Help creating a VLAN (more accurately, what I messed up!)

SOLVED
HeyCori
Comes here often

Help creating a VLAN (more accurately, what I messed up!)

Hello everyone!  So I am very new at creating VLANs and using the Meraki dashboard.  Originally, a separate vendor created our network.  The VLAN they set up looks like this,

 

MX: 10.0.255.254

Subnet: 10.0.0.0/16

 

I created a separate VLAN using,

 

MX: 10.30.0.1

Subnet: 10.30.0.0/16

 

However, upon making the changes, I received this message,

 

 

  • The VLAN subnets 10.0.0.0/16 and 10.30.0.0/16 and client VPN subnet 172.31.0.0/24 overlap with the static LAN route subnets 10.0.0.0/8 and 172.16.0.0/12. IP traffic will be routed to the smallest subnet that contains the IP address.

 

I was hoping someone could explain exactly what that means.  Like, will it affect the network, or VPN, in any noticeable way?  

 

Additionally, does anyone have a recommendation for a better way to set up the VLAN as to not receive this message?

 

Thanks!

1 ACCEPTED SOLUTION

Well, start in your dashboard.  Is there any other devices, or networks that you can see that have the IPs in your static routes?  Are the other network devices a different brand than Meraki?  Can you log into those devices, like the DHCP server, or any other device that is part of the network.  

 

If that does not work, try tracing out cables that are connected to your MX, and see where they go, you might find the static route devices if they are onsite, or a part of your local network.  

 

Bottom line is, you have to configure the VLAN on another device it sounds like, not sure what that device is though.  Look for the IP of the DHCP server on your network, is it another router?  There are many tools you can use to find IPs on your network, try some of those.

Go from there!

 

Good luck!

View solution in original post

21 REPLIES 21
PaulMcG
Getting noticed

This is the dashboard telling you that your local subnets overlap with a configured static route.  Even if you created a vlan with a 192.168.x.x subnet, you will still get the same message as your 10.0.0.0/16 as well as client VPN subnets are the reason for the message.

 

Also, creating  a vlan with a /16 mask is unnecessarily large, with over 65,000 possible host adresses.  Most of the time vlans are created with a /24 mask, giving you 254 possible host adresses, as well as less chances of overlaps.

HeyCori
Comes here often

Thanks for the info!  

 

The goal is to create a network that can access the internet but is also separate from our main VLAN.  I'm hoping this will do the trick.  I'm learning a lot of this from scratch since our organization is trying to save money by not calling our vendor. 😆

 

Now that I have the VLAN created, it's just a matter of figuring out how to attach it to certain APs and making sure internet access is still available.  

cmr
Kind of a big deal
Kind of a big deal

@HeyCori take a look at the page found under Security & SD-WAN / Addressing & VLANs, down the bottom you will see where static routes are configured, do you see 10.0.0.0/8 there?

cmr_0-1635961056613.png

 

HeyCori
Comes here often

Yes.  I see the 10.0.0.0/8 along with a few other static routes. 

cmr
Kind of a big deal
Kind of a big deal

@HeyCori you might want to change it, you shouldn't really have static routes overlapping with VLAN subnets, as although it should route correctly, it is very confusing to look at!  Though if you have a lot of other 10.x networks that the static route is pointing towards, then this might be the tidiest option...

HeyCori
Comes here often

Are you suggesting that I need to create another static route for the VLAN to work on? 

cmr
Kind of a big deal
Kind of a big deal

@HeyCori I think you'll be okay as the flow would be like this:

 

  1. Packet destined for 10.0.0.0/16 network - as there is a VLAN interface on 10.0.255.254, it will head for this
  2. Packet destined for 10.30.0.0/16 network - as there is a VLAN interface on 10.30.0.1, it will head for this
  3. Packet destined for anything else on the 10.0.0.0/8 network (i.e. 10.1.2.3) - it will follow the static route

 

If you have a lot of cases where 3. would apply then I'd leave as is, if not many, then I would have more specific static routes that did not overlap with the subnets used in the local VLANs.  i.e. if the only other 10.x network was 10.1.0.0/16 then I'd change the existing static route for 10.0.0.0/8 to that.

HeyCori
Comes here often

Yes, we have several sites that range from 10.0 - 10.11.  If I'm understanding you correctly, because we fall under scenario 3, I should leave the static routes as they are.  

 

Right now I'm trying to figure out why I can't access the internet.  As a test, I have one AP broadcasting the network I want to segregate. 

 

Within that SSID, I have the VLAN ID set to 3, same as the VLAN I just made.  

 

I can connect to that network but I can't access the internet so I must be missing a step somewhere.  

 

EDIT: Meant to add that when I connect to the SSID, I get a 169. IP address instead of something on the network. 

Sounds like your new VLAN-3 does not have DHCP configured, if you are getting a 169. self assigned IP.  Go to Security & SD-WAN then DHCP, on your Meraki dashboard, then check and see if your VLAN-3 is configured to hand out IPs in the correct subnet.

 

 

HeyCori
Comes here often

I haven't forgotten about this.  Unfortunately, I'm knee deep in setting up our new library and I keep getting hit with one problem after another. 🤣😭

 

I did talk to our of our network guys and he said he's also going to check it out when he gets a chance. 

 

But to answer MCITDept.  

 

I switched the VLAN to "Do not respond to DHCP requests" because that is what VLAN 1 is set to.  Sadly, that didn't resolve the issue.  However, I have a device for testing which I gave a static IP to, and I can see it on the network, I just can't get access to the Internet.  

If you also have VLAN-1 set to NOT hand out DHCP, then either you must assign static IPs to everything, or you have another device on-site that is handing out DHCP addresses. Since you are getting a 169 address in VLAN-3, something else has to hand out IPs, or you have to turn DHCP on, on the MX.

 

Do you have another router that is acting as the DHCP server?  It looks like you have a tremendous amount of IPs in your network, with the /16 setup.  If you just need to add a new VLAN, and just get internet access on it, then as long as the MX you are configuring this on, is the main router, then I would set it up in a different subnet than 10.x.x.x.  Something like 192.168.x.x, a subnet you are not using or will not overlap anywhere. 

 

Then just set up firewall rules to block the communication between all your other subnets, and the new one.  Unless we are not seeing the whole picture, which seems pretty likely, it should not be too hard.

 

Sadly, it is hard to say what is right without knowing more about your configuration, and what you are doing.

HeyCori
Comes here often

We do have another device onsite for DHCP addresses.  I set VLAN 3 to "Relay DHCP to another server" and then added the IP address for that server.  However, the DHCP is on a 10.0 and not the 10.30 I was attempting to set up, so I'm guessing that's why they're not talking to each other.  

 

If I were to add a 192.168.x.x, would I still have to assign static IP addresses?  

PhilipDAth
Kind of a big deal

Where do the static routes point to?  Do you actually need those static routes?

I know one of the static routes is labeled as our public IP block, and the other is our internal network.  There are two more which our vendor set up but I'm not sure what they are used for.  

OK, is the second router the main gateway to the internet, is it even the main router?  We know you have at least two routers at this location, are those all the routers at this location?  Or are there others that those static routes point to?  

 

Please give us more information, as it is too hard to imagine what you have, and help you.  You can change the information or IPs, so you don't give out anything you need to keep private.

HeyCori
Comes here often

We have 4 static routes.  Each one with a different subnet range.  Two I recognize because it's our internal, 10.x and our public IP, 152.x.  The two others (192.x and 172.x) we don't usually do anything with.  And they all use the same gateway IP.  

 

I hope that was the information you were looking.

 

Thanks!

Do you know what the static routes point to? A layer 3 switch?  Another router? Need more.

HeyCori
Comes here often

As far as I can tell, the 10.0 points to what we have labeled as our MDF Core.  Where do I look to see where all the static routes point to?  

 

Thanks!

 

Note: I'm on a small vaca after today so I won't be able to do any tinkering until next week. 

Well, start in your dashboard.  Is there any other devices, or networks that you can see that have the IPs in your static routes?  Are the other network devices a different brand than Meraki?  Can you log into those devices, like the DHCP server, or any other device that is part of the network.  

 

If that does not work, try tracing out cables that are connected to your MX, and see where they go, you might find the static route devices if they are onsite, or a part of your local network.  

 

Bottom line is, you have to configure the VLAN on another device it sounds like, not sure what that device is though.  Look for the IP of the DHCP server on your network, is it another router?  There are many tools you can use to find IPs on your network, try some of those.

Go from there!

 

Good luck!

HeyCori
Comes here often

After a few days off, I came back to this and got approval to bring in help from our vendor NSI.  Maaaan did I open a can of worms.  We made a few changes but primarily the biggest issue is that the switches/ports aren't trunked.  And in order to get the new VLAN working system wide, they will need to be trunked.  Now our vendor is going to assist in getting all the devices updated.  Thanks to everyone for their assistance.  You basically help me get like 75% of the way there!  I didn't realize this was going to be a major overhaul beforehand!

I can't tell you how many times I didn't realize how big a change was going to be beforehand.  It always seems to find a way to affect more than what you first realize.  Good you got things figured out, and are getting some help with getting it right.  You must have a pretty huge network, and a complicated one at that.  Good luck!

 

 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels