VLAN mismatch when there is no mismatch

SOLVED
johnhinckley
Comes here often

VLAN mismatch when there is no mismatch

I frequently see MX appliances gripe about a VLAN mismatch when there clearly is no mismatch. Not only does the subnet match the VLAN but the logged event is not even applicable because this is 100% routed traffic; the MX does not RX/TX on a VLAN interface.    

 

Here is an MX log snippet of some mismatches: 

 

VLAN_mismatch.png

 

Here's one of the clients as it shows in the switch; as you can see, it's on the correct VLAN:

CLIENT_MAC.png

 

Here is the MX route for the subnet the client (above) is using:

VLAN_63_ROUTE.png

 

I see nothing mis-configured, so can someone please explain to me why the MX is logging a mismatch here?  An ASA would have zero problem with this configuration and I don't understand why the MX does.

 

 

Thanks,

John

 

1 ACCEPTED SOLUTION
ww
Kind of a big deal
Kind of a big deal

You  can check using  the packet capture on the lan side of the mx. You could also force the specific allowed  vlan instead  of trunk  all.

View solution in original post

8 REPLIES 8
NolanHerring
Kind of a big deal

Can you show us how the port on the MX is configured please 😃
Nolan Herring | nolanwifi.com
TwitterLinkedIn
NolanHerring
Kind of a big deal

And the port on the switch the MX connects to
Nolan Herring | nolanwifi.com
TwitterLinkedIn

Kinda replying to everyone here.  Here's a lousy diagram of the connectivity:

 

mx-sw-cnct-diag.png

 

The MX connects to a pass-through interface on a barracuda filter and then hands off the traffic to the core switch on a trunked interface using native vlan 1.  The MX only has 2 VLAN interfaces, VLAN 1 for data traffic and VLAN 99 which it uses to hand out mgmt DHCP addresses to the Meraki gear (switches, APs, etc).  

 

Here is the trunk ifc to the barracuda pass-through:

 

trunk-to-cuda.png

 

As far as the MX LAN port, there really isn't much to configure there except speed/duplex, so I'm not sure why you'd want to see that. It's currently set to auto/auto. 

 

Before everyone throws their hands up over the Barracuda....it's just bridging the traffic and watching it as it passes through and that's it.  Completely L2.  The mechanism for blocking the client is handled from a different interface on the LAN side (VLAN 1). So it's not doing anything to the traffic.  

 

So the flow is this:  Inet => MX (access vlan 500) => MX LAN ifc => Bcuda L2 => MS350 Trunked on native 1 => Client or access switch => Client

 

The MX can only talk on VLANs 1 & 99.  All the mismatched VLAN messages are referencing subnets which are being *routed* between the MX and the LAN.  L2 should not be involved except to ID the transport VLAN (1 or 99).

 

This is not a very sophisticated flow at all.   

 

Firmware on the MX is up to date:

 

FIRMWARE
Up to date
Current version: MX 14.40

 

 

-John

 

 

Is this happening because the trunk link to the switch is passing the broadcast traffic from all VLANs?  I can't see any other potential reason for the mismatch. 

ww
Kind of a big deal
Kind of a big deal

You  can check using  the packet capture on the lan side of the mx. You could also force the specific allowed  vlan instead  of trunk  all.

johnhinckley
Comes here often

This was my next step anyway.  I'll lock it down to 1,99 and see if the mismatch goes away. 

 

IMO, the MX should just be dropping broadcast traffic that doesn't match any of its VLAN interfaces instead of processing it and complaining about a mismatch.  The events don't show L2 broadcasts so why would its L3 interface even care about packets from subnets it doesn't have an interface for?  Its L2 should not even be handing those packets off to L3.  

 

 

PhilipDAth
Kind of a big deal
Kind of a big deal

That does look wrong.  Are you running a recent release of the MX firmware?

ww
Kind of a big deal
Kind of a big deal

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels