Hi Philip, thanks for your answer.

I'm applying the GP to the VLAN.

 

Regards.

David 

Hi Fady. Thanks for your comnents.

 

The policy group are applied under each Vlan, I also restart de MX but same result.

 

The content filtering only works if I apply the group policy per client.

 

The switch C4507 acts as a DHCP server for all the Vlans.

 

I hope you have some clue.

 

Regards.

 

David Lima.

 

 

A bit of a long shot, but try upgrading to 14.x code train.  It had some changes to do with content filtering in it a while back.

 

Do these clients use the MX as their default gateway?

Hi Philip, thanks for your time.

 

I think i found something:

 

1. When our Cisco Switch C4507 acts as a DHCP server.

    - The MX client monitor tool, shows the following for a client that is configured in a vlan 118: 

Network
IPv4 address:	10.2.118.40
MAC address:	88:5a:92:27:a7:ff
VLAN:	1 — Default
Port forwarding:	none
1:1 NAT IPs:	none

   - The result is that the user can Access Internet without restriction because Vlan1 hasn't a group policy applied.

 

1. When MX100 acts as a DHCP server.

    - The MX client monitor tool, shows the following for a client that is configured in a vlan 118: 

Network
IPv4 address:	10.2.118.84
MAC address:	70:28:8b:e6:dd:8d
VLAN:	118 — Vlan118-TI
Port forwarding:	none
1:1 NAT IPs:	none

  - The result is OK, because the user can Access to Internet and is limited by the group policy applied per VLAN.

 

I don't know if DHCP configured in our switch C4507 need an special code, like phones (option 150).

 

Any advice will be appreciated.

 

Regards.

David Lima. 

 

 

 

I would move the DHCP onto the MX.  You can configure the MX to give out option 150 like on the 4500.

Hi Philip, thanks for your suggestion.

 

In a production environment, It will be a Little hard because I have almost 60 Vlans. I think there should be a way to keep the C4507 as a DHCP server.

 

If you have any suggestion, please let me know.

 

Have a great weekend.

 

David Lima.

Hey mate

 

You might need to check if you configured you switch ports to your users as Access or Trunk and Also, we need to make sure that users are located in the right VLAN. 

I suspect, its VLAN assignment issue. Also, are you using Data and Voice VLANs?

Hi Fady, thanks for your time to answer.

I can confirm that the switch port that is connected to the MX is configured as a trunk mode.
I think the connection is simple:

Internet --- MX100 ---- C4507(DHCP)---PC

I have 5 Vlans created and this issue is happening with every vlan created in MX100.

If DHCP is MX100, the PC is tagged correctly to each Vlan and content filtering is working perfectly. But I want that C4507 acts as a DHCP server for all my network.

Also, the C4507 is the default Gateway for the PCs.

 

--- C4507E ---
ip dhcp pool VlanTI
 network 10.2.118.0 255.255.255.0
 default-router 10.2.118.51
 option 150 ip 10.2.100.10
 dns-server 10.2.0.102

 

interface GigabitEthernet1/22
 description -- MERAKI MX100 --
 switchport mode trunk
 no logging event link-status

 

interface GigabitEthernet1/36
 switchport access vlan 118
 switchport mode access
 no logging event link-status

 

I've opened a Case 02890362 If you want to take a look for more details.

Best regards.
David Lima.

When doing DHCP on the 4500 for the specific VLANs - have you made the default gateway the MX?  Otherwise the MX will see the traffic as coming from the 4507 - and not from your clients.

Actually, the source and destination IPs won't change so the MX will still see the traffic coming from the hosts IP but the MAC address of the switchport. But you are right, that we need to point the default gateway to the MX in order for the policy to be attached.

>Actually, the source and destination IPs won't change so the MX will still see the traffic coming from the hosts IP but the MAC address of the switchport.

 

Remember, by default, group policy and client tracking is applied based on MAC address not IP address ...

Agreed, but because we are using Layer 3 switch, we should use IP tracking.

Great Point @Philip

>Agreed, but because we are using Layer 3 switch, we should use IP tracking.

 

If the default gateway in DHCP is pointed to the MX for the clients then everything will be at layer 2.

Correct, that is why I asked to point the default gateway to MX or the other option, to track users by IP and keep the default gateway to be the switch.
Both scenarios should allow the group policy to be applied correctly.

Hello Fady and Philip. First of all, I want to thank your time to both of you.

 

Here is an update:

Regarding your suggestions:

•  Keep the switch as your DHCP. (Done)
•  Configure the MX and switch connection to be trunk. (Done)
•  Have the VLANs also configured on the MX. (Yes, done)
•  Use the default gateway to the MX. (It Works if the default Gateway is the MX, but my goal is to keep the C4507 as the default gateway)
•  Then apply the group policy. (Done)
• Tracked users by IP address (Done)

RESULT: The group policy applied per Vlan is still not working :(.

 

Please see the diagram picture.

 

The Switch C4507 has an ip default route pointing to MX Vlan1 IP address (10.2.0.19):
ip route 0.0.0.0 0.0.0.0 10.2.0.19.

 

If I change the ip route to point to MX Vlan118 IP address (10.2.118.19):

ip route 0.0.0.0 0.0.0.0 10.2.118.19.

Then, the policy group applied for the Vlan 118 Works fine. 

 

As a temporal test, I'm doing a route-map for Vlans 1, 113, 118, so the next hop will be the MX Vlan ip address. The first result is that the group policy applied per Vlan is working.

Vlan 1: 10.2.0.0/24 -> Next hope 10.2.0.19
Vlan 1: 10.2.113.0/24 -> Next hope 10.2.113.19
Vlan 1: 10.2.118.0/24 -> Next hope 10.2.118.19

 

Weird? I know, but I can't find another way to make it work if I want to keep the C4507 as the default Gateway.
Any suggestion will be very appreciated.
Very best regards.

 

David Lima.

 

 

What you will find is when you are using the 4500 as the default gateway it will forward the traffic based on its default route.  This will always be done via the VLAN that the default gateway is via - not the VLAN that the traffic originated in.

 

As a result, the MX can no longer see the VLAN that the client traffic came from.

 

 

You could potentially use policy routing on the 4500 to overcome this, but it is a lot of work and complexity.

Hi Philip, I'm completely agree with you. Use routing policy  is a lot of work.

I also have a case opened with Meraki.

 

I'm still waiting an update if there is a way to overcome this, I mean if there is way to keep the C4507 as a default Gateway.

I'll keep in touch with you.

Regards.

David Lima.

Can I ask, why you need the default gateway to be the switch?

Hello Fady, of course you can.

 

Currently, our Switch C4507(with redundant Sup) acts as a DHCP server, default Gateway and ip routing.

It has almost 30 Vlans, It has connected 3 MPLS Firewalls and 10 remote sites through fiber optic.
Well, I can say that it is our core switch for my network.

 

Your suggestions are always very welcome.

 

Regards.

 

David Lima.

 

 

 

I guess the question I have here, do you have a lot of inter-VLAN communication across those 30 VLANs?

Thanks for the details.

 

Here is how to solve the problem

•  Keep the switch as your DHCP.
•  Configure the MX and switch connection to be trunk.
•  Have the VLANs also configured on the MX.
•  Use the default gateway to the MX.
•  Then apply the group policy.

That should work, let me know if it doesn't