Meraki

Kenneth · ‎Jul 8 2019

So opposed to the other posts on this my problem is the oposite. The MX makes it to simple to get an IP.

at the branch location there are two Vlans (Internal and Secure), when a client that is connected to the Secure Vlan it contacts the domain controller through the route of the internal (because it is shorter) the problem with that is that no clients from the secure Vlan should have contact with the Internal zone. The Secure Vlan has a static route to the domain controller through a IPsec tunnel (AutoVPN) then two FW and static routes in the data center.

Is there any way to limit the DHCP relay to not traversing several Vlan? If not what other trafic can be subject to crossing Vlans without my knowledge (since the MX seems to choose lowest cost path)

PhilipDAth · ‎Jul 9 2019

>follow the static route set for the respective VLANS

Static routes are global - they are not defined per VLAN, such as with VRFs.

View solution in original post

BrechtSchamp · ‎Jul 8 2019

The dhcp relay option can be specified per vlan so you have full control over that. You can also use the L3 firewall to limit traffic between vlans.

Or did I misinterpret the question?

Kenneth · ‎Jul 8 2019

Well as far as I can see there is NO possibility to limit the DHCP relay in Meraki, there are three options:.

- Do not relay

- USE Meraki DHCP

- Relay DHCP to...

1. option does not work since the DC is in another vlan,

2. option is not an option at all - du to internal policy and security features outside Meraki

3. option seems to broadcast on all vlans and then choose the shortest path.

BrechtSchamp · ‎Jul 8 2019

Those are indeed the options. I'm talking about the third one. The way I see it is, on the VLANs for which DHCP relay is activated, the MX will listen for DHCP requests. When it sees one it relays the request to the DHCP server (the IP address) you specified. Any broadcasts taking place during this process are L2 broadcasts which would normally take place during the normal DHCP procedure too.

What broadcast are you referring to?

Kenneth · ‎Jul 9 2019

Well since we have two routes I would like to see that all DHCP request follow the static route set for the respective VLANS, at the moment DHCP relay for the Secure sone learns the route from the routing table and goes through the unsecure sone before the client gets put in the correct vlan. (the MX relays across all VLANS)

As of such it is not a problem, but it makes the architecht unsure of what other trafic might learn the same route without us knowing.

PhilipDAth · ‎Jul 9 2019

>follow the static route set for the respective VLANS

Static routes are global - they are not defined per VLAN, such as with VRFs.

Kenneth · ‎Jul 25 2019

Yes we found so to, and we are looking into another design at this point. - got some great help from Meraki SE though.

PhilipDAth · ‎Jul 9 2019

If I understand correctly their is a single DHCP server at the DC.

There can only be a single route to that single destination, which the MX is using. However you want one VLAN to use the AutoVPN tunnel and the other to use some other path outside of AutoVPN.

The only way I can think of to make this work is to have two DHCP servers. One for the secure network which is advertised into AutoVPN, and one of the internal network which isn't. Then just DHCP relay to the appropriate DHCP server.

It really sounds like you should be using two DHCP servers anyway considering the security seperation you have specified.

Meraki

Community

Limit DHCP relay

Limit DHCP relay