Meraki

Community

L3 Switching and the Native VLAN

Solved
Twitch
A model citizen
‎Apr 24 2021 4:36 AM
‎Apr 24 2021 4:36 AM

L3 Switching and the Native VLAN

Good morning everyone. I have a question about layer 3 switching and the management VLAN. We have a switch stack comprised of three MS250-48 switches. I am preparing to move from inter-VLAN routing on the MX to L3 routing on the switch stack.

 

Our current config has the management network in VLAN 1, network 10.0.0.0/22. All network devices have a management IP in this subnet. This is also the subnet that just about all network devices reside in, including all of our servers (WiFi and VoIP have their own VLANs). All VLANs currently reside on the MX100, which is also where all inter-VLAN routing occurs. All of the VLANs will be moving to the switch stack in order to use OSPF to route traffic across our VPLS circuits, including VLAN 1.

 

The screenshot below is from the Layer 3 Switch Example document found here: https://documentation.meraki.com/MS/Layer_3_Switching/Layer_3_Switch_Example

 

There is a statement about switch stacks and the management interface that has me concerned:

 

For switch stacks performing L3 routing, ensure that the management IP subnet does not overlap with the subnet of any of it's own configured L3 interfaces. Overlapping subnets on the management IP and L3 interfaces can result in packet loss when pinging or polling (via SNMP) the management IP of stack members.

 

Twitch_0-1619262729017.png

 

Given that I will be moving VLAN 1 to the switch stack, and since our management addresses also reside in VLAN 1, will there be a conflict between the management IP addresses and the layer 3 interface on the stack? I would think no, considering that there is no overlap in subnets since the management IP addresses reside within VLAN 1, but I also know that in the world of Meraki, things can operate slightly differently than one would expect.

 

My concern is that I will have to create a new management VLAN and touch each device in our network to change it. I do plan on changing the management VLAN as well as the VLANs that the servers, etc., reside in, but there is too much going on to tackle that at the same time as bringing these new circuits online. One thing at a time, right?

 

So, will I need to create a new management VLAN in order to move VLAN 1 to the switch stack, or will there be no conflict with the management IPs and the VLAN 1 layer 3 interface coexisting on the switch stack?

 

Thanks everyone. I really appreciate all of the help and advice I have received from everyone as I figure-out how to make these VPLS circuits work.

 

Cheers!

 

Twitch

 

 

 

0 Kudos
1 Accepted Solution
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Apr 24 2021 2:58 PM
‎Apr 24 2021 2:58 PM

The most important thing is that the management IP has a default gateway that is not the switch itself.  The default gateway for management must point to the upstream device, such as the firewall.

 

If you are not using SNMP, then you can have the switch IP and management IP in the same subnet - just note the proviso about the default gateway.

 

I've done this many times.

View solution in original post

7 Replies 7
cmr
Kind of a big deal
Kind of a big deal
‎Apr 24 2021 10:24 AM
‎Apr 24 2021 10:24 AM

@Twitch unfortunately your fears are correct.  If the management interfaces on the switches in the ms250 stack remain in VLAN 1 then you cannot have a routed interface on VLAN 1 on that switch stack.

 

You only need to move the switches in that stack to have their management interface in a VLAN that is not routed by themselves, all other devices can keep their management interfaces in VLAN 1 for now.

 

While you are at it, why not move them to DHCP and then if you need to change it again, they'll just follow.

If my answer solves your problem please click Accept as Solution so others can benefit from it.
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Apr 24 2021 2:58 PM
‎Apr 24 2021 2:58 PM

The most important thing is that the management IP has a default gateway that is not the switch itself.  The default gateway for management must point to the upstream device, such as the firewall.

 

If you are not using SNMP, then you can have the switch IP and management IP in the same subnet - just note the proviso about the default gateway.

 

I've done this many times.

In response to PhilipDAth
cmr
Kind of a big deal
Kind of a big deal
‎Apr 25 2021 1:58 AM
‎Apr 25 2021 1:58 AM

Great insight @PhilipDAth, I'd always read it that you shouldn't have an interface on that VLAN.  As we have been able to do that at our sites due to how they are set up, but good to know there is the alternative you describe above, thank you.

If my answer solves your problem please click Accept as Solution so others can benefit from it.
In response to PhilipDAth
Twitch
A model citizen
‎Apr 27 2021 4:10 AM
‎Apr 27 2021 4:10 AM

@PhilipDAthThanks for the info. Where do you typically put the management VLAN - on the layer 3 switch, or on the MX?

0 Kudos
In response to Twitch
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Apr 27 2021 3:36 PM
‎Apr 27 2021 3:36 PM

>Where do you typically put the management VLAN - on the layer 3 switch, or on the MX?

 

MX.  You can screw up the internal routing, VLANs, etc and as long as you have a connection to the Internet, you can fix it remotely.

Twitch
A model citizen
‎Apr 27 2021 12:05 PM
‎Apr 27 2021 12:05 PM

One more question for everyone - when you enable layer 3 switching on a stack, that enables it for all of the switches in the stack, correct? So if I enable layer 3 switching for switch 1 in the stack, that turns it on for all three, correct? Or do I need to enable it for the stack separately?

 

 

0 Kudos
In response to Twitch
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Apr 27 2021 12:07 PM
‎Apr 27 2021 12:07 PM

Only one switch does the L3 at a time - the stack master.  So if the stack master fails, the next switch will take over the L3 processing.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.