MX250 Static Routing Issues

ECI_Adelaide
Conversationalist

I am in the process of replacing our entire core network with brand new Meraki Equipment. Before I can do the rest of the network I need to replace the router so we can use our new fibre connection we have and turn the old copper WAN one off. Right now we use a very dated checkpoint appliance which has been there for years and years but only capable of 100mbps where we now have a 1Gbps connection.

 

I have setup the new WAN link through the new MX250 one might say the easy bit. I have patched in Port3 in the MX250 directly into our existing (and old) HP Aruba core stack and ensured that it's a trunk port at both ends so everything should flow.

 

On our HP network we have address ranges with 10.1.1 and 10.1.5 and 10.1.21 and 10.60.2 and 10.100.1 as well as 172.17.4 and 172.17.20 and 172.17.21 and 172.17.99 and 172.17.99.100

 

I have a few questions on how best to achieve what we need right now. Do I use routed mode or Passthrough? Single LAN or VLAN given the situation?

 

Also:

 

  1. The checkpoint has a static IP of 172.17.99.1 and yet the MX250 doesn't so I am not sure what to use when setting up the routes (I can see that all our switches can have an IP set in them, why not the MX appliance?)
  2. Could the VLAN setup inside the HP Aruba core be causing issues?
  3. Should we setup our entire stack with MX250, MS425-16, MS355-48x and edge switches of MS255-48FP rather than messing with integration first into the HP Aruba?
ww
Kind of a big deal

The mx can only assign ip to vlans.

So put the mx in routed mode and enable vlans.

Then assign (or change) the vlan ip to "172.17.99.x".

You can use that vlan on a port (3) as untagged/native vlan.

 

Then you can set static routes, or create more vlans if you want the mx to do the routing between those vlans

ECI_Adelaide
Conversationalist

Thanks @ww 

 

2 follow up questions if I may. 

 

  1. I assume that like most routers the gateway IP can be set as any IP in that range such as x.x.x.254?
  2. With the static route the next hop should be the IP of the mx250 appliance? (checkpoint has the IP of the checkpoint in it) but I cannot find a way to set an IP on the mx250.....

 

thanks in advance

ww
Kind of a big deal

ECI_Adelaide
Conversationalist

thanks @ww - I'm getting there finally.

 

this is what the old system had in it 

ECI_Adelaide_0-1612123698833.png

 

I setup a basic route to cover 10.1.21.x and 10.1.1.x which the majority of our devices live on.

ECI_Adelaide_1-1612124755681.png

 

if I VPN into the mx250 I can ping the items but they are servers with web interfaces which won't work. I cannot even RDP into a server that has address 10.1.1.19. thoughts?

Bruce
Kind of a big deal

@ECI_Adelaide looking at your old route list I’d suggest that your Aruba switches are doing the bulk of the routing, not the Checkpoint.

 

It appears that you should have a transit VLAN (likely VLAN 1) between the MX250 and Aruba switches, this is 172.19.99.0/24. The Aruba core will have an address in this subnet (maybe 172.19.99.1), and the MX will need to have another on its VLAN 1 (e.g. 172.19.99.2). You then need to set static routes on the MX for all the VLANs that come off the Aruba core - e.g. destination 10.1.0.0/16 is via the transit VLAN, so the next hop would be 172.19.99.1 (or whatever the address in the transit VLAN on the Aruba stack is). You’ll also need to make sure that the MX keeps the same IP address as the Checkpoint had in the transit VLAN, or update the default route on the Aruba stack to point to the new IP address of the MX on the 172.19.99.0/24 subnet.

 

It’s not an overly complex task to configure, but you need to have a sound understanding of IP addressing and routing.

ECI_Adelaide
Conversationalist

hi @Bruce thanks for your suggestions and advice.

 

In checking the checkpoint is 172.17.99.2 and the Aruba Core is 10.1.1.1 so a little different. I assume the theory is still the same in that the:

 

I should set default vlan on MX to 172.17.99.0/29 with IP 172.17.99.3 then do routes such as:

 

ECI_Adelaide_0-1612164566487.png

 

And then for testing set the default gateway on the Aruba stack to 172.17.99.3 from 172.17.99.4 

 

Bruce
Kind of a big deal

I’m pretty sure on the Aruba stack you’ll find VLAN 99 configured with address 172.17.99.1. If not then you should find where 172.17.99.1 is, as that seems to be doing most of your routing.

 

As you said, you can create VLAN 99 (make sure the MX is in VLANs mode, not single VLAN) on your MX with the IP address of 172.17.99.3/24 - assuming nothing else is using it - which will make testing easy, followed by replacement of the Checkpoint. You then need the switch port on the MX that will connect to the Aruba stack configured the same way as the port on the Aruba stack that connects to the MX - I would tend to go with a trunk, native (or untagged) VLAN as 99, allow all VLANs.

 

Your static routes on the MX should have a gateway IP of 172.17.99.1, so that traffic that is intended for the remote VLANs is sent to the next hop - which should be the same next hop that the Checkpoint currently uses (probably the Aruba stack). Then as you say you can test by changing the Default Route on the Aruba stack to 172.17.99.3 (it’s probably currently pointing to the Checkpoint on 172.17.99.2). You can test by trying to Ping the MX (172.17.99.3) from your 10.1.1.0/24 Corporate network, if that works you’re heading the right way.
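The next-hop rule discussed in this thread, as an added example that is not part of any poster's reply: a Python check that each planned static route points at a neighbour on a VLAN the MX is attached to, not at the MX's own address. VLAN 99 at 172.17.99.3/24, the 172.17.99.1 next hop, 10.1.0.0/16 and 10.1.1.19 come from the thread; the route names, the /24 masks and the other host addresses are assumptions.

```python
import ipaddress

def check_routes(mx_vlans, routes):
    """Return (route name, problem) pairs for a planned MX static-route table."""
    ifaces = [ipaddress.ip_interface(cidr) for cidr in mx_vlans.values()]
    problems = []
    for name, subnet, gateway in routes:
        dest = ipaddress.ip_network(subnet)
        gw = ipaddress.ip_address(gateway)
        # The next hop must sit on a subnet the MX is directly attached to.
        if not any(gw in i.network for i in ifaces):
            problems.append((name, "next hop is not on a connected VLAN"))
        # The next hop is the neighbouring router, never the MX's own VLAN IP.
        if any(gw == i.ip for i in ifaces):
            problems.append((name, "next hop is the MX itself"))
        # A destination inside a connected VLAN needs no static route.
        if any(dest.subnet_of(i.network) for i in ifaces):
            problems.append((name, "destination is already directly connected"))
    return problems

def unreachable(hosts, mx_vlans, routes):
    """Hosts covered by neither a connected VLAN nor any static route."""
    nets = [ipaddress.ip_interface(c).network for c in mx_vlans.values()]
    nets += [ipaddress.ip_network(subnet) for _, subnet, _ in routes]
    return [h for h in hosts
            if not any(ipaddress.ip_address(h) in n for n in nets)]

# From the thread: VLAN 99 on the MX, next hop 172.17.99.1 on the Aruba side.
MX_VLANS = {99: "172.17.99.3/24"}

# Constructed plans (names and /24 masks are assumptions for illustration).
GOOD = [("corp", "10.1.0.0/16", "172.17.99.1"),
        ("servers", "172.17.4.0/24", "172.17.99.1")]
BAD = [("self", "10.1.0.0/16", "172.17.99.3"),      # MX's own IP as next hop
       ("offnet", "10.60.2.0/24", "10.1.1.1"),       # gateway not on VLAN 99
       ("shadow", "172.17.99.0/24", "172.17.99.1")]  # repeats VLAN 99 itself

# 10.1.1.19 is the server named in the thread; the other two are constructed.
HOSTS = ["10.1.1.19", "10.100.1.10", "172.17.99.100"]

if __name__ == "__main__":
    print("good plan problems:", check_routes(MX_VLANS, GOOD))
    for name, problem in check_routes(MX_VLANS, BAD):
        print(f"bad plan: {name}: {problem}")
    print("no route for:", unreachable(HOSTS, MX_VLANS, GOOD))
```
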
