Core Stack Default Gateway Situation

JoshRans
Here to help

Hi all,

Hopefully I can find a solution or confirmation on here 🙂

I have recently installed 2 stacked Cisco Meraki MS425-16 core switches with 30 edge switches. The switches are on a 'management' VLAN range and I have a 3rd-party ASA router that needs to be on a /30 'internet breakout' range.

What should the cores' gateway be? I am unable to set the ASA as the default gateway on the core switches as they are on a different range. I normally point my edge switches to the core stack as the gateway and use the router as the gateway on the cores, as they're normally on the same range.

I tried to add my core switches to another range where I have a Smoothwall web filter, and added the Smoothwall as the gateway, which then points back to the core stack as its gateway, but this also did not work.

Connecting a 4G router on the same management range and setting this as the default gateway for the cores works, but this is not ideal.

Any help or advice would be much appreciated.

Josh

1 Accepted Solution
JoshRans
Here to help

Case solved, thanks all.

The 3rd-party provider finally changed us to a /29 after advising this is the only solution. My cores are now on this range with the router as the gateway.

14 Replies
PhilipDAth
Kind of a big deal

There are two switch IP addresses to consider here.

https://documentation.meraki.com/MS/Layer_3_Switching/MS_Layer_3_Switching_and_Routing#Notes_regardi...

The first is the management IP, which is used to talk to the Meraki cloud. In your case, this should go into the management VLAN with the ASA as the next hop.

Then you have the layer 3 interfaces used for routing. More than likely your ASA should also have an interface in a VLAN in the main data VLAN, and the default gateway on the Meraki switch should point to this. Some people like to use a stub network between the data network and the ASA.

Here is a sample walkthrough.

https://documentation.meraki.com/Architectures_and_Best_Practices/MX_and_MS_Basic_Recommended_Layer_...

JoshRans
Here to help

Thank you Philip.

I will continue further in the morning.

Here is my current Routing & DHCP setup: https://gyazo.com/e0b18684d39f9b11e646243c357c5b5b

Just to confirm, which IP address range should the core switches be on please? Sorry, it is just the first situation where my next hop has been on another range to the core devices.

Regards,

Josh

Nash
Kind of a big deal

@JoshRans We usually do a dedicated VLAN and subnet between the firewall and our core switches, as in the basic recommended L3 topology. It doesn't matter what your firewall is here.

I've had this configuration recommended directly to me by folks who work at Meraki, too.

On that document, you'll see that "vlan 50" is used with a subnet of 192.168.50.0/30. They use a /30 mask because they need 1 IP for the firewall and 1 IP for the Meraki switch. VLAN 50 isn't used for anything else.

Could you try setting up a dedicated VLAN like this in your environment, to connect between your switch and the ASA?

JoshRans
Here to help

@Nash Thank you Nash.

For this case, I have 2 core switches and only 2 available hosts are provided on the /30. Therefore I cannot IP both switches on this range along with the router and VLAN interface IP.

Unfortunately the 3rd-party provider will not give us more IP addresses.

Nash
Kind of a big deal

Well, that's a simple solution then: increase your subnet size to a /29 or whatever gets you enough IPs for your purpose.

Edit: @JoshRans I hit post too soon.

You shouldn't need to worry about a third-party provider, unless someone else manages that ASA. Your traffic here is private between the ASA and your Meraki kit.

JoshRans
Here to help

@Nash That is my problem: we do not manage the ASA and they will not make it a /29 to give us a few more addresses.

It seems like they cannot give me a /29 because it will conflict with their other services. I have however requested a new /29 range from them; hopefully this can be done, as it seems like the only solution.

Thanks very much!

cmr
Kind of a big deal

@JoshRans didn't you say you stacked them? You will then just have one IP on the VLAN on the core switch stack and the other on the ASA LAN port.

We do this as @Nash described, with a 'firewall' VLAN that only exists between the core and the edge.
JoshRans
Here to help

@cmr I have 5 interfaces on the core stack as shown in my Gyazo screen capture. I am wondering what IP address and gateway should be applied to each of my 2 core switches.

Thank you

Josh

cmr
Kind of a big deal

@DarrenOC you have done multiple full-stack Meraki installs, you must have come up against this?
DarrenOC
Kind of a big deal

Skimming through this, I'm assuming we're talking about the management VLAN? As a stack, each switch will require an IP address in the management VLAN with its dfg being the firewall.

As mentioned by cmr, we've done numerous installs with this setup.
JoshRans
Here to help

Hi @DarrenOC and thanks guys.

Yes, my core switches are on the management range but the firewall is on the /30 internet breakout range.

I have also done plenty of Meraki installs, but the firewall is normally on the management range with the switches.

Regards,

Josh

Nash
Kind of a big deal

Good job, third party provider! I am glad they saw reason. 

Brons2
Building a reputation

I have a stack of MS425s with a /30 out to an external network; it works fine so long as you assign it to the SVI and not the physical member switches. Set the /30 on a VLAN interface that is different from all your switch interconnects, and put in a static route for 0.0.0.0 to the router on the other side of the /30 external link.

If your Internet connection devices are set active/passive it will work on a single IP on the other side too; at least, with my firewall vendor it does.

For the internal switch interconnects, the SVI should act as the internal router/gateway. Getting to the next level is then taken care of by the 0.0.0.0 static route to the device on the other side of the /30.
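The two points the thread turns on, that the /30 on the transit VLAN is owned by the stack's SVI (so a two-member stack needs only one address there, with the per-member management IPs living in the management VLAN), and that a static default route's next hop has to sit inside a subnet the switch actually has an interface on, can be checked in a few lines. The script below is an added example written for this page, not code from the thread, from Meraki or from Cisco; it uses Python's standard `ipaddress` module, the 192.168.50.0/30 on VLAN 50 that Nash quotes from the Meraki design document, and a constructed 10.0.0.0/24 management VLAN. It models the configuration as posted (SVI only in the management range, gateway on the unconnected /30) beside the recommended one (dedicated transit VLAN carrying the /30), and works out the smallest prefix a given number of switches would need if they were not stacked.

```python
"""Addressing and default-route sanity check for a Meraki MS core stack that
sits behind a third-party router on a small transit subnet.  Added example;
the 10.0.0.0/24 management VLAN and device names below are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

IPv4Network = ipaddress.IPv4Network
IPv4Interface = ipaddress.IPv4Interface
IPv4Address = ipaddress.IPv4Address


@dataclass
class L3Device:
    """A routing device: named interfaces (address + prefix) and static routes."""
    name: str
    interfaces: Dict[str, IPv4Interface] = field(default_factory=dict)
    static_routes: List[Tuple[IPv4Network, IPv4Address]] = field(default_factory=list)

    def connected(self) -> List[IPv4Network]:
        return [intf.network for intf in self.interfaces.values()]

    def route_problems(self) -> List[str]:
        """A static route's next hop must lie inside a subnet this device has an
        interface on; a next hop on any other range is unreachable from here."""
        return [
            f"{self.name}: next hop {nh} for {dest} is not on a connected subnet "
            f"(connected: {', '.join(map(str, self.connected()))})"
            for dest, nh in self.static_routes
            if not any(nh in net for net in self.connected())
        ]


def hosts_needed(stack_members: int, stacked: bool) -> int:
    """Addresses the transit VLAN must hold: one for the router, plus one SVI for
    a stack (an SVI belongs to the whole stack) or one per unstacked switch.
    Per-member management IPs live in the management VLAN, not here."""
    return 1 + (1 if stacked else stack_members)


def smallest_prefix(hosts: int) -> int:
    """Longest prefix whose usable host count, 2^(32-p) - 2, covers `hosts`.
    Starts at /30: a /31 point-to-point link is not assumed to be supported."""
    for plen in range(30, 15, -1):
        if 2 ** (32 - plen) - 2 >= hosts:
            return plen
    raise ValueError("too many hosts for a transit link")


def plan_transit(transit: str, stack_members: int, stacked: bool) -> Dict[str, IPv4Interface]:
    """Hand out addresses on the transit subnet, first usable to the router,
    or raise naming the prefix that would have fit."""
    net = IPv4Network(transit)
    usable = list(net.hosts())
    need = hosts_needed(stack_members, stacked)
    if len(usable) < need:
        raise ValueError(f"{net} has {len(usable)} usable hosts, need {need}; "
                         f"smallest fit is /{smallest_prefix(need)}")
    names = ["core-stack"] if stacked else [f"core-{i + 1}" for i in range(stack_members)]
    return {name: IPv4Interface((addr, net.prefixlen))
            for name, addr in zip(["router"] + names, usable)}


def scenarios() -> Tuple[L3Device, L3Device]:
    """Two constructed core-stack configurations: the one described in the
    question (SVI only in the management VLAN, gateway on the unconnected /30)
    and the recommended one (dedicated transit VLAN 50 carrying the /30)."""
    default = IPv4Network("0.0.0.0/0")
    mgmt = IPv4Interface("10.0.0.2/24")      # constructed management VLAN address
    asa = IPv4Address("192.168.50.1")        # router's side of the /30

    broken = L3Device("core-stack (as posted)",
                      interfaces={"vlan10-mgmt": mgmt},
                      static_routes=[(default, asa)])

    plan = plan_transit("192.168.50.0/30", stack_members=2, stacked=True)
    fixed = L3Device("core-stack (transit VLAN)",
                     interfaces={"vlan10-mgmt": mgmt, "vlan50-transit": plan["core-stack"]},
                     static_routes=[(default, plan["router"].ip)])
    return broken, fixed


if __name__ == "__main__":
    for dev in scenarios():
        print(dev.name, "->", dev.route_problems() or "OK")
    print("unstacked pair would need a /%d" % smallest_prefix(hosts_needed(2, stacked=False)))
```

Run stand-alone, the script flags the as-posted stack (its only connected subnet is 10.0.0.0/24, so 192.168.50.1 is unreachable as a next hop) and passes the transit-VLAN version, and reports that the same two switches left unstacked would need a /29, which is the situation the provider ended up solving. The check is deliberately topology-agnostic: it does not matter whether the far side is an ASA, a Smoothwall or a 4G router, only that the next hop is on a subnet the stack has an SVI in.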
