We have a client with a Meraki MX84; they have a number of VLANs that are correctly configured on the appliance as per the Meraki documentation.
The VLANs will route from the external interface but will not route internally. Any help as to why, please?
Hi @ChrisTownsend,
By default an MX will route inter-VLAN traffic on the configured LANs, so if yours is not then I would start looking at firewall rules and move out from there. I would suggest checking all rules under Security & SD-WAN > Firewall first, and then check any Group Policies that may exist, and where they are applied.
We've checked the firewall and even have added two rules to permit all traffic between two VLANs, to no effect. There are no firewall rules blocking VLAN routing and no GPs that affect routing (only a block on Bonjour).
The switches, all managed Dells, all have trunk ports enabled. All of the devices, regardless of VLAN (i.e. cabled or wireless connections), can route to the internet, just not internally.
We have a NAS on a VLAN. On the same subnet I can ping, tracert and browse to it via SMB and HTML. On any other VLAN I cannot; the tracert stops at the Meraki.
Are you able to use the packet capture feature to verify what is happening? You should be able to see a packet ingress and egress the MX.
My hunch is that there's a misconfiguration between the MX and the Dell switches with regards to VLAN tagging... Are you able to post the port config of the MX and the connected Dell switchports?
Alternatively, could Spanning Tree be in play here? Do you have multiple links between a single switch and the MX?
We have a Dell Interconnect 7048P as the top level distribution switch, connecting to two separate stacks of 2 x Dell N1548P's, that are spaced on a couple of floors. The server is plugged into the 7048P, the NAS is plugged into one of the 1548P stacks. There are no recursive loops in the network. The server is on VLAN 13 (10.64.13.0/24) the NAS on VLAN 1 (192.168.10.0/24).
>The Vlan's will route from the external interface but will not route internally.
You cannot route from the WAN interface to the inside, only the other way around. Traffic from a LAN interface to a WAN interface will be NATed with the WAN interface IP address.
Does the NAS have the correct default gateway configured? This could cause the problem you are seeing. The NAS could also have an access list set on it for the local subnet only. It is easier to check inter-VLAN routing with a PC in each one, and preferably use DHCP on both.
All devices are correctly configured; the NAS has the correct gateway set for its VLAN (it's statically assigned). The Meraki is handling DHCP for all the attached VLANs.
Do you have L3 switching enabled?
Do a packet capture on your trunk port on the MX84 which is connected to the core switch. When you try to ping across the VLANs, is any traffic reaching the MX84?
As a last resort, can you assign two ports on the MX84 as access ports to different VLANs and try pinging between them?
I'm guessing there's a routing or ACL issue somewhere in your switch stack.
Just in case someone else runs into this, when you're troubleshooting disable this in the firewall:
IP Source Address spoofing protection
Change it to LOG if you have a dup subnet that worked in the past; the MX might think it's spoofing a subnet on the MX.
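Two of the checks suggested in this thread (the host's default gateway matching the MX interface on its VLAN, and VLAN subnets that overlap and can trip IP source address spoofing protection) can be run offline against a written-down topology. The script below is an added example, not code from the thread or from Meraki; it uses the VLAN 13 / VLAN 1 subnets posted above, and the gateway addresses (.1), the host addresses and the deliberately wrong NAS gateway are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from itertools import combinations


@dataclass
class Vlan:
    vid: int
    subnet: str   # e.g. "10.64.13.0/24"
    gateway: str  # MX interface address on that VLAN (assumed .1 here)


@dataclass
class Host:
    name: str
    vid: int
    ip: str
    gateway: str  # default gateway the host is actually using


# Constructed topology from the thread; gateways and host addresses are assumed.
VLANS = [
    Vlan(13, "10.64.13.0/24", "10.64.13.1"),      # server VLAN
    Vlan(1, "192.168.10.0/24", "192.168.10.1"),   # NAS VLAN
]
HOSTS = [
    Host("server", 13, "10.64.13.20", "10.64.13.1"),
    Host("nas", 1, "192.168.10.50", "192.168.10.254"),  # constructed: wrong gateway
]


def check_host(host: Host, vlans: list) -> list:
    """Return reasons this host could fail to reach other VLANs via the MX."""
    vlan = {v.vid: v for v in vlans}.get(host.vid)
    if vlan is None:
        return [f"VLAN {host.vid} is not configured on the MX"]
    net = ipaddress.ip_network(vlan.subnet)
    issues = []
    if ipaddress.ip_address(host.ip) not in net:
        issues.append(f"{host.ip} is outside VLAN {host.vid} subnet {vlan.subnet}")
    if ipaddress.ip_address(host.gateway) not in net:
        issues.append(f"gateway {host.gateway} is not on subnet {vlan.subnet}")
    elif host.gateway != vlan.gateway:
        issues.append(f"gateway {host.gateway} is not the MX interface {vlan.gateway}")
    return issues


def overlapping_vlans(vlans: list) -> list:
    """VLAN id pairs whose subnets overlap: a duplicate subnet is what makes the
    MX treat cross-VLAN traffic as spoofed under source address spoofing protection."""
    return [(a.vid, b.vid) for a, b in combinations(vlans, 2)
            if ipaddress.ip_network(a.subnet).overlaps(ipaddress.ip_network(b.subnet))]


if __name__ == "__main__":
    for h in HOSTS:
        print(h.name, check_host(h, VLANS) or "ok")
    print("overlapping VLANs:", overlapping_vlans(VLANS))
```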