Meraki

Community

Source IP and/or VLAN mismatch-Meraki MX-64!

Dena
Here to help
‎Oct 22 2019 7:35 AM
‎Oct 22 2019 7:35 AM

Source IP and/or VLAN mismatch-Meraki MX-64!

Hello All,

I am getting a lot of events: "Source IP and/or VLAN mismatch" from one device (I think is a camera).

source_client_ip: 192.168.1.15, source_client_mac: 28:F3:66:AC:C2:83, source_client_assigned_vlan: 10  « hide

last_illegal_ip192.168.16.106
client_total_illegal_packets19828
all_total_illegal_packets20942
last_reported_total20906

 

I dont understand why! Anyone have any idea?

 

Thank you,

Dena

0 Kudos
14 Replies 14
NolanHerring
Kind of a big deal
‎Oct 22 2019 7:54 AM
‎Oct 22 2019 7:54 AM

What subnet is your VLAN 10 supposed to be?
Does the camera have a static IP configured on the wrong subnet for the VLAN its sitting on?
Nolan Herring | nolanwifi.com
TwitterLinkedIn
In response to NolanHerring
Dena
Here to help
‎Oct 22 2019 8:01 AM
‎Oct 22 2019 8:01 AM

VLAN 10 (192.168.1.0/24) is the only vlan for all the devices. I have installed the MX a couple days ago. I didn't segmented the network.

 

Well I think is a static IP configured but in the same range (192.168.1.0/24).

 

It seems strange that on the event, it shows :

last_illegal_ip192.168.16.103

 

0 Kudos
In response to Dena
Nash
Kind of a big deal
‎Oct 22 2019 8:03 AM
‎Oct 22 2019 8:03 AM

@Dena, when you look at your Clients list, do you see the camera listed? What IP address do you see on it there?

 

I would recommend segmenting your network if you can. I realize it depends on the rest of your equipment. Was it previously segmented?

Windows 10 Client VPN scripts: Makes life better!
0 Kudos
In response to Nash
Dena
Here to help
‎Oct 22 2019 8:36 AM
‎Oct 22 2019 8:36 AM

No it was not segmented before.
0 Kudos
In response to Dena
NolanHerring
Kind of a big deal
‎Oct 22 2019 8:04 AM
‎Oct 22 2019 8:04 AM

Ok so the error is clear then, its getting packets from a device saying its on 192.168.16.0/24 for the VLAN that is 192.168.1.0/24

You're probably going to need to track that device down, it might have something misconfigured, maybe DNS or something strange.
Nolan Herring | nolanwifi.com
TwitterLinkedIn
0 Kudos
Dena
Here to help
‎Oct 22 2019 8:34 AM
‎Oct 22 2019 8:34 AM

Yes I can see it, is receiving Ip 192.168.1.15. 

But the event keep showing again.

 

I will try to check that device closer.

 

Thank you

0 Kudos
In response to Dena
HitoshiH
Meraki Employee
Meraki Employee
‎Oct 22 2019 7:23 PM
‎Oct 22 2019 7:23 PM

Hi @Dena,

 

If the target device reported on the event has been connected LAN interface or sitting downstream through the LAN interface on MX,

You can try taking packet capture and filter by the mac address to see which VLAN ID is actually added in layer 2 header for the confirmation.

 

You can take packet capture from:

Network-wide > Packet capture > Set Security appliance as the target device and LAN port as target interface, then download it as .pcap format for you to load and analyse it on your Wireshark.

You can filter by "eth.addr:'Target mac address'" helps you to see traffic from / to the mac address.

 

Hope this would help your confirmation!

~~If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it.~~

The Meraki ECMS exam is now live! Test your knowledge of Meraki and become an official Cisco Meraki Solutions Specialist. More info on the ECMS exam found here.

For information regarding all of Meraki's training offerings, be sure to check out the Meraki Learning Hub.
0 Kudos
In response to HitoshiH
Dena
Here to help
‎Oct 22 2019 11:58 PM
‎Oct 22 2019 11:58 PM

Hi hintoshi,

Thank you for your advice.

yes I have tried to sniff the packed but nothing is captured for this device.

Capture.png

event logs.png

 

Kind regards,

Dena

0 Kudos
In response to Dena
HitoshiH
Meraki Employee
Meraki Employee
‎Oct 23 2019 1:07 AM
‎Oct 23 2019 1:07 AM

Hi @Dena,

 

Okay, it sounds like the device had not been generating traffic through LAN ports on the MX during the packet capture was going.

 

If the device is not generating traffic all time, you could try generating ICMP ping from MX to the device through live tool and take packet capture during the period to see return traffic from the device which would help you to see traffic from it.

 

Hope this would help!

~~If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it.~~

The Meraki ECMS exam is now live! Test your knowledge of Meraki and become an official Cisco Meraki Solutions Specialist. More info on the ECMS exam found here.

For information regarding all of Meraki's training offerings, be sure to check out the Meraki Learning Hub.
0 Kudos
In response to HitoshiH
Dena
Here to help
‎Oct 23 2019 4:11 AM
‎Oct 23 2019 4:11 AM

Hi Hitoshi,
I did performed ping as you advice me (although I can see that the device is doing traffic).
I cannot capture nothing from any client devices. The only captured traffic is of the routerboard that face the ISP (LAN-Meraki-Routerboard-ISP).

Thank you,
Denisa
0 Kudos
In response to Dena
HitoshiH
Meraki Employee
Meraki Employee
‎Oct 23 2019 6:06 PM
‎Oct 23 2019 6:06 PM

Hi @Dena ,

 

Thanks for the update.

 

Do you mean you have captured interface toward WAN side rather than LAN side?

If you want to confirm how the VLAN ID in L2 header is, you need to capture the interface toward client side.

 

If the client sits on downstream of your network through LAN ports on MX, you can select "Interface" dropdown menu on Packet capture page to "LAN", and run the packet capture for LAN interface.

 

Hope this would help you out!

~~If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it.~~

The Meraki ECMS exam is now live! Test your knowledge of Meraki and become an official Cisco Meraki Solutions Specialist. More info on the ECMS exam found here.

For information regarding all of Meraki's training offerings, be sure to check out the Meraki Learning Hub.
In response to HitoshiH
Dena
Here to help
‎Oct 24 2019 12:35 AM
‎Oct 24 2019 12:35 AM

Hi Hitoshi,

 

:)' my bad, I didn't notice the interface selection was Internet.

 

However I cannot understand a lot from the packet-capture. There are all the time arp packets between meraki and this linux device Shenzhen Bilian.

 

Wireshark.PNG

Then came up this IP 192.168.16.104 😕

 

Thank you for your help,

 

Kind Regards,

Denisa

In response to Dena
HitoshiH
Meraki Employee
Meraki Employee
‎Oct 24 2019 12:48 AM
‎Oct 24 2019 12:48 AM

Hi @Dena ,

 

No problem at all!

I am happy to see that you have captured actual traffic from the target device for your clarification.

 

You can copy same idea for that kind of clarification in future by using packet capture tool on your dashboard.

 

Enjoy your MX!!

~~If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it.~~

The Meraki ECMS exam is now live! Test your knowledge of Meraki and become an official Cisco Meraki Solutions Specialist. More info on the ECMS exam found here.

For information regarding all of Meraki's training offerings, be sure to check out the Meraki Learning Hub.
In response to Dena
VictorLavigne
Comes here often
‎Aug 23 2022 11:47 AM
‎Aug 23 2022 11:47 AM

Hi Dena,

 

Did you discover the real problem?

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.