Cannot Access devices in VLan other than default Vlan - through VPN

Solved
LontzroV

Hello everyone, this is my first inquiry here. I am having trouble setting up a management VLAN on one of our sites. We have Meraki appliances on all our sites (Site A = MX100, Site B = MX80) connected via VPN in hub mode. The appliance on Site A is in single-LAN mode (flat network on that site, no static routes into any subnets), and Site B is in VLAN mode. The switch interfaces are currently still in VLAN 1. I have created a management VLAN on Site B (VLAN 5) on the appliance and on the switches (the switches also have IP interfaces on that VLAN). VLAN 5 is also enabled on the VPN. Locally on Site B I can access those switch interfaces in VLAN 5. However, I cannot access them remotely from Site A.

 

From Site A (MX100, single LAN):

- I can ping the VLAN 5 interface on the Site B appliance
- I cannot ping or access the switch interfaces in VLAN 5

From Site B (MX80, VLAN mode):

- I can access the switch interfaces in VLAN 5
- I can ping the VLAN 5 interface on the appliance
- I can even ping my computer at Site A, from which I intend to manage the switches. So it works that way, but not from my computer to the switches at the remote site.

 

We have only a few basic firewall rules at both sites, and the traffic should not be blocked. Just in case, I added "allow any" rules on both sites, but no success - but then, I also know that firewall rules don't apply to the VPN.

 

There are no blocking rules of any kind in the site-to-site VPN settings.

What am I missing? Any pointers are appreciated!

1 Accepted Solution

Thanks Bruce! What you're saying makes sense. I will try moving the default gateway to VLAN 5 later this week. What puzzles me, though, is that clients in VLAN 1 are able to ping/access the switch interfaces on VLAN 5. This must be through the MX, since no other device on site has routing enabled currently. So I'm having a hard time wrapping my mind around how the MX is routing traffic between VLANs 1 and 5, as well as between VLAN 1 and the VPN, but apparently not between VLAN 5 and the VPN, even though VLAN 5 is included. This is why I posted here, thinking it must be an issue on the MX.

 

Just clarifying: VLAN 5 is intended for management but is not yet set to 'management', so it currently behaves like any other VLAN. I'm waiting until I can successfully access the switches on VLAN 5 before I restrict management traffic to that VLAN.

6 Replies
Bruce

The MX configuration seems about right from what I can tell, so...

What switches are you using? (Are they Meraki or another vendor).

Have you configured the default gateway for the management interface on the switches?

Hey Bruce. We use HP Aruba switches. The default gateway on the switches is pointing to the VLAN 1 interface on the MX. VLAN 1 is included in the VPN.

Bruce

How is your VLAN 5 configured? What are you trying to ping in VLAN 5? The experiences you were having seemed consistent with the host you were trying to ping not having a default gateway properly configured.

Until now we have managed our switches from the default VLAN (1). I have now created VLAN 5 on two switches (the first is connected directly to the MX, and the second links into the first switch). Both switches have SVIs in VLAN 1 (used until now) and in VLAN 5. On the MX both VLANs are VPN-enabled and tagged on the corresponding MX port. On the first switch both VLANs are tagged on the port that connects to the MX (trunk) and on the uplink to the second switch. Both switches have the VLAN 1 interface of the MX as their default gateway.

MX:
- VLAN 1: 10.4.0.1
- VLAN 5: 10.5.0.100

First switch:
- VLAN 1: 10.4.0.2
- VLAN 5: 10.5.0.1
- Gateway: 10.4.0.1

Second switch:
- VLAN 1: 10.4.0.8
- VLAN 5: 10.5.0.2
- Gateway: 10.4.0.1

Over the VPN:
- I can access both switches on their VLAN 1 interface/IP
- I cannot access either switch on their VLAN 5 interface/IP

From a local computer:
- I can access both switches on both VLAN interfaces/IPs

Bruce

@LontzroV you'll need to check how to create a management VLAN for your switches. The issue is that the VLAN 5 interface on the switches doesn't have a default gateway/route. Anything which has an interface on VLAN 5, so the MX, the switches themselves, or a host on that VLAN, will be able to ping the switches. However, anything remote to VLAN 5 won't get a response, since when the switch tries to respond the VLAN 5 interface has no idea where to send the response if it's not in VLAN 5, and it can't send it to the default gateway as that's in VLAN 1.

There will either be a specific way to create a management interface on the switches, which will likely mean there is a limit of one interface (so you'll need to remove the VLAN 1 interface so you can change the default gateway). Or, as in the Cisco Catalyst world, you will need to create a management VRF so you can have a separate routing table for VLAN 5 - this addresses the fundamental problem you have of needing two routing tables (one for each VLAN).

 

If all the routing is being performed on the MX then you only need one interface on the switches for management, and if VLAN 5 is to be your management network then it should just be VLAN 5.
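As an added illustration of the change Bruce describes (this is not configuration from the thread or from either vendor's documentation), the fragment below shows the first switch's current IP setup next to a corrected one with a single IP interface in VLAN 5 and the gateway moved to the MX's VLAN 5 address. It assumes ArubaOS-Switch / ProCurve CLI syntax, since the thread only says "HP Aruba switches" without a model; the port numbers (1 to the MX, 48 to the second switch) and the Site A PC address are placeholders. Verify each command against the manual for the actual switch model before applying it, in particular whether `management-vlan` on that platform requires the default gateway to sit in the management VLAN.

```text
; --- Current state, as given in the thread: two SVIs, gateway in VLAN 1 ---
; Replies sourced from 10.5.0.1 to a remote subnet have to go via 10.4.0.1,
; which is reachable only through the VLAN 1 SVI, so they never leave VLAN 5.
vlan 1
   ip address 10.4.0.2 255.255.255.0
   exit
vlan 5
   ip address 10.5.0.1 255.255.255.0
   exit
ip default-gateway 10.4.0.1

; --- Corrected state (assumed ArubaOS-Switch syntax): one SVI, gateway in VLAN 5 ---
configure
vlan 5
   name "Management"
   tagged 1,48                        ; assumption: port 1 = uplink to MX, port 48 = link to second switch
   ip address 10.5.0.1 255.255.255.0
   exit
vlan 1
   no ip address                      ; drop the VLAN 1 SVI so there is only one IP interface
   exit
ip default-gateway 10.5.0.100         ; the MX's VLAN 5 address from the thread
; management-vlan 5                   ; leave commented until remote access over VLAN 5 is confirmed
write memory

; --- Checks to run from the switch afterwards ---
show ip                               ; expect VLAN 5 = 10.5.0.1/24, no VLAN 1 address, gateway 10.5.0.100
ping 10.5.0.100                       ; the MX's VLAN 5 interface: proves local VLAN 5 connectivity
ping <site-A-management-pc>           ; placeholder: success proves the return path over the VPN
```

Apply the same change on the second switch with its own VLAN 5 address (10.5.0.2) and the same gateway (10.5.0.100). Make the change from a console session or from a host already on VLAN 5, since removing the VLAN 1 address drops any management session that came in on 10.4.0.2. The final ping from the Site A PC to 10.5.0.1 is the actual test of what the thread is trying to achieve; if that still fails after the gateway move, the remaining suspects are on the MX side (the VLAN 5 subnet being advertised over the VPN and the Site A appliance having a route back to 10.5.0.0/24), not on the switches.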
