Network Migration

HDupuis
Here to help


Hi,

 

Long time lurker, first time poster.

 

I’m managing a site where I need to decommission an old router and migrate to a new network. Here is the situation.

The router to remove is a Cisco 800 that is not owned by our organisation. Since it’s not owned by us, we cannot modify its configuration. Here are the actual and desired situations:

 

Actual:

  • Cisco 800
  • No VLAN
  • Subnet 10.17.6.0/24
  • GW: 10.17.6.30

Desired:

  • Meraki MX84
  • VLAN 1
  • Subnet: 10.3.0.1/23
  • GW: 10.3.0.1

I want to do the migration gradually and ideally in production because there are many services that have hard coded IP addresses that I’m not necessarily aware of.

 

In case one service fails, I want to be able to roll back that particular service to the old address instantly.

I would also like to avoid physically reconnecting devices to specific ports, as there are many unmanaged switches spread around the building.

 

My first idea was to create a second gateway handled by the new router in the old range, to do the routing between subnets, as depicted below. However, I can’t figure out how to properly do the routing between subnets, as Meraki does not allow multiple subnets in the same VLAN. To circumvent this, I thought about adding a temporary router and putting static routes between the two, but without success.

 

HDupuis_0-1693121776967.png

 

My 3 questions are:

  • Is this the best way to do the migration?
  • If so, how can I configure the routes between the 2 Merakis?
  • Would my life be easier if I had a layer 3 switch?

 

Many thanks in advance.

DarrenOC
Kind of a big deal

Hi @HDupuis, I think you’re overthinking and overcomplicating this. What if you installed the new MX with the same flat network as you currently have? This way nothing is affected, no changes etc., so service as normal. Now that you have control of the network, you can discover the network and migrate at your leisure.

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
DarrenOC
Kind of a big deal

Your network isn’t complicated/complex as it stands. Just slide the new MX in and you’re done.  If it doesn’t work you just put the old router back in.

GIdenJoe
Kind of a big deal

As you have already said, there are many unmanaged switches in the building, which means you cannot for the moment use VLANs to switch between the old and the new network, because if you wanted to do that you would have to change all the devices that are connected to unmanaged switches at the same time.

 

Also the lack of config changing on the old router means you have no choice but to make 2 VLAN interfaces on the MX (MX84 = end of sale so I hope it's a different model if it is new) and take both addresses and disconnect the old router.

 

You will need to cheat a bit on the VLAN side to have both VLANs bleed into the same VLAN on your switch and unmanaged switches. Make sure you have two ports on your MX that are each in ACCESS mode, where one has the old VLAN and the other one has the other VLAN. However, they will both have to connect to the switch on ports that are also in ACCESS mode but in the same VLAN. This way both VLAN interfaces of the router will bleed into, for example, VLAN 1 on your switches, and then you can just start modifying the endpoint IP configuration and test reachability.

HDupuis
Here to help

Thanks all for your answers. Yes, I thought about swapping in the new MX configured exactly like the other on a flat network, but it does not solve the next step, which is to gradually migrate the devices to the new subnet (10.17.6.0/24 -> 10.3.0.0/23).

 

@GIdenJoe That's exactly what I was trying to achieve yesterday, however, I wasn't using this port configuration (I tried almost everything BUT this), I ended up making loops (I presume) that would crash the whole network.

 

I will try your configuration ASAP and let you know. I summarize it as this; is my understanding ok?

HDupuis_0-1693143148425.png

 

And no the MX84 isn't new, and I'm aware that at some point, lots of traffic will be going thru the temporary link.

 

I'll let you know the results.

GIdenJoe
Kind of a big deal

Looks ok, but I see you are using a second MX. That is certainly valid, but if you need reachability between those networks then you'll need a separate routing subnet between both MXes. You could do this all on one MX instead and save the extra configuration.

 

 

You shouldn't have any loops since you are using access ports on the MX(es) and different VLAN interfaces on the MXes, which will prevent packets from looping over the MX(es).

HDupuis
Here to help

My bad, did not revise before posting. Here is the updated topology:

HDupuis_0-1693148762795.png

 

GIdenJoe
Kind of a big deal

Yes that's the one you should definitely try.  Let us know how it goes!

HDupuis
Here to help

Hi. So I tried this configuration; here is how it goes: I ran a continuous ping to google.com on the server and PC2. It looks like they are fighting each other: when PC2 gains connectivity, the server loses it, and so on. It goes flip-flopping like this forever.

 

If I put the server port in the switch to Access VLAN 55, everything is fine; however, I would like to avoid that, as this implies physically reconnecting devices to the right ports.

 

Any ideas?

GIdenJoe
Kind of a big deal

It should work unless there is still something else in your network blocking it or the WAN is not working when you replace the old router with the new MX.

 

When you move a PC you should wait for its new IP address, and then you should be able to ping your default gateway (the MX) and see the ARP entry in your ARP table. You should be able to ping your server from the new VLAN. Then after that you can move your server and do the same tests.

 

Always check ARP entries on the end hosts and on the MX to the end hosts to see if they see each other on the switch.

HDupuis
Here to help

Hi @GIdenJoe, I checked the ARP on all devices and the entries were all present. I think I pinpointed the problem: I have an error showing in the switch as soon as I plug in the VLAN 55 access link.

HDupuis_0-1693411656689.png

When I saw that, I disallowed VLAN 55 in the uplink (to prevent having 2 simultaneous links), but that did not solve the problem.

 

My conclusion is that this configuration creates a loop within the router (between the VLANs) and that there is no other solution than to physically migrate the end devices from one VLAN to the other.

 

Is my understanding right?

GIdenJoe
Kind of a big deal

I know what's going on.  I'm sorry I didn't think about this earlier.

The MX uses the same MAC address on both interfaces causing a MAC flap on VLAN 1 on the switch.
You'll have to change the design to two MX devices with a direct link in between them and route between those.
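
The MAC flap described in this reply can be reproduced by replaying learn events through a MAC table, shown here as an added example that is not part of the original thread. The MAC addresses, port names and timings are constructed, and the contrast case assumes a switch that keeps a separate MAC table per VLAN (55 is used only as an example VLAN number).

```python
from collections import defaultdict

# Constructed learn events (time_s, vlan, source_mac, switch_port); the MACs,
# port names and timings are made up. One MX presents the same MAC on two
# access ports that both land in VLAN 1 on the switch.
MX_MAC, SERVER, PC2 = "02:00:00:00:00:01", "02:00:00:00:00:10", "02:00:00:00:00:20"
EVENTS = [
    (0.0, 1, SERVER, "port5"),
    (0.1, 1, MX_MAC, "port1"),   # frame from the MX's first LAN port
    (0.2, 1, PC2, "port7"),
    (0.3, 1, MX_MAC, "port2"),   # frame from the MX's second LAN port
    (0.9, 1, MX_MAC, "port1"),
    (1.4, 1, MX_MAC, "port2"),
    (1.5, 1, SERVER, "port5"),
    (2.0, 1, MX_MAC, "port1"),
]


def find_mac_flaps(events, min_moves=3, window_s=10.0):
    """Replay events through a per-VLAN MAC table; report each (vlan, mac)
    that changed port at least min_moves times within window_s seconds."""
    table = {}                  # (vlan, mac) -> port the MAC was last learned on
    moves = defaultdict(list)   # (vlan, mac) -> [(time, old_port, new_port)]
    for ts, vlan, mac, port in sorted(events):
        key = (vlan, mac.lower())
        old = table.get(key)
        if old is not None and old != port:
            moves[key].append((ts, old, port))
        table[key] = port
    flaps = {}
    for key, hist in moves.items():
        start = 0
        for end in range(len(hist)):            # sliding window over move times
            while hist[end][0] - hist[start][0] > window_s:
                start += 1
            if end - start + 1 >= min_moves:
                ports = sorted({p for _, a, b in hist for p in (a, b)})
                flaps[key] = {"moves": len(hist), "ports": ports}
                break
    return flaps


def split_vlans(events, port="port2", vlan=55):
    """Same traffic, but with one MX-facing switch port in its own VLAN."""
    return [(t, vlan if p == port else v, m, p) for t, v, m, p in events]


if __name__ == "__main__":
    print(find_mac_flaps(EVENTS))               # the MX MAC flaps in VLAN 1
    print(find_mac_flaps(split_vlans(EVENTS)))  # no moves once the VLANs differ
```

Each move repoints the switch's entry for the gateway MAC at the other port, which matches the alternating loss of connectivity reported earlier in the thread.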

HDupuis
Here to help

I tried it this morning, like this:

HDupuis_0-1693415572645.png

 

I was able to successfully ping 10.0.3.1 from the server, but not from PC2 to 10.17.6.96.

 

Is the design ok? I can redo a test.

GIdenJoe
Kind of a big deal

You have a typo in your drawing (10.17.6.0 is a /24, not /23).
You could also for the moment leave the other ports on the MX in access mode since you don't want VLAN 66 to be reachable over the switch and you don't get any other bleedthroughs.

 

If you want to keep the old router, you will have to point the default gateway of the non-migrated endpoints to the temporary MX IP.

 

But the rest seems ok 😉

HDupuis
Here to help

I finally got it to work. I had a typo in the static routes. However, I had to connect a VLAN 1 direct link between the MXes in order for the MX64 to see the devices in the 10.3.0.0/24 range (red square in picture).

 

Here is the final diagram.

 

HDupuis_0-1693421119236.png

 

I'm sure there are optimizations to be done; however, this design seems to work so far.

PhilipDAth
Kind of a big deal

>Would my life be easier if I had a layer 3 switch?

 

Just a managed layer 2 switch that supports VLANs would make life much easier.

BlakeRichardson
Kind of a big deal

Agree with Phil here: a layer 2 switch, so that you can set up VLANs and build the new network side by side.

 

@HDupuis How many client devices are on the existing network?

cmr
Kind of a big deal

The diagram has the existing and new devices all plugged into an MS120.  @HDupuis is that the case and if so, does that not tell you what is on the network?

HDupuis
Here to help

Yes that's the case and yes I see the devices on the client tab.

HDupuis
Here to help

I already have a Layer 2 switch (MS120). This configuration works already, what I am trying to avoid is to physically reconnect the devices to the switch. 

 

To answer your question, I have approximately 200 devices on the network.
