Interlan communication and internet connectivity help

Solved
SGD
Here to help


I have three vlans set up on the mx80, and they intercommunicate just fine. The problem is I only get internet connectivity on vlan1.

All LANs communicate through a single mx80 port configured to LAN1 trunk with allow all vlans set. Other than experience, what am I missing here to achieve internet across all vlans while still using a single port configuration?

 

Thanks in advance.

1 Accepted Solution
PresITsupport
Here to help

Maybe this might work.

MX LAN port - Trunk, native vlan 1, allowed vlans 2 & 3 or all vlans

TP-link port connected to MX - trunk port - pvid 1, tagged 2 & 3

TP-link port connected to patch panel that connects to vlan 2 device - pvid 2

TP-link port connected to patch panel that connects to vlan 3 device - pvid 3

Or you can try

MX LAN port connects to TP-link - Trunk port with native vlan - drop all untagged packets, allowed vlans - 1,2,3

TP-link port connects to MX - Trunk port with tag 1,2,3

TP-link port connected to patch panel that connects to vlan 2 device - pvid 2

TP-link port connected to patch panel that connects to vlan 3 device - pvid 3

PhilipDAth
Kind of a big deal

I'm not clear from your description your configuration.

 

Are you saying you have three VLANs configured on the MX80 - or is something else doing the VLAN routing in your network?

SGD
Here to help

Thank you for your reply. Yes, 3 vlans configured on the mx80, and they intercommunicate just fine, though only vlan1 has internet access.

 

Mx80 port0/2 (lan1 trunk allow all vlans)  -> tp-link switch -> patch bay 

PhilipDAth
Kind of a big deal

Are there any group policies applied on the VLAN interfaces on the MX?

 

I assume the MX is providing DHCP for all three VLANs?

SGD
Here to help

No group policies affecting any vlans on mx, and yes dhcp is configured for all vlans.
PhilipDAth
Kind of a big deal

Click on a client that is not working, and then in the bottom left hand corner click on "Show Details".  What do you see?  What is applied to that client?

 


SGD
Here to help

PhilipDAth, Bandwidth unlimited, no layer 3 rules, no layer 7 rules, traffic shaping unlimited VoIP & video conferencing.

PhilipDAth
Kind of a big deal

On your MX:

  • What are the IP address and subnet configured on each of the three VLANs?

On an example client from each VLAN (so give me three answers):

  • What is the IP address, subnet mask, default gateway and DNS?

 

SGD
Here to help

Vlan1
10.0.0.0/24
10.0.0.1 gateway
8.8.8.8 dns

Vlan2
10.0.5.0/24
10.0.0.1 gateway
8.8.8.8 dns

Vlan3
10.10.0.0/24
10.0.0.1 gateway
8.8.8.8 dns
PhilipDAth
Kind of a big deal

VLAN2 and VLAN3 are not correctly configured.

 

If you have an IP address in the 10.0.5.0/24 subnet you must have a default gateway from that same subnet (such as 10.0.5.1/24).  Ditto for the 10.10.0.0/24 network.

SGD
Here to help

Sorry, very bad very absent minded typo. The correct values I meant to type are as follows.

Vlan1
10.0.0.0/24
10.0.0.1 gateway
8.8.8.8 dns

Vlan2
10.0.5.0/24
10.0.5.1 gateway
8.8.8.8 dns

Vlan3
10.10.0.0/24
10.10.0.1 gateway
8.8.8.8 dns
Chris_M
Getting noticed

Then that will be correct, if set up that way.

 

I would advise you to make sure the trunk port on the TP-Link switch is configured correctly.


Find my post helpful? Please give me a kudo!
CCNP Certified and Meraki Operator
PhilipDAth
Kind of a big deal

Can a host in each VLAN ping the MX IP address in that same VLAN?

SGD
Here to help

Yes each host can ping the mx from its own subnet and the mx from the other two subnets by inter communication.

Chris is starting to convince me it may be my tp switch configuration. I was able to assign taggable ports for vlan2 and vlan3. But I'm locked out from modifying vlan1 from untagged to tagged ports. I'll dive deeper into that issue in the morning to see what the issue might be.

Thanks for both your help today. I'll update the thread on the situation as I unravel it. Thanks again.
MilesMeraki
Head in the Cloud

If you're still unsure if it's the tagging issue a simple packet capture taken from the MX on LAN 1 would be able to prove if that is the case.

Eliot F | Simplifying IT with Cloud Solutions
Found this helpful? Give me some Kudos! (click on the little up-arrow below)

SGD
Here to help

Sorry guys, we got hit with a winter storm and have been shut down. As soon as we are back in swing I'll check that switch and update my post. Thanks again for all the help you provide. 

PresITsupport
Here to help

So, what was the issue?
SGD
Here to help

PresITsupport, vlan2 & 3 were only tagged in the vlan port configuration for some ports used in the switch-chain. A serious noob oversight that your solution helped to solve. Thanks again.
Chris_M
Getting noticed

Glad you were able to solve your network issue!


Find my post helpful? Please give me a kudo!
CCNP Certified and Meraki Operator
PresITsupport
Here to help

Sweet! I'm glad it worked out
SGD
Here to help

I'd like to thank everyone for their assistance on this, you have been a great help and a valuable resource. I needed to configure each switch-port used in the switch-chain, as I was only configuring half the chain. Everything works great now. Is it ok to accept PresITsupport's post as the solution, since it outlined basically what I was trying to do? Thanks again, everyone.
Chris_M
Getting noticed

@PhilipDAth is correct, your VLAN gateway is misconfigured for VLAN 2 and VLAN 3. A gateway must be within the same subnet as the network. The MX84 can be a gateway for multiple VLANs. It creates an interface for each VLAN, which has its own IP address, thus a gateway for that VLAN.


Find my post helpful? Please give me a kudo!
CCNP Certified and Meraki Operator
Chris_M
Getting noticed

Are you saying you have the following setup:

 

MX80 ---> TP-Link Switch ---> Patch bay?

 

If so, did you confirm the TP-Link switch's port to the MX80 is set up as a dot1q trunk and all vlans allowed?

 

That may be why only vlan 1 is getting internet and the rest not.


Find my post helpful? Please give me a kudo!
CCNP Certified and Meraki Operator
SGD
Here to help

Chris_M, all tp ports are set to trunk but the pvids are set to 1. Also all ports are set to untagged and unselectable to add tagging. Could this be my problem?
Chris_M
Getting noticed

For your trunk, adding a tagged VLAN is basically what VLAN you allow on the link. Untagged means they remove the tag when they traverse the port. So if you have untagged on all VLANs on that port, then they are losing the VLAN ID after they enter the trunk port, which is why you could still do inter-VLAN routing but not go out to the internet, since the MX could not return the traffic to the right VLAN.

So you want to make sure that the port connecting to the MX84 is "tagged" with the 3 VLANs you want. I had a similar experience with Brocade switches. Untagged is best for access/edge ports. So you might have to remove the untagged configuration.


Find my post helpful? Please give me a kudo!
CCNP Certified and Meraki Operator
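
An added example, not part of any post in the thread: a simplified Python model of the 802.1Q tagged/untagged behaviour described above, tracing a VLAN 2 host's frame across a switch chain to the MX. The `Port` class, the `trace` function and all port settings are constructed for illustration and are not a vendor API.

```python
from dataclasses import dataclass, field

@dataclass
class Port:
    """Simplified 802.1Q port (constructed model, not a vendor API)."""
    pvid: int                                     # VLAN given to untagged ingress frames
    tagged: set = field(default_factory=set)      # VLANs sent with their tag
    untagged: set = field(default_factory=set)    # VLANs sent with the tag stripped

    def ingress(self, tag):
        """VLAN a received frame is classified into, or None if dropped."""
        if tag is None:
            return self.pvid
        return tag if tag in (self.tagged | self.untagged) else None

    def egress(self, vlan):
        """(sent, tag_on_wire) for a frame in `vlan` leaving this port."""
        if vlan not in (self.tagged | self.untagged):
            return False, None
        return True, (vlan if vlan in self.tagged else None)

def trace(host_port, links):
    """Follow a host frame over (egress_port, ingress_port) links; VLAN seen at the end."""
    vlan = host_port.ingress(None)
    for out_port, in_port in links:
        sent, tag = out_port.egress(vlan)
        if not sent:
            return None                           # VLAN not carried on this port
        vlan = in_port.ingress(tag)
        if vlan is None:
            return None                           # tag not allowed on the far side
    return vlan

# Constructed port settings modelled on the thread's first suggestion.
MX = Port(pvid=1, tagged={2, 3}, untagged={1})        # MX trunk, native VLAN 1
TRUNK = Port(pvid=1, tagged={2, 3}, untagged={1})     # switch trunk: pvid 1, tagged 2 & 3
ALL_UNTAGGED = Port(pvid=1, untagged={1, 2, 3})       # every VLAN untagged on the uplink
VLAN1_ONLY = Port(pvid=1, untagged={1})               # chain port never given VLANs 2 & 3
ACCESS2 = Port(pvid=2, untagged={2})                  # edge port for a VLAN 2 device

def scenarios():
    return {
        "correct chain": trace(ACCESS2, [(TRUNK, TRUNK), (TRUNK, MX)]),
        "uplink all untagged": trace(ACCESS2, [(ALL_UNTAGGED, MX)]),
        "half-configured chain": trace(ACCESS2, [(TRUNK, TRUNK), (VLAN1_ONLY, MX)]),
    }

if __name__ == "__main__":
    for name, seen in scenarios().items():
        print(f"{name}: router sees VLAN {seen}")
```

A result of 1 means the VLAN 2 frame is classified into VLAN 1 at the router, so the separation between the two VLANs is lost on that link; `None` means the frame is dropped before it reaches the MX.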