@PhilipDAth I don't follow you. If I have a voice subnet on my LAN that needs to traverse a L2L tunnel, I don't want to put an SVI for that subnet on the MX and expose L2 voice traffic to my edge device. I would rather my core L3 device receive those packets first, apply any QoS and then route them (using default route) to the firewall. But because the MX doesn't have an SVI on the voice subnet in this scenario, it won't like receiving packets stamped with a different VLAN. This effectively wastes the default route.

Some topology for discourse:

data VLAN 1 = 192.168.1.0/24
voice VLAN 2 = 10.10.10.0/24
L3 gw = 10.10.10.1, 192.168.1.1 [default route: 0.0.0.0/0 192.168.1.2]
MX = 192.168.1.2 (assume it has route for voice sub)

phone 10.10.10.2 => L3 gw 10.10.10.1 => default route => MX 192.168.1.2 => **VLAN mismatch**

An ASA does not have a VLAN mismatch problem when packets from other subnets are routed to it. Routing is a function of L3, not L2, so why is the MX looking at VLAN tags on L3? Routing happens at L3 so I don't see the value in enforcing the VLAN match.