1700 clients when I have one physical machine plugged in.

JethroCrates

I found a link to a way to use the MS as a breakout so that I could configure hot spare MXs. That works great. However, the issue I am having is that I am getting an ARP entry from my DMZ'd router for every IP address that my one client connects to. So, it appears as though I have 1700 physical clients on my LAN, when I have one. Deploying this to a userbase of 50 people will create issues I think. This is what I am using for the physical setup, along with the VLANs as access ports.

I've tried numerous tweaks to the switchports, and I still get all of these external ARP entries.

If I NAT, it works fine.

https://docs.google.com/presentation/d/1xsb8imtUFjN13so86kIZ04IR9f6WEKdbpUrYVON64Zg/edit?usp=sharing
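An added check, not from this thread, that flags the symptom described above: it scans a constructed client list of the kind the dashboard shows and counts, per VLAN, the entries whose IP is not a LAN address. On a LAN-side switch such entries only show up when the breakout segment's internet ARP is leaking into the same network. The row layout, sample addresses and threshold are assumptions.

```python
"""Flag dashboard "clients" that are really internet ARP entries.

Constructed sample rows in the shape (description, ip, vlan); the real
export format is not assumed here.
"""
import ipaddress
from collections import Counter

# Constructed sample: two real LAN hosts on VLAN 10, the breakout router on
# VLAN 99, and three internet destinations the one client has talked to.
SAMPLE_CLIENTS = [
    ("laptop-01", "192.168.10.25", 10),
    ("printer", "192.168.10.40", 10),
    ("starlink-router", "192.168.100.1", 99),
    ("", "142.250.72.46", 99),
    ("", "104.16.132.229", 99),
    ("", "13.107.42.14", 99),
]


def is_lan_address(ip: str) -> bool:
    """True for RFC 1918, link-local and loopback addresses (assumed LAN)."""
    addr = ipaddress.ip_address(ip)
    return addr.is_private or addr.is_link_local


def ghost_clients_by_vlan(rows):
    """Count per VLAN the entries whose IP is not a LAN address.

    Returns {vlan: count}; VLANs with no ghosts are omitted.
    """
    ghosts = Counter()
    for _desc, ip, vlan in rows:
        if not is_lan_address(ip):
            ghosts[vlan] += 1
    return dict(ghosts)


def breakout_leak_suspected(rows, threshold=10):
    """VLANs whose ghost count reaches the (assumed) threshold."""
    ghosts = ghost_clients_by_vlan(rows)
    return {vlan: n for vlan, n in ghosts.items() if n >= threshold}


if __name__ == "__main__":
    for vlan, n in ghost_clients_by_vlan(SAMPLE_CLIENTS).items():
        print(f"VLAN {vlan}: {n} non-LAN 'clients' (likely breakout ARP leak)")
```

Run against a real client export, a VLAN whose ghost count is in the hundreds while the real host count stays flat is the breakout leak; after moving the breakout switch to its own network the count should drop to zero.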


3 Replies
cmr

@JethroCrates I have found that you should either have the breakout MS in a separate network, or do as we do and get a cheap unmanaged Cisco switch to use as the breakout switch.  We use Cisco's 5 port Gigabit unmanaged switches and they work perfectly for this basic task.

If my answer solves your problem please click Accept as Solution so others can benefit from it.
JethroCrates

Unfortunately, the unmanaged switch doesn't work for us. This will be deployed to an area where there is no IT presence, and physical access to the network environment is wide open.  Unfortunately, it's Starlink I'm using this for, and Bridge Mode isn't something we want to do.

I do have the breakout configured as a separate VLAN, and all these ARPs are being generated for that separate VLAN.  Am I missing something?

cmr (Accepted Solution)

@JethroCrates you aren't missing anything, but you need to use a dedicated switch for the breakout to not see the ARP entries for the internet.  Create a new network called {site}-breakout and put the switch in there.

If my answer solves your problem please click Accept as Solution so others can benefit from it.