Allowed vlans : all is different on smaller MX vs larger MX

SOLVED
RaphaelL
Kind of a big deal
Kind of a big deal

Allowed vlans : all is different on smaller MX vs larger MX

Hi ,

 

I have come across this 'issue' recently , when you configure vlans on a routed MX the behavior of 'allowed vlans: all' is different on a small MX eg:MX68CW versus a larger one eg: MX250. 

 

On a MX250 it is the 'classic' and expected behavior. Allowed vlans : all means  ALL vlans (1-4095) that will be allowed. 

On a MX68CW it is ONLY the vlans that were created that will be allowed.

 

I'm not able to test on all 'large' MXs ( MX100,MX450 ) but I'm sure that this is also the behavior on those.

 

Very unusual to have 2 separate behavior on the same plateform. I just wonder what was the point of it and the goal apart from creating confusion..

1 ACCEPTED SOLUTION
Ryan_Miles
Meraki Employee
Meraki Employee

@RaphaelL got confirmation there's a bug with certain platforms allowing non local VLAN traffic through. The expected behavior is only MX local VLAN traffic should pass through per this doc.

View solution in original post

15 REPLIES 15
BlakeRichardson
Kind of a big deal
Kind of a big deal

Hardware limitation maybe? 

Maybe to prevent the smaller MX to forward trafic for non pruned vlans. Might be that , still it is undocumented which is probably my main concern if that's the case

Agreed it should be documented.

Ryan_Miles
Meraki Employee
Meraki Employee

Have you opened a Support case for this? It would be good to get it confirmed and noted in documentation if it's expected behavior.

cmr
Kind of a big deal
Kind of a big deal

I can confirm on an MX75 that only VLANs with a L3 interface on the MX can be selected for a port in access mode, but that's not quite what you asked, is it?

RaphaelL
Kind of a big deal
Kind of a big deal

I haven't yet. This is how I would reproduce the 'issue' :

 

On MX250. Create 1 vlan ( 20 )

On both MS350, create 2 uplinks ( trunks , native vlan 20 , allow all vlans ). Create 1 access port with a undefined vlan on the MX ( my case that would be 50 ) 

 

Connect a client a generate multicast / broadcast. You will notice that the packets can transit the MX250 and reach the other MS350

RaphaelL_1-1666183505374.png

 

Do the exact same thing on a MX68 and it won't work since the MX68 will only allow the vlans that it knows ( are defined ) 

 

alemabrahao
Kind of a big deal
Kind of a big deal

I don't know if this is expected, but I've already validated that on some Switch models you can't allow all VLANs either. An example is MS 390, you can only add from VLAN 1 to 1000.

But as for the MX, I don't think it's exactly a problem since the recommended by best practices is to allow only the VLANs that will be used. 😅

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

To be clear the MS390 (and Cat9K) only allow 1,000 active VLANs. You can use VLAN IDs higher than 1000. It's covered HERE.

Ryan_Miles
Meraki Employee
Meraki Employee

@RaphaelL got confirmation there's a bug with certain platforms allowing non local VLAN traffic through. The expected behavior is only MX local VLAN traffic should pass through per this doc.

RaphaelL
Kind of a big deal
Kind of a big deal

Great ! Do we know if there is a fix coming ? Also , can we identify what 'certain platforms' are ? I'm guessing the MX250 is included

 

Thanks a lot !

My recommendation is open a Support case. They can attach it to a bug and then you'll be updated when it's resolved. As for the platform list - seeking info on that. But from anecdotal info it might be everything MX75 and up.

RaphaelL
Kind of a big deal
Kind of a big deal

Well , no success  ( refer to : 08772837 ) : 

 

Hello Raphael,

This is a feature not a bug based on the functionality of the different MXes. There is no fix that will be released and is treated as expected behavior depending on the MX model.


 

@Ryan_Miles I'm confused

Yes, it does sound like this is a known issue and one that's expected based on specific hardware platforms. So, my calling it a bug was perhaps misleading as that suggests something to be fixed.

PhilipDAth
Kind of a big deal
Kind of a big deal

I've run into this before.  Create additional VLANs on the MX.  I used 169.254.x.x addresses on them (dummy addresses).

RaphaelL
Kind of a big deal
Kind of a big deal

End of the story : Case is closed. Meraki says that it is normal and expected to have 2 different behavior on the same product familiy. 

 

Well we choose our fights. Clearly lost that one.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels