Meraki

Community

Routing Between two Networks on the same Organization

GNygren
Conversationalist
‎May 14 2025 11:49 AM
‎May 14 2025 11:49 AM

Routing Between two Networks on the same Organization

I have a Guest network set up in our Meraki Organization using a Z3 appliance. It is the DHCP server for the guest network. We have a main office network including MX100s, MS225s, MS250s and Wireless Access Points. There is a link between our Guest Network and Main network to allow clients connecting to the wireless access points to gain access to the DHCP service and network hosted on the guest gateway. (Access ports on the VLAN hosted on the Z3 that connects to an access port on the Main network on the same VLAN). 

I attempted to create an interface on the Z3 for a network hosted on the L3 switches in our main network, update the uplink ports to allow the same network on the uplink ports and created static routes on both ends. Saving these changes triggered errors, which I can provide photos of. 

The problem I am trying to solve is allowing client devices on the Guest network (Z3 hosted) to reach certain devices on the main network. It seems like the way I tried should work, but I am getting errors on both sides and not sure how best to proceed with solving this. 

Guest Gateway.jpg

Routing and DHCP.jpg

0 Kudos
7 Replies 7
alemabrahao
Kind of a big deal
Kind of a big deal
‎May 14 2025 11:54 AM
‎May 14 2025 11:54 AM

If the MX100 is the HUB and the Z3 Spoke should already have the route to this network in the routing table, no additional configuration is necessary.

Can you share a screenshot of the routing table of both the MX and the Z3?

 

https://documentation.meraki.com/MX/Networks_and_Routing/Route_Table

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
alemabrahao
Kind of a big deal
Kind of a big deal
‎May 14 2025 11:56 AM
‎May 14 2025 11:56 AM

If possible also share a screenshot of the network interfaces of MX, Z3 and MS.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
GNygren
Conversationalist
‎May 14 2025 11:57 AM
‎May 14 2025 11:57 AM

Hi Alemabrahao, 

I was trying to do it with interfaces and static routes. I don't have the VPN tunnel established between these two networks yet, that was the next thing I was going to try if the static routes didn't work. 

 

I'll give that a try and update this thread when I have done that. 

Greg

0 Kudos
In response to GNygren
GIdenJoe
Kind of a big deal
Kind of a big deal
‎May 14 2025 12:56 PM
‎May 14 2025 12:56 PM

Hey, the meaning of a Z3 appliance is to use this at a remote location where only a handful of devices live and need access to resources in another Meraki MX network.

This means in the Z3 you should always enable the Site-to-site AutoVPN and have the Z3 set as spoke with the main MX100 as hub.  The moment you do that all the networks that are VPN enabled in the MX100 network will automatically be announced to the Z3 and the Z3 will have a route for them.

You are NOT allowed to create a static route on the Z3 for networks that exist on the MX00 that are VPN enabled and vice versa and this will throw an error.

In response to GIdenJoe
GNygren
Conversationalist
‎May 15 2025 6:24 AM
‎May 15 2025 6:24 AM

I'll set up the auto VPN with the Z3 as a spoke for the hub of our main office MX100 and use firewall rules to limit access. Thanks for the recommendation. 

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎May 14 2025 1:04 PM
‎May 14 2025 1:04 PM

I don't see what the Z3 adds to this solution.  Why not remove it (simpler), and move the guest VLAN to the MX100?  Then you can create firewall rules to allow whatever traffic you like.

In response to PhilipDAth
GNygren
Conversationalist
‎May 15 2025 6:23 AM
‎May 15 2025 6:23 AM

That is an option, however we have a separate public IP for our guest network which the Z3 manages. This is to allow us to secure resources in Entra and Azure based on conditional access rules and public IP addresses.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.