MS425 Stack won't get DHCP Address

SOLVED
jwwork
Getting noticed

Today I completed a cutover from our Cisco 6509 core to a 4 switch 425 stack.  During initial configuration I had the 425 stack connected to an outside DSL that it was getting an IP address on in vlan 1.  I now want them to ultimately have an IP in vlan 2 set statically (no DHCP on vlan 2).  When I change the management IP settings the switches show an error a few minutes later saying they are using a DHCP address on vlan 1 instead of the assigned static IP.  I also tried just setting the management IP to use DHCP in a vlan on our internal network but I get the same message.  Once I disconnect that DSL connection the switches disconnect from the dashboard.  This switch stack does all our layer 3 routing and all my existing Cisco switches on the network have static IPs set in vlan 2 and can ping out to the internet just fine.  Any ideas?

1 ACCEPTED SOLUTION
jwwork
Getting noticed

So I discovered that with using the firewall as the gateway DNS requests were not being routed back to my internal DNS servers.  Using external DNS servers has got it working.  I think when I tried using external DNS the first time I didn't wait long enough for the error to clear.


PhilipDAth
Kind of a big deal

If you apply a new management IP configuration and the switches fail to talk to the Meraki cloud, the switches will try to revert back to what it was before you made the change.

I think this is why it is going back to vlan1.

If you patch a machine into vlan2 does it get access to the Internet ok?  Is there any firewall that might be limiting access?

If you only have Meraki switches in your network you could also configure the network as a whole to use vlan2 for management.  You can find this under:

Switch/Switch Settings

MRCUR
Kind of a big deal

It's been my experience with MS switches that they must tag management packets with whatever management VLAN you specify. So make sure that VLAN 2 isn't the native VLAN on the uplink and that instead it's an allowed VLAN on the trunk.

I just installed an MS120 today that was following a previous MS42 config where the management VLAN was the native VLAN on the uplink and it was not happy until I switched the uplink port's config.

MRCUR | CMNO #12
jwwork
Getting noticed

The native vlan on the network is 1.  The path that the switches would take out to the internet is through a Cisco switch stack and the trunk between the 425's and Cisco allows all vlans.  These are the only Meraki switches on the network currently, everything else is Cisco.  The Ciscos all also have their management in vlan 2 and they can ping out to the internet fine.  I also have my laptop connected to vlan 2 (not direct to the 425's) and it can get to the internet.  I have the site wide management vlan set to 1, I just specified vlan 2 on the individual switches.

MRCUR
Kind of a big deal

Do you see the same behavior if you set the static IPs through the local config pages on the 425's?

MRCUR | CMNO #12
PhilipDAth
Kind of a big deal

When the notebook is connected to vlan2 can it also get a DHCP address and do name resolution fine?

jwwork
Getting noticed

Yes, the behavior is the same if I set the IP info at the local configuration page.

The laptop has a static IP, gateway, and DNS set.  Same as I tried on the 425's (no DHCP in vlan 2).  The laptop can do DNS lookups and get to the internet just fine.

PhilipDAth
Kind of a big deal

What device is acting as the default gateway for vlan2?  A firewall?

The management IP for a switch cannot have a default gateway that is also on the switch itself.  It must point to the next hop upstream - like a firewall.

Ok, maybe that is my problem.  The default gateway for this switch stack is the stack itself; it handles all layer 3 routing on the network.  That would explain why my static IP and DHCP tests didn't work but the DSL connection works, as that uses the DSL modem as the gateway.  I'm not sure what to set the gateway to.

PhilipDAth
Kind of a big deal

Which VLAN on your switches connects towards your firewall?

https://documentation.meraki.com/MS/Layer_3_Switching/MS_Layer_3_Switching_Overview#Notes_regarding_...

"The management IP is treated entirely differently from the layer 3 routed interfaces and must be a different IP address. It can be placed on a routed or non-routed VLAN (such as in the case of a management VLAN independent from client traffic). Traffic using the management IP address to communicate with the Cisco Meraki Cloud Controller will not use the layer 3 routing settings, instead using its configured default gateway. Therefore, it is important that the IP address, VLAN, and default gateway entered for the management/LAN IP still provide connectivity to the Internet.  The management interface cannot have a gateway of its own L3 interfaces."

Thanks!  The firewall inside interface is at 10.X.X.1 and the interface in that vlan on the 425 stack is 10.X.X.2.

PhilipDAth
Kind of a big deal

You have your answer.  The management IP for the MS425 needs a default gateway of 10.x.x.1 and the management IP needs to be from the same VLAN (and needs to be unique so it cannot be 10.x.x.2).

You'll be online shortly!
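As an added illustration (not from the thread, Meraki, or any poster), here is a small Python checker that encodes the management-IP rules quoted above (unique address, gateway must be an upstream hop rather than one of the switch's own L3 interfaces, gateway in the same subnet) together with MRCUR's earlier point that the management VLAN must be a tagged allowed VLAN on the uplink, not the native one. The 10.0.2.x addresses and VLAN numbers are constructed stand-ins for the thread's 10.X.X.x values.

```python
import ipaddress

def check_ms_mgmt_config(mgmt_ip, prefix, gateway, mgmt_vlan, l3_interfaces,
                         uplink_native_vlan, uplink_allowed_vlans):
    """Return a list of problems with a proposed MS management IP config (empty = looks sane).

    l3_interfaces: {vlan: "ip/prefix"} for the switch stack's own routed interfaces.
    uplink_allowed_vlans: VLAN IDs permitted (tagged) on the uplink trunk.
    """
    problems = []
    mgmt = ipaddress.ip_interface(f"{mgmt_ip}/{prefix}")
    gw = ipaddress.ip_address(gateway)
    own_ips = {ipaddress.ip_interface(a).ip for a in l3_interfaces.values()}

    # The management IP is separate from the routed interfaces and must be a different address.
    if mgmt.ip in own_ips:
        problems.append("management IP collides with one of the switch's L3 interfaces")
    # Cloud traffic uses this gateway directly and bypasses the switch's own routing table,
    # so the gateway has to be an upstream hop (the firewall), never the switch itself.
    if gw in own_ips:
        problems.append("gateway is one of the switch's own L3 interfaces")
    if gw == mgmt.ip:
        problems.append("gateway equals management IP")
    if gw not in mgmt.network:
        problems.append(f"gateway {gw} is outside management subnet {mgmt.network}")
    if mgmt.ip in (mgmt.network.network_address, mgmt.network.broadcast_address):
        problems.append("management IP is the network or broadcast address")
    # Management frames are tagged with the management VLAN, so that VLAN must be an
    # allowed tagged VLAN on the uplink rather than the uplink's native VLAN.
    if mgmt_vlan == uplink_native_vlan:
        problems.append(f"management VLAN {mgmt_vlan} is the uplink's native VLAN")
    elif mgmt_vlan not in set(uplink_allowed_vlans):
        problems.append(f"management VLAN {mgmt_vlan} is not allowed on the uplink trunk")
    return problems

# Constructed example mirroring the thread: stack SVI 10.0.2.2/24 in VLAN 2, firewall at 10.0.2.1.
STACK_L3 = {2: "10.0.2.2/24", 10: "10.0.10.1/24"}

def original_attempt():
    # Gateway pointed at the stack's own VLAN 2 interface: this is the failing setup.
    return check_ms_mgmt_config("10.0.2.10", 24, "10.0.2.2", 2, STACK_L3, 1, range(1, 4095))

def working_config():
    # Gateway is the firewall inside interface: no problems reported.
    return check_ms_mgmt_config("10.0.2.10", 24, "10.0.2.1", 2, STACK_L3, 1, range(1, 4095))

if __name__ == "__main__":
    print("original attempt:", original_attempt())
    print("working config:", working_config())
```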

I will change them on Monday and let you know.  Thanks for all the help!

That worked a little.  I now have them online with static IP addresses in that same vlan and using the firewall as the gateway.  I pointed them to my internal DNS servers and they went green for a minute but then went back to orange saying DNS misconfigured.  I tried using Google public DNS servers as well but got the same error.  There should be nothing blocking them from using Google DNS servers at the moment.

PhilipDAth
Kind of a big deal

One step forward @jwwork.

You should be able to use either external or internal DNS without issue (as long as the firewall allows it and can route it for you).

Just to be crystal clear; the switch management IP addresses are now in the same VLAN as a firewall interface.  Correct?

If you check the local status page does it definitely report the correct VLAN, and does it also have the same "DNS" error or does it mention some other error?

Does the firewall show any traffic/flows coming from the switch management IP addresses (you might have to wait a while to see this when they are not working as they will back off)?

Does the firewall ARP cache show the IP addresses of the switches?

Correct, the switches now have static IPs in the same VLAN as the firewall inside interface.  I am offsite and don't have VPN access at the moment.  I will check the local status pages on Tuesday.
