Meraki

Community

Allowed vlans : all is different on smaller MX vs larger MX

Solved
RaphaelL
Kind of a big deal
Kind of a big deal
‎Oct 18 2022 5:01 PM
‎Oct 18 2022 5:01 PM

Allowed vlans : all is different on smaller MX vs larger MX

Hi ,

 

I have come across this 'issue' recently , when you configure vlans on a routed MX the behavior of 'allowed vlans: all' is different on a small MX eg:MX68CW versus a larger one eg: MX250. 

 

On a MX250 it is the 'classic' and expected behavior. Allowed vlans : all means  ALL vlans (1-4095) that will be allowed. 

On a MX68CW it is ONLY the vlans that were created that will be allowed.

 

I'm not able to test on all 'large' MXs ( MX100,MX450 ) but I'm sure that this is also the behavior on those.

 

Very unusual to have 2 separate behavior on the same plateform. I just wonder what was the point of it and the goal apart from creating confusion..

Labels:
0 Kudos
1 Accepted Solution
Ryan_Miles
Meraki Employee All-Star Meraki Employee All-Star
Meraki Employee All-Star
‎Oct 19 2022 9:43 AM
‎Oct 19 2022 9:43 AM

@RaphaelL got confirmation there's a bug with certain platforms allowing non local VLAN traffic through. The expected behavior is only MX local VLAN traffic should pass through per this doc.

View solution in original post

15 Replies 15
BlakeRichardson
Kind of a big deal
Kind of a big deal
‎Oct 18 2022 5:10 PM
‎Oct 18 2022 5:10 PM

Hardware limitation maybe? 

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
0 Kudos
In response to BlakeRichardson
RaphaelL
Kind of a big deal
Kind of a big deal
‎Oct 18 2022 5:17 PM
‎Oct 18 2022 5:17 PM

Maybe to prevent the smaller MX to forward trafic for non pruned vlans. Might be that , still it is undocumented which is probably my main concern if that's the case

In response to RaphaelL
BlakeRichardson
Kind of a big deal
Kind of a big deal
‎Oct 18 2022 6:24 PM
‎Oct 18 2022 6:24 PM

Agreed it should be documented.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
0 Kudos
Ryan_Miles
Meraki Employee All-Star Meraki Employee All-Star
Meraki Employee All-Star
‎Oct 18 2022 10:20 PM
‎Oct 18 2022 10:20 PM

Have you opened a Support case for this? It would be good to get it confirmed and noted in documentation if it's expected behavior.

0 Kudos
In response to Ryan_Miles
cmr
Kind of a big deal
Kind of a big deal
‎Oct 19 2022 12:50 AM
‎Oct 19 2022 12:50 AM

I can confirm on an MX75 that only VLANs with a L3 interface on the MX can be selected for a port in access mode, but that's not quite what you asked, is it?

If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
In response to Ryan_Miles
RaphaelL
Kind of a big deal
Kind of a big deal
‎Oct 19 2022 5:48 AM
‎Oct 19 2022 5:48 AM

I haven't yet. This is how I would reproduce the 'issue' :

 

On MX250. Create 1 vlan ( 20 )

On both MS350, create 2 uplinks ( trunks , native vlan 20 , allow all vlans ). Create 1 access port with a undefined vlan on the MX ( my case that would be 50 ) 

 

Connect a client a generate multicast / broadcast. You will notice that the packets can transit the MX250 and reach the other MS350

RaphaelL_1-1666183505374.png

 

Do the exact same thing on a MX68 and it won't work since the MX68 will only allow the vlans that it knows ( are defined ) 

 

0 Kudos
alemabrahao
Kind of a big deal
‎Oct 19 2022 3:05 AM
‎Oct 19 2022 3:05 AM

I don't know if this is expected, but I've already validated that on some Switch models you can't allow all VLANs either. An example is MS 390, you can only add from VLAN 1 to 1000.

But as for the MX, I don't think it's exactly a problem since the recommended by best practices is to allow only the VLANs that will be used. 😅

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
Ryan_Miles
Meraki Employee All-Star Meraki Employee All-Star
Meraki Employee All-Star
‎Oct 19 2022 7:15 AM
‎Oct 19 2022 7:15 AM

To be clear the MS390 (and Cat9K) only allow 1,000 active VLANs. You can use VLAN IDs higher than 1000. It's covered HERE.

0 Kudos
Ryan_Miles
Meraki Employee All-Star Meraki Employee All-Star
Meraki Employee All-Star
‎Oct 19 2022 9:43 AM
‎Oct 19 2022 9:43 AM

@RaphaelL got confirmation there's a bug with certain platforms allowing non local VLAN traffic through. The expected behavior is only MX local VLAN traffic should pass through per this doc.

In response to Ryan_Miles
RaphaelL
Kind of a big deal
Kind of a big deal
‎Oct 19 2022 9:53 AM
‎Oct 19 2022 9:53 AM

Great ! Do we know if there is a fix coming ? Also , can we identify what 'certain platforms' are ? I'm guessing the MX250 is included

 

Thanks a lot !

0 Kudos
In response to RaphaelL
Ryan_Miles
Meraki Employee All-Star Meraki Employee All-Star
Meraki Employee All-Star
‎Oct 19 2022 10:04 AM
‎Oct 19 2022 10:04 AM

My recommendation is open a Support case. They can attach it to a bug and then you'll be updated when it's resolved. As for the platform list - seeking info on that. But from anecdotal info it might be everything MX75 and up.

In response to Ryan_Miles
RaphaelL
Kind of a big deal
Kind of a big deal
‎Oct 20 2022 12:42 PM
‎Oct 20 2022 12:42 PM

Well , no success  ( refer to : 08772837 ) : 

 

Hello Raphael,

This is a feature not a bug based on the functionality of the different MXes. There is no fix that will be released and is treated as expected behavior depending on the MX model.


 

@Ryan_Miles I'm confused

0 Kudos
In response to RaphaelL
Ryan_Miles
Meraki Employee All-Star Meraki Employee All-Star
Meraki Employee All-Star
‎Oct 21 2022 12:58 PM
‎Oct 21 2022 12:58 PM

Yes, it does sound like this is a known issue and one that's expected based on specific hardware platforms. So, my calling it a bug was perhaps misleading as that suggests something to be fixed.

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Oct 19 2022 11:33 AM
‎Oct 19 2022 11:33 AM

I've run into this before.  Create additional VLANs on the MX.  I used 169.254.x.x addresses on them (dummy addresses).

RaphaelL
Kind of a big deal
Kind of a big deal
‎Oct 24 2022 1:13 PM
‎Oct 24 2022 1:13 PM

End of the story : Case is closed. Meraki says that it is normal and expected to have 2 different behavior on the same product familiy. 

 

Well we choose our fights. Clearly lost that one.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.