Meraki

Community

MS425 Stack won't get DHCP Address

Solved
jwwork
Getting noticed
‎Mar 31 2018 3:02 PM
‎Mar 31 2018 3:02 PM

MS425 Stack won't get DHCP Address

Today I completed a cutover from our Cisco 6509 core to a 4 switch 425 stack.  During initial configuration I had the 425 stack connected to an outside DSL that it was getting an IP address on vlan 1.  I now want them to ultimately have an IP in vlan 2 set statically (no DHCP on vlan 2).  When I change the management IP settings the switches show an error a few minutes later saying they are using an DHCP address on vlan 1 instead of the assigned static IP.  I also tried just setting the management IP to use DHCP in a vlan on our internal network but I get the same message.  Once I disconnect that DSL connection the switches disconnect from the dashboard.  This switch stack does all our layer 3 routing and all my existing Cisco switches on the network have static IP's set in vlan 2 and can ping out to the internet just fine.  Any ideas?

0 Kudos
1 Accepted Solution
In response to jwwork
jwwork
Getting noticed
‎Apr 10 2018 3:46 PM
‎Apr 10 2018 3:46 PM

So I discovered that with using the firewall as the gateway DNS requests were not being routed back to my internal DNS servers.  Using external DNS servers has got it working.  I think when I tried using external DNS the first time I didn't wait long enough for the error to clear.

View solution in original post

0 Kudos
19 Replies 19
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Mar 31 2018 5:01 PM
‎Mar 31 2018 5:01 PM

If you apply a new management IP configuration and the switches fail to talk to the Meraki cloud the switches will try and revert back to what is was before you made the change.

 

I think this is why it is going back to vlan1.

 

If you patch a machine into vlan2 does it get access the Internet ok?  Is there any firewall that might be limiting access?

 

If you only have Meraki switches in your network you could also configure the network as a whole to use vlan2 for management.  You can fine this under:

Switch/Switch Settings

Screenshot from 2018-04-01 12-00-19.png

 

0 Kudos
MRCUR
Kind of a big deal
‎Mar 31 2018 5:07 PM
‎Mar 31 2018 5:07 PM

It's been my experience with MS switches that they must tag management packets with whatever management VLAN you specify. So make sure that VLAN 2 isn't the native VLAN on the uplink and that instead it's an allowed VLAN on the trunk. 

 

I just installed an MS120 today that was following a previous MS42 config where the management VLAN was the native VLAN on the uplink and it was not happy until I switched the uplink port's config. 

MRCUR | CMNO #12
0 Kudos
jwwork
Getting noticed
‎Mar 31 2018 5:52 PM
‎Mar 31 2018 5:52 PM

The native vlan on the network is 1.  The path that the switches would take out to the internet is through a Cisco switch stack and the trunk between the 425's and Cisco allows all vlans.  These are the only Meraki switches on the network currently, everything else is Cisco.  The Cisco's all also have their management in vlan 2 and they can ping out to the internet fine.  I also have my laptop connected to vlan 2 (not direct to the 425's) and it can get to the internet.  I have the site wide management vlan set to 1, I just specified vlan 2 on the individual switches.

0 Kudos
In response to jwwork
MRCUR
Kind of a big deal
‎Mar 31 2018 6:24 PM
‎Mar 31 2018 6:24 PM

Do you see the same behavior if you set the static IP's through the local config pages on the 425's?

MRCUR | CMNO #12
0 Kudos
In response to jwwork
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Mar 31 2018 6:45 PM
‎Mar 31 2018 6:45 PM

When the notebook is connect to vlan2 it can also get a dhcp address and do name resolution fine?

0 Kudos
jwwork
Getting noticed
‎Mar 31 2018 8:44 PM
‎Mar 31 2018 8:44 PM

Yes, the behavior is the same if I set the IP info at the local configuration page.

 

The laptop has a static IP, gateway, and DNS set.  Same as I tried on the 425's (no DHCP in vlan 2)  The laptop can do DNS lookups and get to the internet just fine.

0 Kudos
In response to jwwork
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Mar 31 2018 8:47 PM
‎Mar 31 2018 8:47 PM

What device is acting as the default gateway for vlan2?  A firewall?

 

The management IP for a switch can not have the default gateway that is also on the switch itself.  It must point to the next hop upstream - like a firewall.

0 Kudos
In response to PhilipDAth
jwwork
Getting noticed
‎Mar 31 2018 8:51 PM
‎Mar 31 2018 8:51 PM

Ok maybe that is my problem.  The default gateway for this switch stack is the stack itself, it handles all layer 3 routing on the network.  That would explain why my static IP and DHCP test didn't work but why the DSL connection works, that uses the DSL modem as the gateway.  I'm not sure what to set the gateway to.

0 Kudos
In response to jwwork
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Mar 31 2018 9:12 PM
‎Mar 31 2018 9:12 PM

Which VLAN on your switches connects towards your firewall?

0 Kudos
In response to PhilipDAth
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Mar 31 2018 9:15 PM
‎Mar 31 2018 9:15 PM

https://documentation.meraki.com/MS/Layer_3_Switching/MS_Layer_3_Switching_Overview#Notes_regarding_...

 

"The management IP is treated entirely different from the layer 3 routed interfaces and must be a different IP address. It can be placed on a routed or non-routed VLAN (such as in the case of a management VLAN independent from client traffic). Traffic using the management IP address to communicate with the Cisco Meraki Cloud Controller will not use the layer 3 routing settings, instead using its configured default gateway. Therefore, it is important that the IP address, VLAN, and default gateway entered for the management/LAN IP still provide connectivity to the Internet.  The management interface cannot have a gateway of it's own L3 interfaces."

0 Kudos
In response to PhilipDAth
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Mar 31 2018 9:16 PM
‎Mar 31 2018 9:16 PM

This is also a great reference to help you out:

https://documentation.meraki.com/MS/Layer_3_Switching/Layer_3_Switch_Example

0 Kudos
In response to PhilipDAth
jwwork
Getting noticed
‎Mar 31 2018 9:21 PM
‎Mar 31 2018 9:21 PM

Thanks!  The firewall inside interface is at 10.X.X.1 and the interface in that vlan on the 425 stack is 10.X.X.2.

0 Kudos
In response to jwwork
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Mar 31 2018 9:24 PM
‎Mar 31 2018 9:24 PM

You have your answer.  The management IP for the MS425 needs a default gateway of 10.x.x.1 and the management IP needs to be from the same VLAN (and needs to be unique so it can not be 10.x.x.2).

 

You'll be online shortly!

0 Kudos
In response to PhilipDAth
jwwork
Getting noticed
‎Apr 1 2018 12:20 AM
‎Apr 1 2018 12:20 AM

I will change them on Monday and let you know.  Thanks for all the help!

0 Kudos
In response to PhilipDAth
jwwork
Getting noticed
‎Apr 1 2018 11:47 AM
‎Apr 1 2018 11:47 AM

That worked a little.  I now have them online with static IP address in that same vlan and using the firewall as the gateway.  I pointed them to my internal DNS servers and they went green for a minute but then went back to orange saying DNS misconfigured.  I tried using Google public DNS servers as well but got the same error.  There should be nothing blocking them from using Google DNS servers at the moment.

0 Kudos
In response to jwwork
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Apr 1 2018 1:27 PM
‎Apr 1 2018 1:27 PM

One step forward @jwwork.

 

Your should be able to use either external or internal DNS without issue (as long as the firewall allows it and can route it for you).

 

Just to be crystal clear; the switch management IP addresses are now in the same VLAN as a firewall interface.  Correct?

 

If you check the local status page does it definitely report the correct VLAN, and does it also have the same "DNS" error or does it mention some other error?

0 Kudos
In response to PhilipDAth
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Apr 1 2018 1:30 PM
‎Apr 1 2018 1:30 PM

Does the firewall show any traffic/flows coming from the switch management IP addresses (you might have to wait a while to see this when they are not working as they will back off)

 

Does the firewall ARP cache show the IP addresses of the switches?

0 Kudos
In response to PhilipDAth
jwwork
Getting noticed
‎Apr 1 2018 10:56 PM
‎Apr 1 2018 10:56 PM

Correct, the switches now have static IP's in the same VLAN as the firewall inside interface.  I am offsite and don't have VPN access at the moment.  I will check the local status pages on Tuesday.

0 Kudos
In response to jwwork
jwwork
Getting noticed
‎Apr 10 2018 3:46 PM
‎Apr 10 2018 3:46 PM

So I discovered that with using the firewall as the gateway DNS requests were not being routed back to my internal DNS servers.  Using external DNS servers has got it working.  I think when I tried using external DNS the first time I didn't wait long enough for the error to clear.

0 Kudos
Back to the top
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.