Chicken and egg problem .. copying networks (MX)

thomasthomsen
Head in the Cloud

Chicken and egg problem .. copying networks (MX)

When copying an MX config to a new network, how do you edit / handle firewall rules, VLANs and DHCP scopes, when everything you try results in an error?

For example, when editing a VLAN on the new network, it gives an error because the firewall rules for these networks are then not present.

When I try to remove / edit the firewall rules, then it's the VLAN and DHCP that are the problem (because the VLAN of course does not have the new IPs in the new ACL, and the DHCP has helper addresses on AutoVPN (which is of course not up)).

[screenshot of the Dashboard error]

Then if I, for fun, try to set all DHCP back to using the MX, I get this error... that's very funny, Dashboard... that's very funny.

[screenshot of the Dashboard error]

(The above networks are used in an RFC1918 group on the firewall.)

So I can't remove the firewall rules because of DHCP (IP helper), can't remove DHCP because of the firewall, can't edit the VLAN because of the firewall (and DHCP, as I see in the error)....

What the *beeb* .....

What's the point of being able to copy a configuration / new equipment to a new network when you can't edit it?

Or am I missing something?

/Thomas

4 Replies
thomasthomsen
Head in the Cloud

So I removed 192.168.0.0/16 and 172.16.0.0/12 from my RFC1918 policy (which works fine on the other network).

When doing this, the DHCP part does not report an error when disabling DHCP.

When DHCP was disabled, I could remove all the firewall rules.

And then I could edit the VLAN IPs, re-setup firewall rules, and enable DHCP again (with AutoVPN enabled of course).

This can't be right; someone must not have tried this in the real world.

I don't know that there's any easy way of copying a network when it comes to this situation, but one trick is to add a new VLAN with the new addressing for the site but with a different VLAN ID. Once that's done you can erase any DHCP settings from the unwanted VLAN, allowing you to erase that VLAN and then just change the VLAN ID of the new VLAN you created.

That allows you to avoid having to remove any firewall rules that have a class A/B/C source IP. It's still a pain to do, but if you have a lot of firewall rules, it's still easier.

It's still faster than starting the network completely from scratch and avoids mismatches between networks. Another thing to check for that won't generate any errors is traffic shaping rules. If a rule matches a local subnet, VoIP for instance, and you change the addressing of that subnet for a new site, no error message pops up to say your traffic shaping rule applies to a non-existing subnet.

Well, my "pain" was that no matter where I tried to edit (DHCP, firewall, or VLAN), there was an error that was dependent on one of the others.

I worked around it by removing an RFC1918 object I had created (containing all the RFC1918 networks).

When the firewall does not "know" of networks (from local or AutoVPN) that match IPs in ACLs, it just breaks.

This is kinda unfortunate, because in theory you could have prepared a rule for future networks, so you would not have to create or revisit the ACLs again.

But I removed this rule; then I could remove DHCP, then I could remove ACLs from the firewall (fortunately a short list), and THEN I could edit the VLAN IP configuration, and then rebuild DHCP and ACLs.

It just seems broken, and I wish Meraki would really pay attention here.

Somehow let us edit the copied network (on more than one page if they are dependent on each other), and then "commit / save". If of course there were "mistakes" at that point, fine, give me that error 🙂

I don't even know if I can create a new network from another network using the API, and somehow fix / make this better. Does anyone know?
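As an added example (not from any poster, and not Meraki's own tooling): a small Python planner that takes the copied network's VLANs and L3 firewall rules in the field shapes the Dashboard API v1 uses (assumed from the public API docs; the values below are constructed) and emits the PUT bodies in the order Thomas found works: DHCP off, rules cleared, VLANs renumbered, rules re-added with the new addressing, DHCP restored. It makes no live calls and does not handle the RFC1918 policy object, which the thread says has to be dealt with first; the v1 create-network call does accept a copyFromNetworkId, so the copy itself can be scripted too.

```python
import ipaddress

# Constructed sample data in the field shapes of the Meraki Dashboard API v1
# VLAN and L3 firewall-rule objects (assumed from the public docs; no live calls).
VLANS = [
    {"id": 10, "subnet": "10.1.10.0/24", "applianceIp": "10.1.10.1",
     "dhcpHandling": "Run a DHCP server"},
    {"id": 20, "subnet": "10.1.20.0/24", "applianceIp": "10.1.20.1",
     "dhcpHandling": "Relay DHCP to another server", "dhcpRelayServerIps": ["10.0.0.5"]},
]
RULES = [
    {"comment": "Voice to PBX", "policy": "allow", "protocol": "udp", "srcPort": "Any",
     "srcCidr": "10.1.20.0/24", "destCidr": "10.0.0.5/32", "destPort": "5060"},
    {"comment": "Block RFC1918", "policy": "deny", "protocol": "any", "srcPort": "Any",
     "srcCidr": "10.1.10.0/24", "destCidr": "192.168.0.0/16", "destPort": "Any"},
]
RENUMBER = {"10.1.10.0/24": "10.2.10.0/24", "10.1.20.0/24": "10.2.20.0/24"}  # old -> new

def remap(addr, renumber):
    """Move a CIDR or host address that lies inside an old VLAN to the new VLAN,
    keeping its offset; anything else ("Any", hub-side or RFC1918 ranges) is unchanged."""
    if addr == "Any":
        return addr
    net = ipaddress.ip_network(addr, strict=False)          # bare host -> /32
    for old, new in renumber.items():
        old_net, new_net = ipaddress.ip_network(old), ipaddress.ip_network(new)
        if net.subnet_of(old_net):
            base = ipaddress.ip_address(int(new_net.network_address)
                                        + int(net.network_address) - int(old_net.network_address))
            return str(base) if "/" not in addr else f"{base}/{net.prefixlen}"
    return addr

def plan(vlans, rules, renumber):
    """Ordered (step, vlan_id, PUT body) tuples that sidestep the circular validation:
    DHCP off -> rules cleared -> VLANs renumbered -> rules restored -> DHCP restored."""
    steps = [("dhcp-off", v["id"], {"dhcpHandling": "Do not respond to DHCP requests"}) for v in vlans]
    steps.append(("rules-clear", None, {"rules": []}))
    steps += [("vlan-renumber", v["id"], {"subnet": remap(v["subnet"], renumber),
               "applianceIp": remap(v["applianceIp"], renumber)}) for v in vlans]
    new_rules = [dict(r, srcCidr=remap(r["srcCidr"], renumber),
                      destCidr=remap(r["destCidr"], renumber)) for r in rules]
    steps.append(("rules-restore", None, {"rules": new_rules}))
    for v in vlans:
        body = {"dhcpHandling": v["dhcpHandling"]}
        if "dhcpRelayServerIps" in v:                        # relay target stays on the hub side
            body["dhcpRelayServerIps"] = [remap(ip, renumber) for ip in v["dhcpRelayServerIps"]]
        steps.append(("dhcp-restore", v["id"], body))
    return steps
```

Each body goes to the matching VLAN or L3-rules PUT endpoint in the listed order; a failure at any step leaves the network in a state you can inspect rather than half-renumbered.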

I also have to agree here, this is not implemented "the Meraki way" ...
