Meraki

Community

Weird routing issue\question

Solved
CiscoInstaller
Here to help
‎Nov 27 2019 2:26 AM
‎Nov 27 2019 2:26 AM

Weird routing issue\question

We are working on migrating an existing network setup to Meraki hardware and for the first stage need to make some of their existing config communicate with the new Meraki layout.

 

The existing setup consists of an internal LAN (utilising Cisco switching 172.31.109.0/24) and has a Draytek router installed in parallel that has an interface that is connected to the internal LAN and the WAN interface configured with a direct internet connection.

 

There is a wireless network inside the Draytek configuration (192.168.65.0/24) that provides DHCP to wireless clients and allows them to be segregated from the main internal LAN with firewall rules restricting access to just the servers on the internal LAN.

 

We have installed a Cisco Meraki network on a new IP range (192.168.48.0/22), which contains some new servers and plan to migrate some of the existing servers and service to this new LAN. Communication between the new Meraki LAN and the existing internal LAN is configured via a VLAN with routes in place to allow servers and clients on the old internal LAN to successfully communicate with servers on the new Cisco Meraki LAN.

 

We need to configure the Draytek such that clients on the wireless network (192.168.65.0/24) can access servers on both the old LAN (172.31.109/24) and the new Meraki LAN (192.168.48.0/22).

 

We attempted to do this by configuring another spare port on the Draytek with an IP address on the Meraki LAN and while this appears to allow communication between all LANs, caused an issue whereby intermittently the wireless clients could not access servers on either LAN (they were sometimes pingable, sometimes not). I believe that this behaviour suggests there was some form of network triangulation occuring.

 

Does anyone have any suggestions regarding the best way of configuring this communication, primarily on the Meraki side? Is it the case that there needs to be explicit VLAN configuration for the Draytek subnet on the Meraki infrastructure? Or static routes for this range to direct traffic for the Draytek subnet to the Draytek for the servers on the Meraki LAN?

 

Any suggestions appreciated!

 

0 Kudos
1 Accepted Solution
In response to CiscoInstaller
BrechtSchamp
Kind of a big deal
‎Nov 27 2019 8:10 AM
‎Nov 27 2019 8:10 AM

If I understand correctly you have both the draytek as well as the MX connected to the old and new VLANs? I think this will cause issues, as both may be doing DHCP and may be routing for the networks. Imo it's better to have one router dedicated to each subnet and interconnect the routers for the communication in between the two VLANs.

View solution in original post

3 Replies 3
BrechtSchamp
Kind of a big deal
‎Nov 27 2019 6:38 AM
‎Nov 27 2019 6:38 AM

You haven't specified much about your Meraki network. Do you have a Meraki MX?

 

I'm going to assume you do, as you're posting this in the Security & SD-WAN subforum. Ideally you could give your MX it's own internet connection independent of the Draytek one. What I would do in that case is connect the Draytek's LAN port to the Meraki MX LAN port. I'd create a separate /30 subnet specifically for this link.

 

  • Then you setup a route on the MX pointing with you Draytek subnet (172.31.109.0/24) with the next hop the Draytek address on this /30 subnet.
  • Also a route to the Wireless subnet (192.168.65.0/24) with the next hop the Draytek address on this /30 subnet.
  • Inversely, on the Draytek you'll need a route pointing to the Meraki subnet (192.168.48.0/22) with as next hop the Meraki MX's address on the /30 subnet.

Make sure you also open up all firewalls accordingly. That means, the draytek, the MX, but also the endpoints (servers sometimes restrict pinging to their own subnet).

0 Kudos
In response to BrechtSchamp
CiscoInstaller
Here to help
‎Nov 27 2019 7:08 AM
‎Nov 27 2019 7:08 AM

Apologies for omitting that info - yes it is a MX100 in use.

 

We have this configured pretty much as suggested:

  • Meraki has its own direct internet connection.
  • Draytek has its own direct internet connection.
  • LAN 2 on the Draytek is configured with an IP address on the old LAN (172.31.109.0/22)
  • LAN 3 on the Draytek is configured with an IP address on the new LAN (192.168.48.0/22)
  • There is a static route configured on the MX100 for the wireless subnet (192.168.65.0/24) to direct traffic to the LAN 3 IP address on the Draytek.
  • There is a static route configured on the router for the old LAN for the wireless subnet (192.168.65.0/24) to direct traffic to the LAN 2 IP address on the Draytek.
  • The MX100 is configured to communicate directly to the old LAN subnet through a VLAN added to one of its LAN ports.
  • With LAN 3 disconnected I can (obviously) no longer ping the Meraki subnet, but reliably ping all resources in the old LAN subnet.
  • With both LAN 2 and LAN 3 connected to the Draytek I can successfully ping servers in the new Meraki LAN, but not servers in the old LAN.
  • Weirdly, with both LAN 2 and LAN 3 connected to the Draytek, I can intermittently ping servers if I am running a constant ping from the server in question to the Draytek, but without the constant ping cannot get ping responses.
  • Also, slightly weirdly - I can ping the main router in the old LAN location with both LAN 2 and LAN 3 connected, even when I cannot ping the servers in this subnet.

I'm guessing this is routing related to the way the Cisco MX100 is setup but am unsure as to what I am missing.

0 Kudos
In response to CiscoInstaller
BrechtSchamp
Kind of a big deal
‎Nov 27 2019 8:10 AM
‎Nov 27 2019 8:10 AM

If I understand correctly you have both the draytek as well as the MX connected to the old and new VLANs? I think this will cause issues, as both may be doing DHCP and may be routing for the networks. Imo it's better to have one router dedicated to each subnet and interconnect the routers for the communication in between the two VLANs.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.