Meraki

Community

MX64W

Solved
Dudley5526
Here to help
‎Nov 26 2024 2:37 PM
‎Nov 26 2024 2:37 PM

MX64W

I have a site-to-site VPN using a MX250 as the hub and a MX64W as a spoke.  The MX64W is connected to the network using a CAT6 cable connected to an MS120 switch in the main network closet.  Wireless connections on the MX64W receive dhcp addresses from the vlan setup on the MX64W and are able to access the Internet.  There are 4 ports on the MX64W and I don't get any connectivity.  Where should I look?

0 Kudos
1 Accepted Solution
In response to Dudley5526
RWelch
Kind of a big deal
Kind of a big deal
‎Dec 4 2024 12:31 PM
‎Dec 4 2024 12:31 PM

Your MX uplink will be the IP address it obtains dynamically from the ISP.  I would NOT change that unless they suggest you do so.  The MX uplink will be different than the LAN IP address because the LAN VLANs and subnets are internal.  The MX uplink should remain WAN (external) and not LAN (internal).

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.

View solution in original post

0 Kudos
16 Replies 16
RWelch
Kind of a big deal
Kind of a big deal
‎Nov 26 2024 3:35 PM
‎Nov 26 2024 3:35 PM

Per-PortVLANSettings.png

Dashboard > Security & SD-WAN > Configure > Addressing & VLANs
Then look at Per-Port VLAN Settings for the additional ports on your MX64W

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
In response to RWelch
Dudley5526
Here to help
‎Nov 27 2024 12:06 PM
‎Nov 27 2024 12:06 PM

I changed Port 4 from drop untagged traffic to Native Vlan, and it disappeared.  How do I get it back?
This is the other 3
Dudley5526_1-1732737718247.png

 


 

This is the Site-to-Site VPN settings. Are they correct?
Dudley5526_2-1732737759096.png
I inherited this network.  I've had to untangle other setups.

 

 
Thank you for your help!
0 Kudos
In response to Dudley5526
RWelch
Kind of a big deal
Kind of a big deal
‎Nov 27 2024 12:22 PM
‎Nov 27 2024 12:22 PM

The VPN setting for either 192 subnet would need to be enabled on the spoke (MX64W) to be able to go to the HQs hub which is checked as the default route.

 

what ever you toggle on for VPN enabled (192 subnet) would be set as access vlan on the MX port for clients.

 

the downlink to the ms120 would typically have a native vlan for management of the switch plus whatever 192 subnets your clients use.

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
In response to Dudley5526
RWelch
Kind of a big deal
Kind of a big deal
‎Nov 27 2024 12:26 PM
‎Nov 27 2024 12:26 PM

The default 192 subnet is likely the native vlan (set trunk downlink to ms120 as that vlan) and in the allowed vlans on the downlink allow both the native vlan and client vlan.

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
Dudley5526
Here to help
‎Dec 2 2024 11:51 AM
‎Dec 2 2024 11:51 AM

Good afternoon Rwelch!

I enabled the default VPN settings on the spoke.  

 

The default 192 subnet is likely the native vlan (set trunk downlink to ms120 as that vlan) and in the allowed vlans on the downlink allow both the native vlan and client vlan.

How do I set the trunk downlink to the MS120 as that vlan? 

This is the port on the MS120

Dudley5526_0-1733168938088.png

 

0 Kudos
In response to Dudley5526
RWelch
Kind of a big deal
Kind of a big deal
‎Dec 2 2024 11:59 AM
‎Dec 2 2024 11:59 AM

What are your VLAN numbers (Security & SD-WAN > Configure > Addressing & VLANs under Routing)

IF your default VLAN subnet 192.168.125 is likely the  default VLAN (say it's VLAN # is 125) and your client VLAN 192.168.2 (say it's VLAN # is 2) you would set it as:

Native VLAN = 125
Allow VLANs = 2,125 (allow vlan 2 comma vlan 125)



You would also need to configure the trunk UPLINK on the MS120 to reflect the same (STP disabled on the TRUNK uplink to the MX)

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
In response to RWelch
Dudley5526
Here to help
‎Dec 4 2024 11:00 AM
‎Dec 4 2024 11:00 AM

Routing VLANS on MX

 

Dudley5526_0-1733338607099.png

 

 

0 Kudos
In response to Dudley5526
RWelch
Kind of a big deal
Kind of a big deal
‎Dec 4 2024 11:07 AM
‎Dec 4 2024 11:07 AM

VLAN1 would be the only default VLAN (subnet) on the local MX.  The Client VLAN or VPN option would be external clients connecting to your SPOKE.

Your MX port downlink and MS port would remain the same as you have it set native VLAN1 and allow VLANs to all.

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
In response to RWelch
Dudley5526
Here to help
‎Dec 4 2024 11:04 AM
‎Dec 4 2024 11:04 AM

I disabled RSTP on the uplink on the MS120

Dudley5526_1-1733338886113.png

 

0 Kudos
In response to Dudley5526
RWelch
Kind of a big deal
Kind of a big deal
‎Dec 2 2024 12:03 PM
‎Dec 2 2024 12:03 PM

Screenshot 2024-12-02 at 14.01.05.png

You would also want to double check the native VLAN and make sure it's set correctly under Switching > Configure > Switch Settings under the VLAN Configuration.

All must align correctly for the management VLAN.

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
In response to RWelch
Dudley5526
Here to help
‎Dec 4 2024 11:07 AM
‎Dec 4 2024 11:07 AM

The Switch settings on the hub VLAN configuration: Management VLAN is 1

I don't have any switches on the spoke

0 Kudos
In response to Dudley5526
RWelch
Kind of a big deal
Kind of a big deal
‎Dec 4 2024 11:10 AM
‎Dec 4 2024 11:10 AM

Screenshot 2024-12-04 at 13.09.36.png

RSTP should remain enabled.  For the MS120 uplink to the MX you would put STP Guard to disabled because the MX doesn't participate in STP.

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
In response to RWelch
Dudley5526
Here to help
‎Dec 4 2024 12:26 PM
‎Dec 4 2024 12:26 PM

I re-enabled RSTP; the STP guard was already set to disable.

 

Should the MX Uplink be set to Dynamic? Its IP address is different than the VLAN.  It also set as a WAN, should it be a LAN

Dudley5526_0-1733343818279.png

 

0 Kudos
In response to Dudley5526
RWelch
Kind of a big deal
Kind of a big deal
‎Dec 4 2024 12:31 PM
‎Dec 4 2024 12:31 PM

Your MX uplink will be the IP address it obtains dynamically from the ISP.  I would NOT change that unless they suggest you do so.  The MX uplink will be different than the LAN IP address because the LAN VLANs and subnets are internal.  The MX uplink should remain WAN (external) and not LAN (internal).

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
In response to RWelch
Dudley5526
Here to help
‎Dec 4 2024 1:25 PM
‎Dec 4 2024 1:25 PM

Thank you for all of your help.  VPN was enabled on VLAN1 on the MX but the Client VPN Server was disabled.  I disabled the VPN mode on the VLAN and the device that was in port one obtained an IP address from the MX's DHCP.

Couldn't have figured it out without you.

In response to Dudley5526
RWelch
Kind of a big deal
Kind of a big deal
‎Dec 4 2024 1:27 PM
‎Dec 4 2024 1:27 PM

Glad it worked out for you @Dudley5526 👏👏👏

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
Back to the top
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.