C9300-M VLAN 1-1000 quirks

GIdenJoe
Kind of a big deal


So, I'm finally on my first rodeo configuring C9300L switches with native Meraki persona.
Since I prefer to use VLAN numbers above 2000 I already had a few fights with dashboard.

As you all know, Meraki has a bizarre way of provisioning VLANs. To be able to use "allowed all", Meraki simply creates every possible VLAN number on their native MS switches, so you don't have to and can simply use Trunk allowed all on your trunk ports.

 

However, since the Catalysts don't waste their CAM/TCAM space, they limit the number of VLANs to 1000 in the current releases and will further limit it to the high 990s according to the firmware info pages.

 

The issue I ran into was that the very first thing I did was set the switch management VLAN (in switch settings) to 2001. Then I wanted to change the trunk ports to the correct VLAN mask, like allow 1,2001-2050. However, dashboard kept yelling at me that VLANs 1-1000, 2001-2050 were in use... but I removed 1-1000...

 

I finally had to first set the management VLAN back to 1 to keep it within the limit before changing my trunk ports to the correct mask. After that I could change the mgmt VLAN back to 2001 and all is rosy. So this story serves everyone who might get into trouble for this.

 

However, I would very much like to urge Meraki to change the behavior on Catalyst switches to how it is actually managed on Catalyst. In Catalyst you have to create your VLANs. By setting the trunk ports to allow all, it will only forward on the created VLANs, so you never run into these strange limitations. Since Meraki has made the VLAN profiles page, this would be the perfect place to create your VLANs and provision them like that onto the switches. Pretty please!
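A pre-flight check for the situation in the post, as an added example that is not part of the original post and not Meraki's or Cisco's code. It assumes, from the thread rather than from any documentation, that the dashboard provisions every VLAN in the uplink trunk's allowed list plus the switch management VLAN, that the switch accepts at most `limit` VLANs (1000 in the firmware discussed here, 995 as the later default), and that a change is only safe if every state it passes through stays within that limit. The `SwitchState`, `check_state` and `plan_changes` names are the example's own; the dashboard's real ordering rules are not spelled out in the thread, so the script checks the states the administrator actually controls, including the management-VLAN-first ordering that caused the trouble above.

```python
"""Pre-flight check for VLAN changes on a Meraki-managed Catalyst 9300.

Added example, not Meraki's or Cisco's code. Assumptions (from the thread,
not from documentation): every VLAN in the uplink allowed list plus the
management VLAN is provisioned on the switch; the switch holds at most
`limit` VLANs (1000 here, 995 from CS17.1.4); a change is safe only if every
intermediate state stays within the limit.
"""
from __future__ import annotations

from dataclasses import dataclass

VLAN_MIN, VLAN_MAX = 1, 4094


def parse_vlan_list(spec: str) -> frozenset[int]:
    """Parse a dashboard-style allowed-VLAN string such as "1,2001-2050".

    "all" expands to every VLAN ID, mirroring the MS behaviour described in
    the thread. Ranges are inclusive; whitespace is ignored.
    """
    spec = spec.strip().lower()
    if spec == "all":
        return frozenset(range(VLAN_MIN, VLAN_MAX + 1))
    vlans: set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo_s, _, hi_s = part.partition("-")
        lo = int(lo_s)
        hi = int(hi_s) if hi_s else lo
        if not VLAN_MIN <= lo <= hi <= VLAN_MAX:
            raise ValueError(f"invalid VLAN range {part!r}")
        vlans.update(range(lo, hi + 1))
    return frozenset(vlans)


def format_vlan_list(vlans: frozenset[int]) -> str:
    """Collapse a set of VLAN IDs into the compact "1,2001-2050" form."""
    ids = sorted(vlans)
    parts: list[str] = []
    i = 0
    while i < len(ids):
        j = i
        while j + 1 < len(ids) and ids[j + 1] == ids[j] + 1:
            j += 1
        parts.append(str(ids[i]) if i == j else f"{ids[i]}-{ids[j]}")
        i = j + 1
    return ",".join(parts)


@dataclass(frozen=True)
class SwitchState:
    """Uplink trunk allowed list (as typed into dashboard) plus management VLAN."""
    allowed: str
    mgmt_vlan: int

    def provisioned(self) -> frozenset[int]:
        # Assumption: the management VLAN is always created on the switch,
        # whether or not the trunk allowed list includes it.
        return parse_vlan_list(self.allowed) | {self.mgmt_vlan}


def check_state(state: SwitchState, limit: int = 1000) -> list[str]:
    """Return the problems with a state; an empty list means it is safe."""
    problems: list[str] = []
    prov = state.provisioned()
    if len(prov) > limit:
        problems.append(
            f"VLANs {format_vlan_list(prov)} in use: "
            f"{len(prov)} exceeds the {limit}-VLAN limit"
        )
    if state.mgmt_vlan not in parse_vlan_list(state.allowed):
        problems.append(
            f"management VLAN {state.mgmt_vlan} is not allowed on the uplink; "
            "the switch would lose dashboard connectivity"
        )
    return problems


def plan_changes(current: SwitchState, target: SwitchState,
                 limit: int = 1000) -> list[SwitchState]:
    """Order a trunk-list change and a management-VLAN change so that every
    intermediate state passes check_state(). Tries trunk-first, then
    management-VLAN-first; raises ValueError if neither is safe."""
    target_problems = check_state(target, limit)
    if target_problems:
        raise ValueError("target itself is invalid: " + "; ".join(target_problems))
    orderings = (
        (SwitchState(target.allowed, current.mgmt_vlan), target),  # trunk first
        (SwitchState(current.allowed, target.mgmt_vlan), target),  # mgmt first
    )
    for path in orderings:
        if not any(check_state(s, limit) for s in path):
            return [current, *path]
    raise ValueError("no single-step ordering keeps the switch within the limit")


if __name__ == "__main__":
    # Constructed scenario matching the post: default 1-1000, target 1,2001-2050 with mgmt 2001.
    for s in plan_changes(SwitchState("1-1000", 1), SwitchState("1,2001-2050", 2001)):
        print(f"allowed={s.allowed!r:<16} mgmt={s.mgmt_vlan:<5} provisioned={len(s.provisioned())}")
```

Run stand-alone, the planner rejects the management-VLAN-first ordering (1-1000 plus 2001 is 1001 VLANs, and the management VLAN is not on the uplink) and returns the trunk-first sequence, which is the order the post arrived at by trial and error. Lower `limit` to 995 to reproduce the later default.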

15 Replies
cmr
Kind of a big deal

@GIdenJoe whilst I agree that the path you had to follow seems far from sensible, I would not want the default to be that you had to provision VLANs on each Meraki switch. Part of the allure of Meraki is that a lot of it just works, and I think although that would be easy for the likes of you and me, it wouldn't be great for the generalists that perform a lot of Meraki management. I do think however it could be an organisation/network-wide setting that could be toggled in the same way that inbound L3 rules and others are enabled/disabled. The feature could be called "Switch VLAN auto creation" and be able to be disabled.

If my answer solves your problem please click Accept as Solution so others can benefit from it.
GIdenJoe
Kind of a big deal

I assumed by mentioning the VLAN profiles feature you would know I meant at least network-wide with an option to do them org-wide 😉 I did however explicitly mention that in my make-a-wish to Meraki 😉

They could also employ an intelligent system where all the access port VLANs are automatically created + the selected management VLAN.

The only 'problem' I see with this approach is onboarding the switch into dashboard, where if it only had VLAN 1 to begin with you would need to use that for the initial bootstrap or have to use the LSP to manually set the mgmt VLAN.

cmr
Kind of a big deal

A new CS17.1.4 stable firmware has been released that, whilst not making the change you requested, does now only allocate VLANs 1-995 by default. It would be interesting to see if it helps your issue?

cmr
Kind of a big deal

On another note, have you enjoyed the shorter boot/reboot times, at least 2 minutes quicker for either by my measurement 😎 Or are you on CS firmware?

GIdenJoe
Kind of a big deal

I'm not ready to go native just yet but I wish they would hurry and get it stable!

cmr
Kind of a big deal

Go on, live a little (and maybe die a lot), you only live once! I've been running it on a test C9300L for a couple of weeks and it does seem generally stable.

rhbirkelund
Kind of a big deal

I think maybe my greatest annoyance with this switch is the fact that for those C9300s that support an NM module, to change the VLAN allow list you need to select all NM types and change it on them, not just the NM that is currently installed in the switch.

LinkedIn ::: https://blog.rhbirkelund.dk/

All code examples are provided as is. Responsibility for code execution lies solely with you.
GIdenJoe
Kind of a big deal

Oh really? That probably has to do with the fact that Catalyst switches with modules contain every possibility in the running config. Since I was dealing with a C9300L in this case I didn't run into this issue.

rhbirkelund
Kind of a big deal

[screenshot]

rhbirkelund
Kind of a big deal

If I want to change the allow list on e.g. the NM-4C module, I can't just change it. I need to reduce the allow list on all modules, to for example 1-10, before I can change the allow list to what I need on the NM-4C module, which is in fact installed, unlike the other modules.

cmr
Kind of a big deal

It does seem mad that IOS-XE still doesn't have some intelligence here.

DOMIN8
Conversationalist

I'm in the same boat here. My Meraki rep sent me a trial 9300L just yesterday (we currently have MS250/350s everywhere) and I can't seem to get this thing to communicate.

 

Our management VLAN is 1001, and on the Meraki switches the allowed VLANs are just listed as "all" and we've never had any issues. The new 9300L doesn't accept "all" as an option.

I've currently set the native VLAN on both the Meraki port and the 9300L port to 1001, and the allowed VLANs as 1-500,1001. The uplink port on the Meraki switch says it's connected and VLANs match, but the 9300L doesn't show any connection at all.

 

Any thoughts?

cmr
Kind of a big deal

@DOMIN8 are you on CS17.1.4 or the IOS-XE beta?

DOMIN8
Conversationalist

I am now as I updated firmware over the weekend.

 

That said, for some reason the switch finally started talking to the rest of the network shortly after I made that post on Friday. Nothing has changed since then; I'm still using 1-500,1001 as the allowed VLANs on both ports.

cmr
Kind of a big deal

Perhaps spanning tree took a bit longer than usual... 🤔
