MX100 DHCP/vlan question

SOLVED
leadtheway

Have a somewhat odd setup. Internet comes in and hands off to an MS350 via a /30 and a /29 subnet. The /29 is the usable one and sits in a DMZ VLAN on that switch, and the /30 is in another VLAN with the ISP equipment in it. I have an ASA plugged into one of the /29 ports (irrelevant, just info) and a Meraki MX100 in another. Both work fine. I have one of the ports on the MS350 plugged into an Ethernet port on the MX100 that's getting default DHCP for management so the MS350 can get out. Thanks to @BrechtSchamp for helping with the setup. So basically we are cutting over from an MSP to a self-hosted solution, so everything is being set up in parallel. Problem is, the DHCP server is on the old equipment. Have basically 5 VLANs that need to be set up in the new environment. My question is twofold.

 

One: Can I set up those VLANs on the MX and have it handle DHCP for each VLAN as well? Will it know how to do the tagging, or will I need to put a Windows DHCP server somewhere on the network? Second: if I do that, can I turn that access port going to the MS into a trunk, put other ports in access mode for a specific VLAN, and have the MX give out the correct subnet address?

BrechtSchamp

Well, there are two aspects to this, depending on whether the MX participates in the VLAN or not (i.e. depending on whether it has an IP in it itself).

The picture below shows what the DHCP server settings look like for one of the VLANs I have defined. It will have such a section for each VLAN defined on the MX:

[image: MX-dhcp.PNG]

Now for the second aspect: for VLANs that are only known on the MS, the MX won't be present on those VLANs. It can still be the DHCP server for those VLANs, though. To make that happen you need to tell the MS to forward (Relay DHCP to another server) all DHCP requests towards the MS in Switch > Configure > Layer 3 routing.

On the MX there will be a static route for those VLANs pointing to the MS as next hop. For the subnets that the MX has static routes for, it will also have a section in the DHCP server. It looks very similar:

[image: MX-dhcp-static-route.PNG]

Regarding your tagging question: basically, in the first case the MX will know, based on the Addressing & VLANs configuration, where to send (which interface) and how to tag the responses to received DHCP requests.

In the second case the response needs to be sent back to the MS; again, based on the Addressing & VLANs section, it will tag the response appropriately and send it out the correct interface so it reaches the MS.

More info here:

https://documentation.meraki.com/MS/Layer_3_Switching/Configuring_DHCP_Services_on_the_MX_and_MS

https://documentation.meraki.com/MX/DHCP/DHCP_Services

leadtheway

OK, I've set up the VLANs on the MX and gave it an IP, so for the local network the MX will be the DFGW. I also have DHCP set up for each VLAN. There is a trunk port connected from the MX to the MS with all VLANs allowed. So you're saying I just need to set up the helper on the 350 so that ports assigned a particular VLAN will get the respective DHCP address? This is where it gets confusing, because of using the MS as a layer 3 for the edge and still needing to use the rest of the ports for access for the local network.

Actually, no. As far as I understood, you don't have VLANs on the MS that the MX doesn't know about, so helper/relay is not necessary. The client will broadcast the DHCP discover. Through the trunk, that broadcast should reach the MX on its own, without relay. It's only when the MX doesn't have an IP address in the client's subnet that relay is needed.

leadtheway

So the way it's set up now should work? The MX will advertise the VLANs over the trunk port?

Let's take an example. Imagine a client in the 10.10.100.0/24 subnet; it doesn't know about VLANs, so it needs an access port on the MS. Imagine we use VLAN 100 for it.

  • Set the port to which the client is connected to access for VLAN 100:

[image: switch_vlan_config.PNG]

  • Then we need to reach the MX. We'll transfer all client VLANs over a single link, so that will need to be a trunk. You can indeed set the trunk so that all VLANs are allowed:

[image: switch_vlan_config_trunk.PNG]

On the other end, on the MX, you'll have the client VLANs defined; here's an example for one of the VLANs. 10.10.100.254 will be the MX's IP address and the default gateway for the clients:

[image: MX_vlan_config.PNG]

By default the ports on the MX are already configured as trunks with all VLANs allowed, so no changes are necessary there:

[image: MX_vlan_port_settings.PNG]

This means the broadcast domain for the 10.10.100.0/24 network includes the access port, the trunk port on the MS and the trunk port on the MX.


leadtheway

Yep, already tested and it appears to be working. Just getting used to how Meraki does things. It's pretty simple once you get the hang of it. Thanks!

leadtheway

Just a follow-up: so if I plug in another MS switch or stack and the uplink is a trunk, should it go to the MS switch or the MX, or does it matter?

Doesn't really matter, both will work. But of course there are nuances. If you hook it up to the MS then it becomes an extra point of failure: the MX can go down and the MS can go down. But you don't have to use an extra MX port.

In a real highly available (and larger) design you'd have two MXs (one as warm spare), then two L3 switches in VRRP (likely fiber switches like the MS410 or up), and then have all your access stacks double-uplinked to that pair of L3 switches.

Also, in your current design the routing is done by the MX. In larger deployments, if a lot of inter-VLAN traffic is expected, sometimes an extra L3 layer is better. In that case the central MS would actually become the router instead of the MX. But then you need the DHCP relay thing and a static route for the VLANs you're going to route on the MS. But I don't want to overcomplicate your setup...
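As an added example (not code from this thread or from Meraki), here is a small Python model of the two DHCP paths Brecht describes in his first reply and in the accepted solution: the MX participating in the VLAN, so the client's DHCP discover broadcast reaches it over the trunk, versus a VLAN that exists only on the MS, where the MS must relay to the MX and the MX needs a static route back, which is also what the "MS becomes the router" design in the last reply requires. The topology, addresses, VLAN IDs and port numbers are constructed for the example, and the dataclass field names are my own labels, not Dashboard API fields. It also checks two things the thread does not spell out: the relayed request leaves the MS from the interface facing the relay target, so that VLAN (not the client's) is the one that has to cross the trunk, and an MX IP outside its own VLAN subnet or overlapping subnets will quietly break DHCP.

```python
# Added example (not from the thread or from Meraki): when does the MX answer
# DHCP for a client on an MS access port? Addresses and VLAN IDs are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple, Union

@dataclass
class MxVlan:
    vlan_id: int
    subnet: str           # e.g. "10.10.100.0/24"
    appliance_ip: str     # MX IP in the VLAN, the clients' default gateway
    dhcp: str = "server"  # "server", "relay" or "off"

@dataclass
class MxStaticRoute:
    subnet: str           # subnet that lives only behind the MS
    next_hop: str         # MS IP the MX forwards to (DHCP replies go here too)
    dhcp: str = "server"  # the MX can serve DHCP for static-route subnets as well

@dataclass
class MsL3Interface:
    vlan_id: int
    interface_ip: str               # e.g. "10.10.30.1/24"; also the relay source
    relay_to: Optional[str] = None  # "Relay DHCP to another server" target

@dataclass
class MsPort:
    port_id: int
    mode: str                                    # "access" or "trunk"
    vlan: Optional[int] = None                   # access VLAN
    allowed: Union[str, FrozenSet[int]] = "all"  # trunk: "all" or a VLAN set

def trunk_allows(port: MsPort, vlan_id: int) -> bool:
    return port.mode == "trunk" and (port.allowed == "all" or vlan_id in port.allowed)

def validate_mx_vlans(mx_vlans: List[MxVlan]) -> List[str]:
    """MX IP outside its own subnet, or overlapping subnets, both break DHCP quietly."""
    problems, seen = [], []
    for v in mx_vlans:
        net = ip_network(v.subnet)
        if ip_address(v.appliance_ip) not in net:
            problems.append(f"VLAN {v.vlan_id}: MX IP {v.appliance_ip} not in {v.subnet}")
        problems += [f"VLAN {v.vlan_id} overlaps VLAN {oid}" for oid, onet in seen if net.overlaps(onet)]
        seen.append((v.vlan_id, net))
    return problems

def dhcp_outcome(client_port, uplink, mx_vlans, mx_routes, ms_l3) -> Tuple[str, str]:
    """Return (outcome, reason) with outcome 'mx-direct', 'mx-via-relay' or 'no-dhcp'."""
    if client_port.mode != "access" or client_port.vlan is None:
        return "no-dhcp", "client port must be an access port in the client's VLAN"
    vid = client_port.vlan
    # Case 1: the MX has an interface in the VLAN. The discover is a broadcast,
    # so it reaches the MX as long as the trunk carries that VLAN. No relay needed.
    mx = next((v for v in mx_vlans if v.vlan_id == vid), None)
    if mx is not None:
        if not trunk_allows(uplink, vid):
            return "no-dhcp", f"VLAN {vid} is not allowed on the MS uplink trunk"
        if mx.dhcp != "server":
            return "no-dhcp", f"MX is in VLAN {vid} but its DHCP mode is '{mx.dhcp}'"
        return "mx-direct", f"MX answers from {mx.appliance_ip} over the trunk"
    # Case 2: the VLAN exists only on the MS. The MS relays the discover as a
    # unicast to the MX; the MX needs a static route for the client subnet both
    # to choose the scope and to send the offer back through the MS.
    l3 = next((i for i in ms_l3 if i.vlan_id == vid), None)
    if l3 is None or l3.relay_to is None:
        return "no-dhcp", f"MX has no interface in VLAN {vid} and the MS does not relay it"
    if l3.relay_to not in {v.appliance_ip for v in mx_vlans}:
        return "no-dhcp", f"relay target {l3.relay_to} is not an MX VLAN IP"
    # The relayed unicast leaves the MS from the interface facing the relay
    # target, so that VLAN (not the client's) is the one that must cross the trunk.
    src = next((i for i in ms_l3 if ip_address(l3.relay_to) in ip_network(i.interface_ip, strict=False)), None)
    if src is None or not trunk_allows(uplink, src.vlan_id):
        return "no-dhcp", "MS has no trunk-reachable interface towards the relay target"
    giaddr = ip_address(l3.interface_ip.split("/")[0])
    route = next((r for r in mx_routes if giaddr in ip_network(r.subnet)), None)
    if route is None or route.dhcp != "server":
        return "no-dhcp", f"MX has no static route with DHCP enabled covering {giaddr}"
    if route.next_hop not in {i.interface_ip.split("/")[0] for i in ms_l3}:
        return "no-dhcp", f"static route next hop {route.next_hop} is not an MS interface IP"
    return "mx-via-relay", f"MS relays {giaddr} -> {l3.relay_to}; MX serves {route.subnet} via {route.next_hop}"

# Constructed topology: VLANs 100 and 200 are on the MX (case 1), VLAN 300 is only
# on the MS and relayed (case 2), VLAN 250 has DHCP off, VLAN 400 exists nowhere.
MX_VLANS = [MxVlan(100, "10.10.100.0/24", "10.10.100.254"),
            MxVlan(200, "10.10.200.0/24", "10.10.200.254"),
            MxVlan(250, "10.10.250.0/24", "10.10.250.254", dhcp="off")]
MX_ROUTES = [MxStaticRoute("10.10.30.0/24", next_hop="10.10.100.1")]
MS_L3 = [MsL3Interface(100, "10.10.100.1/24"),
         MsL3Interface(300, "10.10.30.1/24", relay_to="10.10.100.254")]
UPLINK = MsPort(24, "trunk")  # default allowed="all", like the thread's trunk
PORTS = {3: MsPort(3, "access", vlan=100), 5: MsPort(5, "access", vlan=300),
         7: MsPort(7, "access", vlan=400), 9: MsPort(9, "access", vlan=250)}

if __name__ == "__main__":
    for problem in validate_mx_vlans(MX_VLANS):
        print("config problem:", problem)
    for port in PORTS.values():
        print(port.port_id, *dhcp_outcome(port, UPLINK, MX_VLANS, MX_ROUTES, MS_L3))
```

Run it as-is to see each constructed port classified; swap `UPLINK` for a pruned trunk such as `MsPort(24, "trunk", allowed=frozenset({200, 300}))` and both the VLAN 100 client and the relayed VLAN 300 client lose DHCP, the latter because the relay's source VLAN 100 no longer crosses the trunk even though VLAN 300 does.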
