Issues with a MS 350

ThomasCci
Here to help


Hi all,

 

I am trying to set up an MS-350 in one of our offices.

 

There is a Cisco ISR router that acts as a DHCP server and a C2960 switch connected to it. 

 

We have a VLAN for LAN traffic, a VLAN for Voice and a VLAN for Wi-Fi (MR33 AP connected to the C2960).

The router has ACLs to prevent Wi-Fi clients from accessing the LAN. Wi-Fi clients get an IP on the 192.168.0.0/24 network; our LAN segment is on 10.0.0.0/8.

 

Here is the ACL on the router

 

access-list 150 remark WLAN pool to internet
access-list 150 deny ip 192.168.0.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 150 permit ip any any

 

I have received an MS-350 and connected it to the C2960. I have set the port on the C2960 as a trunk and I was able to access the MS-350. But we started encountering 2 issues:

 

As soon as I put the uplink between the Meraki and the C2960, all traffic from the Wi-Fi clients was able to access our internal network, which is normally blocked by ACLs on the router.

As soon as I shut down the Meraki switch, traffic stops as intended (Wi-Fi clients can only browse the Internet but not access our LAN segment).

 

I am a bit puzzled by the behavior. I could only think that the uplink is putting all traffic on the native VLAN 1 and then nothing gets filtered anymore by the ACLs, but the C2960 is the only switch that has an uplink to the ISR router, which is the default gateway for all clients.

 

The second issue is that the switch keeps going offline. I have reset it to factory defaults but now it fails to connect to the Meraki cloud, and I get a feeling there might be an issue with STP, as I can see the uplink port generating a lot of messages:

 

Sep 15 14:22:08 Port STP change
Port 1 designated→root
Sep 15 14:22:06 Port STP change
Port 1 disabled→designated
Sep 15 14:22:06 Port status change
port: 1, old: down, new: 1Gfdx
Sep 15 14:22:02 Port STP change
Port 1 root→disabled
Sep 15 14:22:02 Port status change
port: 1, old: 1Gfdx, new: down
Sep 15 12:22:02 Port STP change
Port 1 designated→root
Sep 15 12:22:02 Port STP change
Port 1 disabled→designated
Sep 15 12:22:02 Port status change
port: 1, old: down, new: 1Gfdx
Sep 15 12:21:56 Port STP change
Port 1 root→disabled
Sep 15 12:21:56 Port status change
port: 1, old: 1Gfdx, new: down

 

Any help is greatly appreciated, let me know if you need more info.
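
An added example, not part of the original post and not Meraki tooling: a short Python triage of the event log quoted above that pairs each link-down with the next link-up and checks whether any STP role change falls outside a link bounce. The year and the 15-second settle window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Event log copied from the post above (the dashboard lists newest first).
LOG = """Sep 15 14:22:08 Port STP change
Port 1 designated→root
Sep 15 14:22:06 Port STP change
Port 1 disabled→designated
Sep 15 14:22:06 Port status change
port: 1, old: down, new: 1Gfdx
Sep 15 14:22:02 Port STP change
Port 1 root→disabled
Sep 15 14:22:02 Port status change
port: 1, old: 1Gfdx, new: down
Sep 15 12:22:02 Port STP change
Port 1 designated→root
Sep 15 12:22:02 Port STP change
Port 1 disabled→designated
Sep 15 12:22:02 Port status change
port: 1, old: down, new: 1Gfdx
Sep 15 12:21:56 Port STP change
Port 1 root→disabled
Sep 15 12:21:56 Port status change
port: 1, old: 1Gfdx, new: down"""
# One two-line entry: header line, then "Port N a→b" or "port: N, old: a, new: b".
PAIR = re.compile(r"(\w{3} +\d+ [\d:]{8}) Port (STP|status) change\n"
                  r"(?:Port|port:) (\d+),? (?:old: )?(\w+)(?:→|, new: )(\w+)")

def parse(log, year=2020):  # year is an assumption; the log lines carry none
    """Return (time, port, kind, old, new) tuples, oldest first."""
    events = [(datetime.strptime(f"{year} {t}", "%Y %b %d %H:%M:%S"), int(p), k, o, n)
              for t, k, p, o, n in PAIR.findall(log)]
    return events[::-1]

def link_flaps(events):
    """Pair each link-down with the next link-up: (port, down_time, outage)."""
    flaps, down_at = [], {}
    for ts, port, kind, old, new in events:
        if kind == "status" and new == "down":
            down_at[port] = ts
        elif kind == "status" and port in down_at:
            start = down_at.pop(port)
            flaps.append((port, start, ts - start))
    return flaps

def stp_outside_flaps(events, flaps, settle=timedelta(seconds=15)):
    """STP role changes that no link flap explains (settle window is an assumption)."""
    return [e for e in events if e[2] == "STP" and not any(
        e[1] == port and start <= e[0] <= start + outage + settle
        for port, start, outage in flaps)]
```

On this log, `link_flaps(parse(LOG))` gives two outages on port 1 of 6 s and 4 s, about two hours apart, and `stp_outside_flaps` returns an empty list, so every STP role change here coincides with a physical link bounce.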

DarrenOC
Kind of a big deal

Hi @ThomasCci, sounds like your MS-350 is trying to become the root switch for your network.

 

What is the Bridge Priority of your MS-350?

 

Switch>Configure>Switch Settings

 

Is the Bridge Priority lower than your current Root?

 

If that doesn’t help, try disabling RSTP on the uplink between the MS-350 and the 2960. This way the MS-350 is removed from any STP processing.

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
ThomasCci
Here to help

So I checked on the C2960 and it seems that the Meraki Switch is now root for the LAN segment.

 

The priority of the C2960 is 32798

The priority of the MS is 32768

 

I have changed the priority of the MS from 32768 to 36864 as follows:

 

ThomasCci_0-1600174393488.png

 

The switch is powered off right now so I will report back later.

 

Any idea about the traffic not being filtered properly?

 
