Hopefully I can find a solution or confirmation on here 🙂
I have recently installed 2 stacked Cisco Meraki MS425-16 core switches with 30 edge switches. The switches are on a 'management' VLAN range and I have a 3rd-party ASA router that needs to be on a /30 'internet breakout' range.
What should the cores' gateway be? I am unable to set the ASA as the default gateway on the core switches as they are on a different range. I normally point my edge switches to the core stack as the gateway and use the router as the gateway on the cores, as they're normally on the same range.
I tried to add my core switches to another range where I have a smoothwall webfilter, added the smoothwall as the gateway which then points back to the core stack as its gateway but this also did not work.
Connecting a 4G router on the same management range and setting this as the default gateway for the cores works, but this is not ideal.
Any help or advice would be much appreciated.
There are two switch IP addresses to consider here.
The first is the management IP which is used to talk to the Meraki cloud. In your case, this should go into the management VLAN with the ASA as the next hop.
Then you have the layer 3 interfaces used for routing. More than likely your ASA should also have an interface in the main data VLAN, and the default gateway on the Meraki switch should point to this. Some people like to use a stub network between the data network and the ASA.
Here is a sample walkthrough.
Thank you, Phillip.
I will continue further in the morning.
Here is my current Routing & DHCP setup https://gyazo.com/e0b18684d39f9b11e646243c357c5b5b
Just to confirm, which IP address range should the core switches be on please? Sorry, it is just the first situation where my next hop has been on another range to the core devices.
I've had this configuration recommended directly to me by folks who work at Meraki, too.
On that document, you'll see that "vlan 50" is used with a subnet of 192.168.50.0/30. They use a /30 mask because they need 1 IP for the firewall, and 1 IP for the Meraki switch. VLAN 50 isn't used for anything else.
Could you try setting up a dedicated VLAN like this in your environment, to connect between your switch and the ASA?
@Nash Thank you, Nash.
For this case, I have 2 core switches and only 2 available hosts are provided on the /30. Therefore I cannot IP both switches on this range along with the router and vlan interface IP.
Unfortunately the 3rd party provider will not give us more IP addresses.
Well, that's a simple solution then: Increase your subnet size to a /29 or whatever gets you enough IPs for your purpose.
Edit: @JoshRans I hit post too soooon.
You shouldn't need to have to worry about a third party provider, unless someone else manages that ASA. Your traffic here is private between the ASA and your Meraki kit.
@Nash That is my problem, we do not manage the ASA and they will not make it a /29 to give us a few more addresses.
It seems like they cannot give me a /29 because it will conflict with their other services. I have however requested a new /29 range from them, hopefully this can be done as it seems like the only solution.
Thanks very much!
@cmr I have 5 interfaces on the core stack as shown in my Gyazo screen capture. I am wondering what IP address and gateway should be applied to each of my 2 core switches.
Skimming through this, I'm assuming we're talking about the management VLAN? As a stack, each switch will require an IP address in the management VLAN with its DFG being the firewall.
As mentioned by cmr, we've done numerous installs with this setup.
Hi @UCcert, and thanks, guys.
Yes, my core switches are on the management range, but the firewall is on the /30 internet breakout range.
I have also done plenty of Meraki installs, but the firewall is normally on the management range with the switches.
I have a stack of MS425s with a /30 out to an external network, it works fine so long as you assign it to the SVI and not the physical member switches. Set the /30 on a VLAN interface that is different from all your switch interconnects, and put in a static route for 0.0.0.0 to the router on the other side of the /30 external link.
If your Internet connection devices are set active/passive, it will work with a single IP on the other side too; at least, with my firewall vendor it does.
For the internal switch interconnects, the SVI should act as the internal router/gateway. Getting to the next level is then taken care of by the 0.0.0.0 static route to the device on the other side of the /30.
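The addressing rules behind the whole thread (the /30 only has two usable hosts, a next hop must be on-link via an interface in the same subnet, and a stack shares one SVI rather than one address per member) can be checked before anything is typed into the dashboard. The following Python script is an added example, not code from the original thread or from Meraki; the subnets, VLAN ids and addresses in it are constructed to mirror the two designs discussed above (per-member IPs on the /30, versus one stack SVI on the /30 plus a 0.0.0.0/0 static route), and the management-gateway choice for the members is an assumption, not something the thread specifies.

```python
"""Sanity-check the addressing of an L3 switch stack: per-member management IPs,
stack-wide SVIs, and static routes whose next hops must be on-link."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Member:
    name: str
    mgmt: ipaddress.IPv4Interface        # per-switch management IP (cloud traffic)
    mgmt_gateway: ipaddress.IPv4Address  # next hop used by that management IP


@dataclass
class Stack:
    members: list
    svis: dict = field(default_factory=dict)           # vlan id -> IPv4Interface, one per stack
    static_routes: dict = field(default_factory=dict)  # IPv4Network -> next-hop IPv4Address


def on_link_via(stack, address):
    """VLAN id of the SVI whose subnet contains `address`, or None if no SVI is on that link."""
    address = ipaddress.ip_address(address)
    for vlan, svi in stack.svis.items():
        if address in svi.network:
            return vlan
    return None


def validate(stack):
    """Return a list of problems; an empty list means the addressing is consistent."""
    problems = []
    # A member's management gateway must sit inside that member's management subnet.
    for m in stack.members:
        if m.mgmt_gateway not in m.mgmt.network:
            problems.append(f"{m.name}: gateway {m.mgmt_gateway} is outside {m.mgmt.network}")
    # Every static route needs an on-link next hop, i.e. an SVI in the same subnet.
    for prefix, next_hop in stack.static_routes.items():
        if on_link_via(stack, next_hop) is None:
            problems.append(f"route {prefix} -> {next_hop}: next hop is not on any SVI subnet")
    # Each SVI subnet must have room for the SVI itself, every member address placed
    # in it and every next hop that lives in it; a /30 has only two usable hosts.
    for vlan, svi in stack.svis.items():
        claimed = {svi.ip}
        claimed |= {m.mgmt.ip for m in stack.members if m.mgmt.ip in svi.network}
        claimed |= {nh for nh in stack.static_routes.values() if nh in svi.network}
        usable = len(list(svi.network.hosts()))
        if len(claimed) > usable:
            problems.append(
                f"vlan {vlan}: {len(claimed)} addresses needed in {svi.network}, only {usable} usable")
    return problems


def egress_vlan(stack, destination):
    """VLAN a packet to `destination` leaves on: a connected SVI wins, otherwise the
    longest-matching static route's next hop decides (the default route matches last)."""
    destination = ipaddress.ip_address(destination)
    direct = on_link_via(stack, destination)
    if direct is not None:
        return direct
    matches = [(p, nh) for p, nh in stack.static_routes.items() if destination in p]
    if not matches:
        return None
    _, next_hop = max(matches, key=lambda pn: pn[0].prefixlen)
    return on_link_via(stack, next_hop)


def attempted_design():
    """Constructed: both members and the SVI squeezed onto the /30 next to the ASA."""
    asa = ipaddress.IPv4Address("192.168.50.1")
    return Stack(
        members=[Member("core-1", ipaddress.IPv4Interface("192.168.50.2/30"), asa),
                 Member("core-2", ipaddress.IPv4Interface("192.168.50.3/30"), asa)],
        svis={50: ipaddress.IPv4Interface("192.168.50.2/30")},
        static_routes={ipaddress.IPv4Network("0.0.0.0/0"): asa},
    )


def working_design():
    """Constructed: members keep management IPs in VLAN 10 (gateway assumed to be the
    stack's own VLAN 10 SVI), one stack SVI takes the /30, and a default route points
    at the ASA on the far side of that /30."""
    mgmt_gw = ipaddress.IPv4Address("10.0.0.1")
    return Stack(
        members=[Member("core-1", ipaddress.IPv4Interface("10.0.0.11/24"), mgmt_gw),
                 Member("core-2", ipaddress.IPv4Interface("10.0.0.12/24"), mgmt_gw)],
        svis={10: ipaddress.IPv4Interface("10.0.0.1/24"),     # management VLAN
              20: ipaddress.IPv4Interface("10.0.20.1/24"),    # data VLAN
              50: ipaddress.IPv4Interface("192.168.50.2/30")},  # /30 towards the ASA
        static_routes={ipaddress.IPv4Network("0.0.0.0/0"): ipaddress.IPv4Address("192.168.50.1")},
    )


if __name__ == "__main__":
    for label, design in (("attempted", attempted_design()), ("working", working_design())):
        print(label, validate(design) or "OK")
    print("8.8.8.8 leaves via vlan", egress_vlan(working_design(), "8.8.8.8"))
```

Running it reports the attempted design's single defect (three addresses claimed in a two-host /30) and an empty problem list for the working design, where Internet-bound traffic resolves through the default route to VLAN 50 while data-VLAN traffic stays on its own SVI. Extending `svis` and `static_routes` with a real site's values is the only change needed to reuse the check.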