Meraki C9300 Management interface not communicating with endpoints on other subnets.

clopez
Conversationalist


We have a C9300L that is doing L3 routing. Unfortunately it's not set up the way we'd like it to be; it's using a particular internal VLAN as its transit VLAN as well.


i.e. 172.16.100.2 is the VLAN IP and GW for endpoints, but its management IP is 172.16.100.10.


On another VLAN we have a network probe that can communicate with 172.16.100.0/24, but it specifically cannot reach 172.16.100.10 (the C9300 management IP).

Initially the management IP's GW was pointed directly at the upstream firewall, and I thought return traffic was going there and being dropped, but even after changing the GW to its own VLAN IP (172.16.100.2) it is not communicating.

Is this just an issue with that transit VLAN being shared, or is this a quirk of the Meraki-managed C9300s?

I do notice that there is no ARP entry on the core for that IP.


4 Replies
cmr
Kind of a big deal

Having the management interface on a VLAN that has a L3 interface (SVI) is not supported and known to cause issues.  You will need to either delete the SVI for that VLAN or move the management to another VLAN that does not have a L3 interface on the switch. 

If my answer solves your problem please click Accept as Solution so others can benefit from it.
GIdenJoe
Kind of a big deal

At this time the management VRF is being used for the local status page so the "management IP" is on the global routing table of the switch.

To combine this with layer 3 routing you have no other choice, for the time being, than to have the C9300's management be on the uplink SVI that leads to the internet. You cannot use an "internal" IP as management if that switch is doing the L3 routing.

In the future we will have access to loopbacks and VRFs, where the management issue will be better handled.

So to make it concrete, let's look at this example:

[image: GIdenJoe_0-1753360950094.png]

So in this case the first-created SVI on the C9300 will be 10.0.0.2/29, and this one will have the default route 0.0.0.0/0 pointing to 10.0.0.1.
Downstream you can have a second SVI that will be client-serving and will have 10.1.0.1/24.

The management IP of this switch will be 10.0.0.2. You cannot use an IP on a downstream VLAN for management... for now.
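To make the placement rules from the two replies above checkable, here is a small Python script (an added example written for this thread, not from Meraki or from either poster). It encodes cmr's rule that a management IP must not share a VLAN with an SVI, and GIdenJoe's exception that the management IP may be the address of the first/uplink SVI, which it identifies as the SVI whose subnet contains the default-route next hop. The VLAN numbers, the "ok-uplink-svi" / "ok-no-svi" / "unsupported" labels and all addresses are constructed for the example, reusing the 10.0.0.0/29 and 10.1.0.0/24 illustration.

```python
"""Check where a Meraki-managed C9300's management IP sits relative to its SVIs.

Encodes the two rules from the replies above:
  * a management IP on a VLAN that also has an SVI is unsupported, except
  * when the management IP is the address of the first/uplink SVI, i.e. the
    SVI whose subnet contains the default-route next hop.
Every address here is a constructed example (from the reply's 10.0.0.0/29 and
10.1.0.0/24 illustration); nothing is read from a real switch.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Svi:
    vlan: int
    address: str  # e.g. "10.0.0.2/29"

    @property
    def iface(self) -> ipaddress.IPv4Interface:
        return ipaddress.IPv4Interface(self.address)


@dataclass
class Assessment:
    status: str                 # "ok-uplink-svi", "ok-no-svi" or "unsupported"
    uplink_vlan: Optional[int]  # VLAN of the SVI that carries the default route
    findings: List[str] = field(default_factory=list)


def find_uplink_svi(svis: List[Svi], default_next_hop: str) -> Optional[Svi]:
    """The uplink SVI is the one whose subnet contains the default-route next hop."""
    hop = ipaddress.IPv4Address(default_next_hop)
    return next((s for s in svis if hop in s.iface.network), None)


def assess_management_ip(svis: List[Svi], mgmt_vlan: int, mgmt_ip: str,
                         default_next_hop: str) -> Assessment:
    """Classify the management-IP placement as supported or not."""
    ip = ipaddress.IPv4Address(mgmt_ip)
    uplink = find_uplink_svi(svis, default_next_hop)
    mgmt_svi = next((s for s in svis if s.vlan == mgmt_vlan), None)
    result = Assessment("unsupported", uplink.vlan if uplink else None)

    if uplink is None:
        result.findings.append(
            f"default route next hop {default_next_hop} is not on any SVI subnet")

    if mgmt_svi is None:
        # cmr's second option: a management VLAN with no L3 interface on the switch.
        result.status = "ok-no-svi"
        return result

    if uplink is not None and mgmt_svi.vlan == uplink.vlan:
        if ip == uplink.iface.ip:
            # GIdenJoe's layout: management IS the uplink SVI address.
            result.status = "ok-uplink-svi"
        else:
            result.findings.append(
                f"management IP {ip} is on the uplink VLAN {uplink.vlan} but differs "
                f"from the SVI address {uplink.iface.ip}; on the current firmware the "
                f"management IP must be the uplink SVI itself")
        return result

    # Management shares a VLAN with a client-serving (non-uplink) SVI: the case
    # in the original question, where the core ends up with no ARP entry for it.
    result.findings.append(
        f"management VLAN {mgmt_vlan} carries SVI {mgmt_svi.iface} which is not the "
        f"uplink SVI; move management to the uplink SVI or to a VLAN without an SVI")
    return result


if __name__ == "__main__":
    lab = [Svi(10, "10.0.0.2/29"), Svi(20, "10.1.0.1/24")]  # constructed topology
    for vlan, ip in ((10, "10.0.0.2"), (10, "10.0.0.3"),
                     (20, "10.1.0.10"), (30, "10.2.0.5")):
        a = assess_management_ip(lab, vlan, ip, "10.0.0.1")
        print(f"VLAN {vlan:>2} mgmt {ip:<10} -> {a.status}", *a.findings, sep="\n    ")
```

Running it as-is walks the four placements discussed in the thread: management as the uplink SVI address (supported), a separate management IP on the uplink VLAN, a management IP on the client-serving VLAN (the original question's setup), and management on a VLAN with no SVI at all. Feeding it your own SVI list and default route gives a quick pre-check before changing the management VLAN in the dashboard.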

clopez
Conversationalist

Edit: Sorry, I just realized you mentioned the dedicated mgmt port. I was more talking about the switch's internal IP, the one it uses for management traffic, not the status page port (though that would be nice to access internally in an easier fashion).

Thanks for the further info. What I am seeing is two IPs though.

Using your example IPs.

My switch's SVI is at 10.0.0.2.

The dashboard shows 10.0.0.210 as its private IP.

I tried to change the management VLAN to see what would happen, and despite the switch changing IPs properly (I could ping the new IP), and seeing the new IP reach out to DNS and Meraki IPs via our firewall upstream, it went offline and reverted 2 hours later. I guess this is the quirk? Since it's not the primary SVI, it won't work.

I can work around this, I will likely end up placing a secondary monitor/probe on the same subnet so that it can reach the management interface and map the network more accurately.

GIdenJoe
Kind of a big deal

If you're using the container-based CS version, that could still be the case.

Do mind that if you upgrade to native IOS-XE, other rules will apply.
Check here: https://community.meraki.com/t5/Switching/Native-IOS-XE-17-15-3-1-sticky-DHCP-management-IP-issue-wi...
