Meraki MX and trunk port

David-Lima
Here to help

Hello all.

I'm testing MX features like content filtering.

I have an MX100 connected to a WS-C4507 and the ports are configured in trunk mode.

I have created 4 VLANs on the Meraki MX100 (1 native, 111, 112 and 113).

I have created 1 group policy to deny adult, social network, email, abortion and phishing content.

Finally I applied this group policy to all Vlans.

 

The issue is that the group policy is working only for VLAN 1; all the other VLANs have internet access without restriction.

 

I don't know if I'm missing something or need to enable something else so the group policy works for all the VLANs in the same way.

 

Best regards.

 

David Lima. 

23 Replies
PhilipDAth
Kind of a big deal

Are you applying the group policy to the VLANs or individual clients?

David-Lima
Here to help

Hi Philip, thanks for your answer.

I'm applying the GP to the VLAN.

 

Regards.

David 

Fady
Meraki Employee

Can you make sure to apply the group policy that you created to each VLAN manually under the VLAN and Addressing menu?

Also, if you want to apply this policy to all VLANs, then you can use the global policy on the MX which will get applied to all VLANs by default. 

[Image: Screen Shot 2018-08-10 at 4.16.59 PM.png]

David-Lima
Here to help

Hi Fady. Thanks for your comments.

 

The group policy is applied under each VLAN; I also restarted the MX but got the same result.

 

The content filtering only works if I apply the group policy per client.

 

The switch C4507 acts as a DHCP server for all the VLANs.

 

I hope you have some clue.

 

Regards.

 

David Lima.

 

 

PhilipDAth
Kind of a big deal

A bit of a long shot, but try upgrading to the 14.x code train. It had some changes to do with content filtering in it a while back.

 

Do these clients use the MX as their default gateway?

David-Lima
Here to help

Hi Philip, thanks for your time.

 

I think I found something:

 

1. When our Cisco switch C4507 acts as the DHCP server:

   - The MX client monitor tool shows the following for a client that is configured in VLAN 118:

Network
IPv4 address:10.2.118.40
MAC address:88:5a:92:27:a7:ff
VLAN:1 — Default
Port forwarding:none
1:1 NAT IPs:none

   - The result is that the user can access the Internet without restriction because VLAN 1 doesn't have a group policy applied.

2. When the MX100 acts as the DHCP server:

   - The MX client monitor tool shows the following for a client that is configured in VLAN 118:

Network
IPv4 address:10.2.118.84
MAC address:70:28:8b:e6:dd:8d
VLAN:118 — Vlan118-TI
Port forwarding:none
1:1 NAT IPs:none

   - The result is OK, because the user can access the Internet and is limited by the group policy applied per VLAN.

 

I don't know if the DHCP configured on our switch C4507 needs a special code, like for phones (option 150).

 

Any advice will be appreciated.

 

Regards.

David Lima.

PhilipDAth
Kind of a big deal

I would move the DHCP onto the MX. You can configure the MX to give out option 150 like on the 4500.

David-Lima
Here to help

Hi Philip, thanks for your suggestion.

 

In a production environment, it will be a little hard because I have almost 60 VLANs. I think there should be a way to keep the C4507 as a DHCP server.

 

If you have any suggestion, please let me know.

 

Have a great weekend.

 

David Lima.

Fady
Meraki Employee

Hey mate

 

You might need to check if you configured your switch ports to your users as access or trunk, and also we need to make sure that users are located in the right VLAN.

I suspect it's a VLAN assignment issue. Also, are you using Data and Voice VLANs?

David-Lima
Here to help

Hi Fady, thanks for taking the time to answer.

I can confirm that the switch port that is connected to the MX is configured in trunk mode.
I think the connection is simple:

Internet --- MX100 ---- C4507(DHCP)---PC

I have 5 VLANs created and this issue is happening with every VLAN created on the MX100.

If the DHCP server is the MX100, the PC is tagged correctly to each VLAN and content filtering works perfectly. But I want the C4507 to act as the DHCP server for all my network.

Also, the C4507 is the default gateway for the PCs.

 

--- C4507E ---
ip dhcp pool VlanTI
 network 10.2.118.0 255.255.255.0
 default-router 10.2.118.51
 option 150 ip 10.2.100.10
 dns-server 10.2.0.102

interface GigabitEthernet1/22
 description -- MERAKI MX100 --
 switchport mode trunk
 no logging event link-status

interface GigabitEthernet1/36
 switchport access vlan 118
 switchport mode access
 no logging event link-status

 

I've opened case 02890362 if you want to take a look for more details.

Best regards.
David Lima.

PhilipDAth
Kind of a big deal

When doing DHCP on the 4500 for the specific VLANs - have you made the default gateway the MX? Otherwise the MX will see the traffic as coming from the 4507 - and not from your clients.

Fady
Meraki Employee

Actually, the source and destination IPs won't change, so the MX will still see the traffic coming from the host's IP but with the MAC address of the switchport. But you are right that we need to point the default gateway to the MX in order for the policy to be attached.

PhilipDAth
Kind of a big deal

>Actually, the source and destination IPs won't change so the MX will still see the traffic coming from the hosts IP but the MAC address of the switchport.

 

Remember, by default, group policy and client tracking is applied based on MAC address not IP address ...

Fady
Meraki Employee

Agreed, but because we are using a Layer 3 switch, we should use IP tracking.

Great point, @Philip

PhilipDAth
Kind of a big deal

>Agreed, but because we are using Layer 3 switch, we should use IP tracking.

 

If the default gateway in DHCP is pointed to the MX for the clients then everything will be at layer 2.

Fady
Meraki Employee

Correct, that is why I asked to point the default gateway to the MX, or the other option, to track users by IP and keep the default gateway as the switch.
Both scenarios should allow the group policy to be applied correctly.

David-Lima
Here to help

Hello Fady and Philip. First of all, I want to thank both of you for your time.

 

Here is an update:

Regarding your suggestions:

  • Keep the switch as your DHCP. (Done)
  • Configure the MX and switch connection to be trunk. (Done)
  • Have the VLANs also configured on the MX. (Yes, done)
  • Use the default gateway to the MX. (It works if the default gateway is the MX, but my goal is to keep the C4507 as the default gateway)
  • Then apply the group policy. (Done)
  • Track users by IP address. (Done)

RESULT: The group policy applied per VLAN is still not working :(.

 

Please see the diagram picture.

 

The switch C4507 has an IP default route pointing to the MX VLAN 1 IP address (10.2.0.19):
ip route 0.0.0.0 0.0.0.0 10.2.0.19

 

If I change the IP route to point to the MX VLAN 118 IP address (10.2.118.19):

ip route 0.0.0.0 0.0.0.0 10.2.118.19

Then the group policy applied for VLAN 118 works fine.

 

As a temporary test, I'm doing a route-map for VLANs 1, 113 and 118, so the next hop will be the MX VLAN IP address. The first result is that the group policy applied per VLAN is working.

Vlan 1:   10.2.0.0/24   -> Next hop 10.2.0.19
Vlan 113: 10.2.113.0/24 -> Next hop 10.2.113.19
Vlan 118: 10.2.118.0/24 -> Next hop 10.2.118.19

 

Weird? I know, but I can't find another way to make it work if I want to keep the C4507 as the default gateway.
Any suggestion will be very appreciated.
Very best regards.

 

David Lima.

 

[Image: Network diagram.png]

 

PhilipDAth
Kind of a big deal

What you will find is that when you are using the 4500 as the default gateway it will forward the traffic based on its default route. This will always be done via the VLAN that the default gateway is via - not the VLAN that the traffic originated in.

 

As a result, the MX can no longer see the VLAN that the client traffic came from.

 

 

You could potentially use policy routing on the 4500 to overcome this, but it is a lot of work and complexity.
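The per-VLAN policy routing that Philip mentions and David tested, written out for one VLAN as an added IOS example (this is not configuration from either poster; the ACL and route-map names, and 10.2.0.0/16 as the summary of the internal VLANs, are assumptions):

```cisco
! Added example, not from the thread. Assumes all internal VLANs sit
! inside 10.2.0.0/16, 10.2.118.51 is the SVI (clients' default gateway)
! and 10.2.118.19 is the MX's VLAN 118 address, as shown in the thread.
!
! Match only Internet-bound traffic from VLAN 118. Traffic to other
! internal VLANs is denied here, so it falls through to the normal
! routing table and stays on the C4507 instead of hairpinning via the MX.
ip access-list extended PBR-VLAN118-INTERNET
 deny   ip 10.2.118.0 0.0.0.255 10.2.0.0 0.0.255.255
 permit ip 10.2.118.0 0.0.0.255 any
!
! Hand matched traffic to the MX on the VLAN it originated in, so the
! MX still sees it as VLAN 118 and can attach that VLAN's group policy.
route-map PBR-VLAN118 permit 10
 match ip address PBR-VLAN118-INTERNET
 set ip next-hop 10.2.118.19
!
! Apply the policy on the SVI that the DHCP pool hands out as gateway.
interface Vlan118
 ip address 10.2.118.51 255.255.255.0
 ip policy route-map PBR-VLAN118
!
! Repeat the ACL, route-map and SVI binding with each VLAN's own subnet
! and MX address (VLAN 113 -> 10.2.113.19, VLAN 1 -> 10.2.0.19, ...).
! Verify with: show route-map PBR-VLAN118   (policy routing match counts)
```

One ACL, route-map and SVI binding per VLAN is exactly the "lot of work and complexity" Philip refers to; the route-map counters are the quickest way to confirm that Internet-bound traffic is actually being policy-routed rather than following the default route.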

David-Lima
Here to help

Hi Philip, I completely agree with you. Using policy routing is a lot of work.

I also have a case opened with Meraki.

 

I'm still waiting for an update on whether there is a way to overcome this, I mean whether there is a way to keep the C4507 as the default gateway.

I'll keep in touch with you.

Regards.

David Lima.

Fady
Meraki Employee

Can I ask why you need the default gateway to be the switch?

David-Lima
Here to help

Hello Fady, of course you can.

 

Currently, our switch C4507 (with redundant Sup) acts as DHCP server, default gateway and IP router.

It has almost 30 VLANs, and it has 3 MPLS firewalls and 10 remote sites connected through fiber optic.
Well, I can say that it is our core switch for my network.

 

Your suggestions are always very welcome.

 

Regards.

 

David Lima.

Fady
Meraki Employee

I guess the question I have here is: do you have a lot of inter-VLAN communication across those 30 VLANs?

Fady
Meraki Employee

Thanks for the details.

 

Here is how to solve the problem:

  • Keep the switch as your DHCP.
  • Configure the MX and switch connection to be trunk.
  • Have the VLANs also configured on the MX.
  • Use the default gateway to the MX.
  • Then apply the group policy.

That should work; let me know if it doesn't.
