Configure sw l3

Solved
Thanhhai
Here to help

Configure sw l3

Currently, I receive requests from my superiors to deploy network systems for my company

this is my first time to use SWITCH MS410, please guide me step by step to configure this SW l3 to suit the requirements
Look forward to your help.4147B2EB-09B1-42A6-804D-4464275694AD.png

1 Accepted Solution
PhilipDAth
Kind of a big deal
Kind of a big deal

56 Replies 56
PhilipDAth
Kind of a big deal
Kind of a big deal

This is an example of configuring a layer 3 switch.

https://documentation.meraki.com/MS/Layer_3_Switching/Layer_3_Switch_Example 

Thanhhai
Here to help

@PhilipDAth Thank you very much,

but I find the document you share with me and the page I'm using are not the same.

also I want to ask you, as in the network diagram I drew, I want to use 2 Uplink lines for the L3 switch (Vlan 900, Vlan2900) Vlan 100,200,300 will transfer data with Vlan 900. Vlan 2100,2200,2300 will switch data with vlan 2900. Is it possible.

Bruce
Kind of a big deal

@Thanhhai what you are describing with VLAN 900 connecting only with VLAN 100, 200 and 300, and VLAN 2900 connecting only with VLAN 2100, 2200, 2300, sounds more like what would achieved with VRFs - this is not something that the Meraki switch supports.

 

You may be able to achieve something close to what you want with ACLs on the MS410 - e.g. denying VLAN 100 access to the VLANs you don't want it to communicate with (VLAN 2900, 2100... etc.) - but this will only work if you have no desire whatsoever to communicate between the VLANs,  it won't allow you to dictate the uplink between the switch and router to use, and its not going to force the routing to go through the upstream router.

 

What are you trying to achieve with the separation of the VLANs?

Thanhhai
Here to help

@Bruce thank you for your reply

You mean we can only deny access between VLANs, and all VLANs will be able to transmit data to both 900 and 2900 VLANs, is that correct?

 

I want vlan 2100,2200,2300 can only access internet, not let them get data on data center.

Bruce
Kind of a big deal

@Thanhhai you should be able to achieve blocking access to your data centre and allowing access only to the internet with ACLs on the switch, see https://documentation.meraki.com/MS/Other_Topics/Switch_ACL_Operation and https://documentation.meraki.com/MS/Layer_3_Switching/Configuring_ACLs.

 

If you implement an ACL on VLAN 2100, 2200 and 2300 to deny all traffic to the private networks (10.0.0.0/8, 172.16.0.0/12, etc.) then those VLANs will only be able to access the internet, and not your internal networks (assuming you use private IP addressing for your networks).

 

If you do this there is no need to have the two separate VLANs between the switch and the router, just a single transit VLAN.

Thanhhai
Here to help

@Bruce thank you very much

this is my first time to use SW L3 meraki,
if possible can you guide me step by step how to configure SWl3 according to your own way.

Bruce
Kind of a big deal

The document that Philip referenced previously, and this one, https://documentation.meraki.com/MS/Layer_3_Switching/MS_Layer_3_Switching_and_Routing, provide the information you require on how to configure Layer 3 interfaces - in the document Philip references, it is the Distribution switch.

Thanhhai
Here to help

@Bruce You mean we only need 1 VLAN as the default VLAN to uplink
In the router we will set the ip address for the data center and then routing there.
Next we will configure ALC on vlan 2100,2200,2300 to deny access to the IP address of the data center.

is that correct

Bruce
Kind of a big deal

Yep, you’ve got it 😀

Thanhhai
Here to help

@Bruce can you help me check the configuration,
I have configured as below but the Vlans doesnt have internet,Only VLAN 1 has internet

Thanhhai_0-1606188238877.png

Thanhhai_1-1606188570407.png

 

 

Bruce
Kind of a big deal

Is 10.15.255.254 the IP address of the router that is connecting to the internet?

Thanhhai
Here to help

@Bruce yes,10.15.255.254 is ip address of router, and connecting to the internet

Bruce
Kind of a big deal

Do you have any ACLs configured yet? What default gateway are you giving clients that connect to VLAN 300, for instance?

Thanhhai
Here to help

@Bruce 10.15.255.254 is IP Address of router, 10.15.255.253 is IP ddress of DATA CENTER ( I have routing configured in the router)

 

Thanhhai_0-1606195459092.png

 

Bruce
Kind of a big deal

Start without any ACLs (i.e. have only the default Allow rule). Make sure that you can access the internet from all the VLANs that should have access to it, and likewise make sure all the VLANs that should be able to access the data centre can access it. Once you've got this working then you can apply ACLs. 

 

Your ACLs will likely be Deny ACLs like you have, and will Deny Any Source to the IP subnets that represent the data centre (and potentially any other internal networks) for each VLAN that shouldn't be able to access the data centre. Remember that the IP address of the router (10.15.255.254) is not the IP destination address of the traffic, the IP destination address of the traffic will either be the address or a server in the data centre, or a server somewhere out on the internet.

Thanhhai
Here to help

@Bruce ACL makes me really confusing, could you please guide me specifically on the system that I am building?

Thanhhai_0-1606198360014.png

 

Thanhhai
Here to help

@Bruce I have removed all ACLs (only the default Allow rule)But I still cant connect to the internet from all the VLANs (except VLAN 1)

Please tell me where am I wrong!

Thanhhai_0-1606203565899.png

 

Bruce
Kind of a big deal

What IP address, subnet mask and default gateway are devices on VLAN 300 getting? How is your DHCP server configured?

Thanhhai
Here to help

@Bruce The computer connected to the Vlan 300 receives the IP address 10.15.32.2/19 default gateway 10.15.32.2

Thanhhai_2-1606209298204.png

 

Thanhhai_1-1606208383009.png

 

 

Bruce
Kind of a big deal

The Meraki configuration looks fine.

Can you ping the router’s IP address (10.15.255.254) from VLAN 300?

If no, do you have return routes configured on the router? I.e. something to tell it to reach 10.15.0.0/16 it needs to go via 10.15.255.1?

 

Thanhhai
Here to help

@Bruce you mean we need RIP or OSPF right? I have configured to try both RIP and OSPF, but still no success, I will try with another router

Bruce
Kind of a big deal

No, you can just use static routes on the router. The Meraki MS410 doesn't support RIP, you could do OSPF if the router supports it and if you know what you're doing with OSPF, but the easiest option is to just configure static routes on the router pointing towards the MS410 for the relevant subnets.

Thanhhai
Here to help

@Bruce i have configured static router, and it worked as expected, thank you very much.

Bruce
Kind of a big deal

That’s great @Thanhhai, now you just need to configure the ACLs

Thanhhai
Here to help

@Bruce Currently I havent configured the ACL, I want to ask you a little more, when my computer connects to Vlan 1, I can access the data center, but when connecting to another vlan (eg vlan 300, then can't access the data center, cant ping to the router data center )

router 1: 10.15.15.254

router data center: 10.15.15.253

Vlan 1 ->10.15.15.253 : OK

Vlan 300->10.15.15.254 OK

Vlan 300 ->10.15.15.253 NG

Please help me this problem.

 

Bruce
Kind of a big deal

If you can ping 10.15.15.254 okay, but you can't ping 10.15.15.253, then its the same issue you had before. The device that has the 10.15.15.253 IP address doesn't have a route that tells it how to return traffic to the VLAN 300 subnet.

Thanhhai
Here to help

@Bruce oh that's right ! I forgot that, thank you very much.
i want to ask more about the ACL i have configured the ACL Vlan 300 to 10.15.15.253 but i can still Ping to 10.15.15.253.

Thanhhai_0-1606791433950.png

 

Bruce
Kind of a big deal

Doing a ping uses the ICMP protocol, not the TCP protocol. You'll need to change the Protocol in the ACL to Any. Also, be aware that the ACL will stop traffic from 10.15.32.0/19 to the 10.15.0.0/20 network, not just the 10.15.15.253 IP address.

Thanhhai
Here to help

@Bruce When I want to transfer data between 2 VLANs, how to configure, default ACL is allow but still cant transfer data between VLANs

Bruce
Kind of a big deal

ACLs are processed from the top down, and processing stops when the first match is found. In your example, if you want to block traffic from VLAN 200 (10.15.16.0/20) to VLAN 2300 (10.15.224.0/23) then you'd need an ACL that is Deny IPv4 Any 10.15.16.0/20 Any 10.15.224.0/23 Any Vlan 200.

Thanhhai
Here to help

@Bruce Sorry, I mean, I haven't configured the ACL yet. But VLANs still dont traffic to each other

Bruce
Kind of a big deal

What’re you trying to ping between? If you’ve only got the default ACL it should be working fine. If you’re pinging between Windows hosts then their firewalls may be blocking it.

Thanhhai
Here to help

i am pinging between windows computer vs windows

But when I connect to Vlan 1 the ping is normal.

Bruce
Kind of a big deal

So for example, VLAN 300 to VLAN 1 works, VLAN 2300 to VLAN 1 works, but VLAN 300 to VLAN 2300 doesn’t? 

Thanhhai
Here to help

@BruceI solved the problem, thank you very much,
i want to ask you other problem about AP AR36
I configured the SSID but it doesn't broadcast that SSID

Please help me with this problem

Thanhhai_0-1606967767916.png

Thanhhai_1-1606967794860.png

Thanhhai_2-1606967822614.png

 

 

 

Bruce
Kind of a big deal

@Thanhhai good to hear. I know this is basic, but its a starting points and I just want to check, have you enabled the SSID on the Wireless -> SSIDs page in the Dashboard - it's a drop down below the SSID name.

Bruce
Kind of a big deal

Just noticed it doesn't say (disabled) next to the name, so you should be good there.
So next thing, have you tried to configure the Visibility or Availability under Wireless -> SSID availability?

It should be set as the following for the SSID:

Visibility: Advertise this SSID publicly

Per-AP availability: This SSID is enabled on all APs

Scheduled availability: disabled

Thanhhai
Here to help

@Bruce I think everything is configured normally

Thanhhai_0-1606968852790.png

Thanhhai_1-1606968901730.png

 

Thanhhai
Here to help

@Bruce sorry i have seen the SSID, I have set many similar SSIDs around me,So I was wrong

thank you very much.

Thanhhai
Here to help

oh no @Bruce I still have trouble traffic data between VLANs

Vlan 1 to Vlan 1 Ok

Vlan 300 to 300 NG

Vlan 300 to 1 NG

Vlan 300 to 200 NG(configured ACL, so no problem)

Pls help me

Bruce
Kind of a big deal

If you can’t ping devices in the same VLAN then you’ve enable port isolation (unlikely), put in an ACL that is denying the traffic, or there is something on the client stopping it.

 

If it was working before, and the only thing you’ve changed is ACLs, then I’d make sure your ACLs are defined correctly for the required subnets.

Thanhhai
Here to help

@Bruce  Um, I removed all of the ACLs, and all posts disable port isolation but the same error still occurs

Vlan 1 to Vlan 1 : ok

Vlan 300 to 300 : NG

Vlan 200 to 300 : NG

Another problem is that vlan 300 can connect to the internet but cant ping any website

Thanhhai
Here to help

Thanhhai_0-1606983276225.png

 

Bruce
Kind of a big deal

If you can’t ping between clients on the same VLAN then it’s most likely a client issue. Check the IP addressing on the client (make sure it’s all correct for the VLAN), check the client for firewalls (they may block pings), and try pinging the gateway instead of another client (the gateway will almost always respond).

 

Don’t worry about not being able to ping websites, a lot of websites don’t allow pings, so long as you can connect to the website all is good.

Thanhhai
Here to help

@Bruce but when I connect to VLan 1 everything works fine

Vlan 1 to Van 1 OK

Vlan 1 ping to website OK

Bruce
Kind of a big deal

Best place to start troubleshooting then is connect to, say VLAN 300, make sure you get a valid IP address for VLAN 300 (assuming you’re using DHCP), and then make sure you can ping the gateway for VLAN 300.

Thanhhai
Here to help

@Bruce yes,It is possible to ping from my computer to any default gateway (default of vlan and router)

Bruce
Kind of a big deal

In that case there isn’t any problem with your network, sounds like it’s all operating fine.

Thanhhai
Here to help

thank you very much @Bruce . Looking forward to receiving your help in the future

Thanhhai
Here to help

@Bruce sorry i bother you again,
I heard Meraki has function to restore previously installed SSID, is it correct? can you guide me to do it?
I accidentally deleted the client's SSID that was installed

PhilipDAth
Kind of a big deal
Kind of a big deal

You can't really delete an SSID (there is no option to do that).  You can overwrite it I guess.

 

Did you perhaps disable it?  If so, you can just enable it again.

Thanhhai
Here to help

oh yes @PhilipDAth I have overwritten it, is there any way to restore it

PhilipDAth
Kind of a big deal
Kind of a big deal

\You can look at Organization Settings/Change Log, and look at what the settings were before you changed them.

Thanhhai
Here to help

@PhilipDAth This is what my computer screen shows, I couldn't find what you instructed

Thanhhai_0-1607480531561.png

 

PhilipDAth
Kind of a big deal
Kind of a big deal

You don't have sufficient rights to see the change log.  You'll need to contact an organisation administrator to get the info.

Thanhhai
Here to help

@PhilipDAth yes, i got it. thanks you.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels