Long time lurker, first time poster.
I’m managing a site where I need to decommission an old router and migrate to a new network. Here is the situation.
The router to remove is a Cisco 800 that is not owned by our organisation. Since it's not owned by us, we cannot modify its configuration. Here are the current and desired situations:
I want to do the migration gradually and ideally in production, because there are many services that have hard-coded IP addresses that I'm not necessarily aware of.
In case one service fails, I want to be able to roll back that particular service to the old address instantly.
I would also like to avoid having to physically reconnect devices to specific ports, as there are many unmanaged switches spread around the building.
My first idea was to create a second gateway handled by the new router in the old range, to do the routing between subnets, as depicted below. However, I can't figure out how to properly do the routing between subnets, as Meraki does not allow multiple subnets in the same VLAN. To circumvent this, I thought about putting in a temporary router and adding static routes between the two, without success.
My 3 questions are:
Many thanks in advance.
Hi @HDupuis, I think you're overthinking and over-complicating this. What if you installed the new MX with the same flat network as you currently have? This way nothing is affected, no changes etc., so service as normal. Now that you have control of the network, you can discover the network and migrate at your leisure.
Your network isn’t complicated/complex as it stands. Just slide the new MX in and you’re done. If it doesn’t work you just put the old router back in.
As you have already said, there are many unmanaged switches in the building, which means you cannot for the moment use VLANs to switch between the old and the new network. Because if you wanted to do that, you would have to change all the devices that are connected to unmanaged switches at the same time.
Also, not being able to change the config on the old router means you have no choice but to make 2 VLAN interfaces on the MX (MX84 = end of sale, so I hope it's a different model if it is new), take both addresses and disconnect the old router.
You will need to cheat a bit on the VLAN side to have both VLANs bleed into the same VLAN on your switch and unmanaged switches. Make sure you have two ports on your MX that are each in ACCESS mode, one with the old VLAN and the other with the other VLAN. However, they will both have to connect to the switch on ports that are also in ACCESS mode but in the same VLAN. This way both VLAN interfaces of the router will bleed into, for example, VLAN 1 on your switches, and then you can just start modifying the endpoint IP configuration and test reachability.
Thanks all for your answers. Yes, I thought about swapping in the new MX configured exactly like the other one on a flat network, but it does not solve the next step, which is to gradually migrate the devices to the new subnet (10.17.6.0/24 -> 10.3.0.0/23).
@GIdenJoe That's exactly what I was trying to achieve yesterday; however, I wasn't using this port configuration (I tried almost everything BUT this), and I ended up making loops (I presume) that would crash the whole network.
I will try your configuration ASAP and let you know. I summarize it as this; is my understanding OK?
And no, the MX84 isn't new, and I'm aware that at some point lots of traffic will be going through the temporary link.
I'll let you know the results.
Looks OK, but I see you are using a second MX. That is certainly valid, but if you need reachability between those networks then you'll need a separate routing subnet between both MXes. You could do this all on one MX instead and save the extra configuration.
You shouldn't have any loops, since you are using access ports on the MX(es) and different VLAN interfaces on the MX(es), which will prevent packets from looping over the MX(es).
Hi. So I tried this configuration; here is how it goes: I ran a continuous ping to google.com on the server and PC2. It looks like they are fighting each other: when PC2 gains connectivity, the server loses it, and so on. It goes flip-flopping like this forever.
If I put the server port in the switch to Access VLAN 55, everything is fine; however, I would like to avoid that, as it implies physically reconnecting devices to the right ports.
It should work unless there is still something else in your network blocking it or the WAN is not working when you replace the old router with the new MX.
When you move a PC you should wait for its new IP address, and then you should be able to ping your default gateway (the MX) and see the ARP entry in your ARP table. You should be able to ping your server from the new VLAN. Then after that you can move your server and do the same tests.
Always check ARP entries on the end hosts and on the MX to the end hosts to see if they see each other on the switch.
Hi @GIdenJoe, I checked the ARP on all devices and the entries were all present. I think I pinpointed the problem: I have an error showing in the switch as soon as I plug in the VLAN 55 access link.
When I saw that, I disallowed VLAN 55 on the uplink (to prevent having 2 simultaneous links), but that did not solve the problem.
My conclusion is that this configuration creates a loop within the router (between the VLANs) and that there is no other solution than to physically migrate the end devices from one VLAN to the other.
Is my understanding right?
I know what's going on. I'm sorry I didn't think about this earlier.
The MX uses the same MAC address on both interfaces causing a MAC flap on VLAN 1 on the switch.
You'll have to change the design to two MX devices with a direct link in between them and route between those.
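As an added illustration that is not part of the thread, the small Python model below replays frames through a per-VLAN MAC learning table the way a switch does and flags MACs that keep moving between ports, which is exactly the symptom described above when one MX answers from two VLAN interfaces with one MAC. The MAC addresses, port numbers and frame sequence are constructed, not captured from this network.

```python
from collections import defaultdict

def learn_macs(frames):
    """Replay (vlan, src_mac, ingress_port) tuples through a per-VLAN MAC
    address table and count how often each MAC moves between ports (a
    'MAC flap'). Returns {(vlan, mac): flap_count} for MACs that moved."""
    table = {}                      # (vlan, mac) -> port it is currently learned on
    flaps = defaultdict(int)
    for vlan, mac, port in frames:
        key = (vlan, mac)
        prev = table.get(key)
        if prev is not None and prev != port:
            flaps[key] += 1          # the MAC was just re-learned on another port
        table[key] = port
    return dict(flaps)

def flapping_macs(frames, threshold=2):
    """Return the set of (vlan, mac) that moved ports at least `threshold`
    times, the condition a switch typically logs as a MAC flap."""
    return {k for k, n in learn_macs(frames).items() if n >= threshold}

# Constructed sample: one MX with two VLAN interfaces sharing a single MAC,
# both access ports bleeding into switch VLAN 1 via switch ports 1 and 2.
MX_MAC = "00:18:0a:aa:bb:cc"       # placeholder MAC, constructed
SERVER_MAC = "00:11:22:33:44:01"   # constructed
PC2_MAC = "00:11:22:33:44:02"      # constructed
ONE_MX_FRAMES = [
    (1, SERVER_MAC, 10),
    (1, MX_MAC, 1),    # reply to the server from the old-range interface
    (1, PC2_MAC, 11),
    (1, MX_MAC, 2),    # reply to PC2 from the new-range interface
    (1, MX_MAC, 1),
    (1, MX_MAC, 2),
    (1, MX_MAC, 1),
]

# Constructed sample for the redesign: a second MX with its own MAC serves the
# new range, so every MAC is only ever seen on one switch port.
MX2_MAC = "00:18:0a:dd:ee:ff"      # placeholder MAC, constructed
TWO_MX_FRAMES = [
    (1, SERVER_MAC, 10),
    (1, MX_MAC, 1),
    (1, PC2_MAC, 11),
    (1, MX2_MAC, 2),
    (1, MX_MAC, 1),
    (1, MX2_MAC, 2),
]

if __name__ == "__main__":
    print("one MX  :", flapping_macs(ONE_MX_FRAMES))   # {(1, MX_MAC)}
    print("two MXes:", flapping_macs(TWO_MX_FRAMES))   # set()
```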
I tried it this morning, like this:
I was able to successfully ping 10.0.3.1 from the server, but not from PC2 to 10.17.6.96.
Is the design ok? I can redo a test.
You have a typo in your drawing (10.17.6.0 is a /24, not /23).
You could also, for the moment, leave the other ports on the MX in access mode, since you don't want VLAN 66 to be reachable over the switch and you don't get any other bleedthroughs.
If you want to keep the old router you will have to point the default gateway of the non migrated endpoints to the temporary MX IP.
But the rest seems ok 😉
I finally got it to work. I had a typo in the static routes. However, I had to connect a VLAN 1 direct link between the MXes in order for the MX64 to see the devices in the 10.3.0.0/24 range (red square in the picture).
Here is the final diagram.
I'm sure there are optimizations to be done; however, this design seems to work so far.
The diagram has the existing and new devices all plugged into an MS120. @HDupuis is that the case and if so, does that not tell you what is on the network?
I already have a Layer 2 switch (MS120). This configuration works already, what I am trying to avoid is to physically reconnect the devices to the switch.
To answer your question, I have approximately 200 devices on the network.