed using the gateway of last resort ... would this make the packet get tagged with VLAN 1?

Are you meaning that the SW is L2?
If yes, then there is a chance that the return uses a different VLAN tag.
The solution is:
make the management VLAN IP on the FW the default GW of the SW.

make the management VLAN IP on the FW the default GW of the SW.

I am not sure I am tracking what you are saying here.... 

JoshfromPHX (Level 1)

The switch is an L3 switch, but in this case the management network subnet's gateway is on the firewall....

gateway of last resort <<- the GW of last resort is in which VLAN?

interface vlan 1 - when I look at the show run | s I interface vlan 1 the GW of last resort falls into the IP subnet.

But does interface vlan ## mean that it will tag with that number as well? When I ran the interface vlan ## command, is that turning into a layer 3 interface...?

OK, the SW must use a GW for the return traffic;
it will use the gateway of last resort and tag it with VLAN 1,
so either change the GW to be the management one, or configure a static route in the L3SW for the AnyConnect VPN pool toward the subinterface IP of the ASA in the mgmt VLAN.

So creating the static route worked; however, I am not sure if I like that. Because now everyone in the VPN pool will use the management gateway for the route back to the VPN. The whole point of making the management subnet was to keep everyone off that network. Is there a way to set this up without having everyone go over the management network when on the VPN?

Yes.
There is a VPN filter you can apply to the AnyConnect group-policy/tunnel-group, and this will allow only specific VPN access to the mgmt of the SW:
Configure VPN Filters on Cisco ASA - Cisco
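To make the accepted answer and the VPN-filter follow-up concrete, here is an added example (constructed for this page, not configuration from the thread). It assumes placeholder addresses: 172.16.0.0/16 stands in for the 172.x.x.x AnyConnect pool, 10.0.124.0/24 for the 10.x.x.x management subnet (VLAN 124 is from the thread), and the ACL and group-policy names are invented.

```cisco
! ===== L3 switch (IOS) =====  constructed example, all addresses are placeholders
!
! Before: the only path back to the 172.x pool is the gateway of last resort,
! which lives in the VLAN 1 subnet, so replies to VPN users leave tagged VLAN 1
! and never reach the ASA's management subinterface.
interface Vlan1
 ip address 10.0.1.10 255.255.255.0          ! placeholder
ip route 0.0.0.0 0.0.0.0 10.0.1.1            ! placeholder: gateway of last resort on VLAN 1
!
interface Vlan124
 description Management
 ip address 10.0.124.10 255.255.255.0        ! placeholder: the IP you SSH to
!
! After, option 1: move the gateway of last resort to the management VLAN.
no ip route 0.0.0.0 0.0.0.0 10.0.1.1
ip route 0.0.0.0 0.0.0.0 10.0.124.1          ! placeholder: ASA mgmt subinterface IP
!
! After, option 2 (what the OP did): leave the default route alone and add a
! specific route for the AnyConnect pool via the ASA's management subinterface.
ip route 172.16.0.0 255.255.0.0 10.0.124.1   ! placeholder: ASA mgmt subinterface IP
!
! Check: a pool address should now resolve via Vlan124, not the last-resort gateway.
! show ip route 172.16.5.5
!
! ===== ASA =====  limit what the pool may reach over the management VLAN
!
! A vpn-filter ACL is applied to decrypted traffic and matched bidirectionally;
! its source/destination convention differs from an interface ACL. The entry
! below follows the "inside host and port first, VPN client second" form as I
! read the linked Cisco document; verify against that document for your version.
access-list VPN-MGMT-FILTER extended permit tcp host 10.0.124.10 eq 22 172.16.0.0 255.255.0.0
!
! Attach the filter to the AnyConnect group policy (name is a placeholder).
group-policy ANYCONNECT-GP attributes
 vpn-filter value VPN-MGMT-FILTER
!
! Check: show vpn-sessiondb anyconnect should list the filter for the session,
! and an SSH to 10.0.124.10 from a pool address should succeed while other
! management-subnet hosts stay unreachable from the VPN.
```

The static route restores symmetric return traffic; the vpn-filter is what keeps the rest of the management subnet closed to VPN users, which was the OP's remaining concern.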
