Meraki

JonathanClark · ‎Sep 4 2024

Hi All, This may come as a silly question... Is it possible to have a Subnet on the MX while having all other Subnets on the Layer 3 switch? For example: I have VLAN10, 20 & 30 on the Layer 3 switch. I have VLAN 5 (Management) and VLAN 6 (Transit VLAN as per documentation). I have set the static routes up and all works fine. I would like to move VLAN 20 back onto the MX purely for the sake of keeping the firewall rules tidy. The Layer 3 ACLs on the switch do not support GPOs and I would need to place about 60 rules in the list. Or I could just have one neat rule on the MX. What challenges will I face if I move the VLAN onto the MX? Will traffic still be routable or am I missing a key detail here.

Mloraditch · ‎Sep 4 2024

You can do this, we normally keep the MGMT VLAN and isolated VLANs like the one you are describing on the MX for exactly the security reasons you describe.

You may lose some performance on inter vlan traffic as there will be an extra hop to get between VLAN 20 and VLANs 10/30 but it may not be noticeable. That's really going to be dependent on your overall load.

The routing will be fine provided your default route on the L3 is the MX. If it's not you would just have to add static route on the L3 pointing VLAN 20 to the MX.

One thing to note is you will have to move/recreate DHCP for VLAN 20 if the Merakis are handling it. If you have a lot of reservations it can be easier to dump them with the API and reupload that way.

Otherwise I can't think of anything else to note.

JonathanClark · ‎Sep 4 2024

Thank you for your response!

I followed these steps exactly today and for some reason I couldn't ping any device that picked up an IP address from the MX on VLAN20.

L3 Switch had default route to the MX transit VLAN IP.

But no dice.

The switches that were downstream of the L3 switch, on the management vlan which is also configured on the MX. Could ping the VLAN 20 gateway and work perfectly fine. But not a client on VLAN20... I double checked to make sure no ACLs, No Firewall rules were causing an issue and nothing.

I must be missing something.
Do I need a static route on the MX somewhere to point traffic back to these devices?

I can't configure a static route to a subnet thats residing on the MX of course so I'm not really to sure what I am missing.

Mloraditch · ‎Sep 4 2024

You do not need a static route on the MX for VLAN 20 as it exists locally. If you can ping the VLAN 20 gateway remotely my suspicion would be either dhcp is handing out the wrong gateway ip to the devices OR there is a firewall thing you are missing.

It's all Meraki so I'd suggest a quick call to support. They may be able to track it down faster.

ww · ‎Sep 4 2024

Did you add vlan 20 on the trunk between mx and core switch?

Did you remove the static route for vlan20 from the mx to the coreswitch?

Did you remove the vlan 20 svi from the switch?

JonathanClark · ‎Sep 5 2024

Did you add vlan 20 on the trunk between mx and core switch?

-The trunk link between the Core switch (Catalyst-M) C9300X-12Y is tagged on Management Vlan 5 with allowed VLANs 1-1000

Did you remove the static route for vlan20 from the mx to the coreswitch?

Yes, this was a pre-requisite otherwise I was not able to add the Subnet onto the MX

Did you remove the vlan 20 svi from the switch?

Yes, I removed this.

Core switch has one route on it

0.0.0.0/0 next hop of the MXs transit IP address.

Meraki

Community

Can you have multiple Subnets on the MX while using Layer 3 Switching?

Can you have multiple Subnets on the MX while using Layer 3 Switching?