VLAN Troubleshooting Patterns

VLAN troubleshooting patterns I’ve actually used. Every entry has a date and context.

Entries

2026-04-02: VLAN Segmentation Blocking Service Access

Problem: Vault SSH certificate signing failed — workstation on DOMUS-Secure VLAN (10.50.10.x) can’t reach Vault on management VLAN.

Context: P16g deployment. EAP-TLS authentication puts the machine on a segmented VLAN. Anti-pivot firewall rules block cross-VLAN access by design. Vault needs explicit firewall rules for authorized VLAN access.

The Pattern: VLAN segmentation is working as designed — it prevents lateral movement. But services like Vault, DNS, and NTP need explicit firewall rules allowing access from authorized VLANs. The fix is not to weaken segmentation, but to add targeted permit rules for required services.

Rule: When services fail after VLAN assignment, check firewall rules between VLANs. Security segmentation is the cause, not a bug.

Worklog: WRKLOG-2026-04-02

2026-03-05: VyOS VLAN Subinterface Verification

Problem: Need to verify multiple VLAN subinterfaces are up after VyOS configuration.

Context: VyOS router troubleshooting. Multiple VLANs configured on a single physical interface with subinterfaces.

The Fix:

# Check multiple VLANs at once
show interfaces | grep -E 'eth0\.(20|30|40)'
# Verify bridge membership
bridge link show | grep -E "eno8.*master"

Rule: Use grep -E alternation to check multiple VLANs simultaneously.

Worklog: WRKLOG-2026-03-05

2026-04-03: Verify VLAN Assignment After EAP-TLS Migration

Problem: After migrating from iPSK (DOMUS-IoT) to EAP-TLS (DOMUS-Secure), need to confirm the machine moved to the correct VLAN.

Context: P16g deployment. ISE authorization policy assigns different VLANs based on authentication method. iPSK gets IoT VLAN, EAP-TLS gets Secure VLAN.

The Fix:

# Check IP -- should be on DOMUS-Secure VLAN, not IoT VLAN
ip -4 addr show | awk '/inet / && !/127.0.0.1/ {print $NF, $2}'
# Verify active connections
nmcli connection show --active | grep -E "Domus-Wired|Domus-WiFi"
# ISE verification -- confirm dot1x, not mab
netapi ise dc query "
SELECT mac_address, authentication_method, passed, timestamp
FROM radius_authentications
WHERE mac_address IN ('<WIRED-MAC>', '<WIFI-MAC>')
  AND timestamp > SYSDATE - 1
ORDER BY timestamp DESC
"

Rule: After changing authentication method, verify VLAN assignment changed too. ISE authZ policy drives VLAN — check both the client IP and ISE session data.

Worklog: WRKLOG-2026-04-03

Template