The scenario is the following:
I have a central point, a firewall, which permits the traffic from network 10.5.2.0/24 forward to the Meraki central point.
The Meraki headquarters has the network 10.5.2.0/24.
I want to isolate a device in another network; for this reason I broke up the network from /24 to /25.
I created two networks on the Meraki:
VLAN 3: 10.5.2.0/25, GW 10.5.2.2
VLAN 4: 10.5.2.128/25, GW 10.5.2.254
I plugged the device into a different Meraki port with IP address 10.5.2.129/25 and MX IP 10.5.2.254.
From the Meraki, through VLAN 3 (network 10.5.2.0/25), I tried to ping 10.5.2.129/25 but it was impossible.
Maybe I will need a static route, isn't it?
Also I have a doubt: when the traffic reaches the firewall it has the IP 10.5.2.0/24; could that be a problem? On the firewall I would have to partition the network in two /25. I don't remember the routing rules when you break up a network into small pieces and you have the main network.
Are you saying the Meraki MX has two VLANs configured, VLAN3 and VLAN4? Are you saying the Meraki has the configuration:
VLAN3: 10.5.2.2/25
VLAN4: 10.5.2.254/25
Have you configured the MX to have a trunk port with these two VLANs on it, or have you configured some access ports, one in each VLAN?
@athan1234 you shouldn’t need a static route on the MX. The MX will route between its interfaces without a static route. The MX firewall rules should allow traffic between the VLANs by default, but check those rules too - the ‘outbound’ firewall rules apply to traffic between VLANs.
Your central firewall won’t know whether the traffic is from a /24 or /25 network, so that won’t matter. You should check your devices, what OS are they running? Some have a local firewall that could be restricting traffic from the other subnet - now that the other device is in a different subnet.
Thanks a lot for the replies.
I attach some images, @Bruce and @PhilipDAth.
The device's IP is .180 (I cannot see the configuration of this device, but I asked my client and the gateway is .254). Maybe that is the problem, because if the device has a gateway other than .254 it could be the problem, but my customer tells me the gateway is the correct .254.
Only there isn't communication between VLAN 10 and VLAN 11 inside the Meraki.
@athan1234 Have you tried ping from the VLAN11 interface on the MX to the client with IP address .180? That will confirm that the device is on the network. Remember, you need to change the subnet mask on ALL the clients to /25 (so, 255.255.255.128) so that they ‘know’ that IP addresses above .128 need to be accessed by their default gateway.
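As an added illustration of Bruce's point (this is not code from the thread): a host decides from its own mask alone whether a destination is on-link or must be handed to its default gateway, and the MX reaches both /25s as connected routes. The MX interface addresses and VLAN names are taken from the plan above; the client addresses are constructed.

```python
import ipaddress
from typing import Optional

# Constructed to match the thread: the MX owns one interface in each /25.
MX_INTERFACES = {"VLAN3": "10.5.2.2/25", "VLAN4": "10.5.2.254/25"}


def mx_vlan_for(ip: str) -> Optional[str]:
    """Which MX VLAN owns this address. Connected routes only: no static route is involved."""
    addr = ipaddress.ip_address(ip)
    for vlan, iface in MX_INTERFACES.items():
        if addr in ipaddress.ip_interface(iface).network:
            return vlan
    return None


def next_hop(src_ip: str, src_mask: str, dst_ip: str, gateway: str) -> str:
    """What a host decides from its own mask: 'on-link' (ARP for dst directly),
    'via <gw>' (hand to the default gateway) or 'no-route' (gateway not in its own subnet)."""
    src = ipaddress.ip_interface(f"{src_ip}/{src_mask}")  # mask may be '25' or '255.255.255.128'
    if ipaddress.ip_address(dst_ip) in src.network:
        return "on-link"
    if ipaddress.ip_address(gateway) not in src.network:
        return "no-route"
    return f"via {gateway}"


def can_ping(a: tuple, b: tuple) -> bool:
    """a and b are (ip, mask, gateway). A ping needs the request AND the reply to get through,
    so both hosts' masks matter. Inter-VLAN firewall rules on the MX are assumed to allow it."""
    for (src_ip, src_mask, src_gw), (dst_ip, _, _) in ((a, b), (b, a)):
        hop = next_hop(src_ip, src_mask, dst_ip, src_gw)
        src_vlan, dst_vlan = mx_vlan_for(src_ip), mx_vlan_for(dst_ip)
        if hop == "on-link" and src_vlan != dst_vlan:
            return False  # the ARP broadcast stays in the sender's VLAN; the other host never hears it
        if hop == "no-route" or dst_vlan is None:
            return False
        if hop.startswith("via") and mx_vlan_for(src_gw) != src_vlan:
            return False  # gateway address is not the MX interface on the sender's VLAN
    return True


if __name__ == "__main__":
    pc_old = ("10.5.2.10", "255.255.255.0", "10.5.2.2")       # VLAN3 client still on the /24 mask
    pc_new = ("10.5.2.10", "255.255.255.128", "10.5.2.2")     # same client after the /25 change
    device = ("10.5.2.180", "255.255.255.128", "10.5.2.254")  # isolated device in VLAN4
    print(next_hop(*pc_old[:2], device[0], pc_old[2]), can_ping(pc_old, device))
    print(next_hop(*pc_new[:2], device[0], pc_new[2]), can_ping(pc_new, device))
```

With the old /24 mask the client ARPs for .180 on VLAN3 and never gets an answer; with /25 it sends to 10.5.2.2 and the MX forwards into VLAN4, and the same applies to the reply, which is why every client must change.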
Hi @Bruce, thanks for your reply. I changed the mask on all devices and I get ping between both networks.
So thanks 🙏