cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Allowed vlans : all is different on smaller MX vs larger MX

SOLVED
Go to solution
RaphaelL
Kind of a big deal
Kind of a big deal
‎10-18-2022 05:01 PM
‎10-18-2022 05:01 PM

Allowed vlans : all is different on smaller MX vs larger MX

Hi ,

 

I have come across this 'issue' recently , when you configure vlans on a routed MX the behavior of 'allowed vlans: all' is different on a small MX eg:MX68CW versus a larger one eg: MX250. 

 

On a MX250 it is the 'classic' and expected behavior. Allowed vlans : all means  ALL vlans (1-4095) that will be allowed. 

On a MX68CW it is ONLY the vlans that were created that will be allowed.

 

I'm not able to test on all 'large' MXs ( MX100,MX450 ) but I'm sure that this is also the behavior on those.

 

Very unusual to have 2 separate behavior on the same plateform. I just wonder what was the point of it and the goal apart from creating confusion..

Labels:
0 Kudos
Subscribe
1 ACCEPTED SOLUTION
Ryan_Miles
Meraki Employee
Meraki Employee
‎10-19-2022 09:43 AM
‎10-19-2022 09:43 AM

@RaphaelL got confirmation there's a bug with certain platforms allowing non local VLAN traffic through. The expected behavior is only MX local VLAN traffic should pass through per this doc.

View solution in original post

Subscribe
15 REPLIES 15
BlakeRichardson
Kind of a big deal
Kind of a big deal
‎10-18-2022 05:10 PM
‎10-18-2022 05:10 PM

Hardware limitation maybe? 

www.btr.net.nz
0 Kudos
Subscribe
In response to BlakeRichardson
RaphaelL
Kind of a big deal
Kind of a big deal
‎10-18-2022 05:17 PM
‎10-18-2022 05:17 PM

Maybe to prevent the smaller MX to forward trafic for non pruned vlans. Might be that , still it is undocumented which is probably my main concern if that's the case

Subscribe
In response to RaphaelL
BlakeRichardson
Kind of a big deal
Kind of a big deal
‎10-18-2022 06:24 PM
‎10-18-2022 06:24 PM

Agreed it should be documented.

www.btr.net.nz
0 Kudos
Subscribe
Ryan_Miles
Meraki Employee
Meraki Employee
‎10-18-2022 10:20 PM
‎10-18-2022 10:20 PM

Have you opened a Support case for this? It would be good to get it confirmed and noted in documentation if it's expected behavior.

0 Kudos
Subscribe
In response to Ryan_Miles
cmr
Kind of a big deal
Kind of a big deal
‎10-19-2022 12:50 AM
‎10-19-2022 12:50 AM

I can confirm on an MX75 that only VLANs with a L3 interface on the MX can be selected for a port in access mode, but that's not quite what you asked, is it?

0 Kudos
Subscribe
In response to Ryan_Miles
RaphaelL
Kind of a big deal
Kind of a big deal
‎10-19-2022 05:48 AM
‎10-19-2022 05:48 AM

I haven't yet. This is how I would reproduce the 'issue' :

 

On MX250. Create 1 vlan ( 20 )

On both MS350, create 2 uplinks ( trunks , native vlan 20 , allow all vlans ). Create 1 access port with a undefined vlan on the MX ( my case that would be 50 ) 

 

Connect a client a generate multicast / broadcast. You will notice that the packets can transit the MX250 and reach the other MS350

RaphaelL_1-1666183505374.png

 

Do the exact same thing on a MX68 and it won't work since the MX68 will only allow the vlans that it knows ( are defined ) 

 

0 Kudos
Subscribe
alemabrahao
Kind of a big deal
Kind of a big deal
‎10-19-2022 03:05 AM
‎10-19-2022 03:05 AM

I don't know if this is expected, but I've already validated that on some Switch models you can't allow all VLANs either. An example is MS 390, you can only add from VLAN 1 to 1000.

But as for the MX, I don't think it's exactly a problem since the recommended by best practices is to allow only the VLANs that will be used. 😅

0 Kudos
Subscribe
In response to alemabrahao
Ryan_Miles
Meraki Employee
Meraki Employee
‎10-19-2022 07:15 AM
‎10-19-2022 07:15 AM

To be clear the MS390 (and Cat9K) only allow 1,000 active VLANs. You can use VLAN IDs higher than 1000. It's covered HERE.

0 Kudos
Subscribe
Ryan_Miles
Meraki Employee
Meraki Employee
‎10-19-2022 09:43 AM
‎10-19-2022 09:43 AM

@RaphaelL got confirmation there's a bug with certain platforms allowing non local VLAN traffic through. The expected behavior is only MX local VLAN traffic should pass through per this doc.

Subscribe
In response to Ryan_Miles
RaphaelL
Kind of a big deal
Kind of a big deal
‎10-19-2022 09:53 AM
‎10-19-2022 09:53 AM

Great ! Do we know if there is a fix coming ? Also , can we identify what 'certain platforms' are ? I'm guessing the MX250 is included

 

Thanks a lot !

0 Kudos
Subscribe
In response to RaphaelL
Ryan_Miles
Meraki Employee
Meraki Employee
‎10-19-2022 10:04 AM
‎10-19-2022 10:04 AM

My recommendation is open a Support case. They can attach it to a bug and then you'll be updated when it's resolved. As for the platform list - seeking info on that. But from anecdotal info it might be everything MX75 and up.

Subscribe
In response to Ryan_Miles
RaphaelL
Kind of a big deal
Kind of a big deal
‎10-20-2022 12:42 PM
‎10-20-2022 12:42 PM

Well , no success  ( refer to : 08772837 ) : 

 

Hello Raphael,

This is a feature not a bug based on the functionality of the different MXes. There is no fix that will be released and is treated as expected behavior depending on the MX model.


 

@Ryan_Miles I'm confused

0 Kudos
Subscribe
In response to RaphaelL
Ryan_Miles
Meraki Employee
Meraki Employee
‎10-21-2022 12:58 PM
‎10-21-2022 12:58 PM

Yes, it does sound like this is a known issue and one that's expected based on specific hardware platforms. So, my calling it a bug was perhaps misleading as that suggests something to be fixed.

0 Kudos
Subscribe
PhilipDAth
Kind of a big deal
Kind of a big deal
‎10-19-2022 11:33 AM
‎10-19-2022 11:33 AM

I've run into this before.  Create additional VLANs on the MX.  I used 169.254.x.x addresses on them (dummy addresses).

0 Kudos
Subscribe
RaphaelL
Kind of a big deal
Kind of a big deal
‎10-24-2022 01:13 PM
‎10-24-2022 01:13 PM

End of the story : Case is closed. Meraki says that it is normal and expected to have 2 different behavior on the same product familiy. 

 

Well we choose our fights. Clearly lost that one.

0 Kudos
Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2023 Meraki