Routing issue MS220 <-> MX250

MerakiAdminGE
New here


Hi all,


I have a very simple setup that doesn't work and I don't know why.

 

MX250 with the following VLANS:

VLAN 1 (Clients) Interface IP: 192.168.20.1 Uplink yes VPN mode yes
VLAN 10 (Server) Interface IP: 192.168.10.1 Uplink yes VPN mode yes
VLAN 40 (Printer) Interface IP: 192.168.40.1 Uplink yes VPN mode yes

 

DHCP is configured in MX250 for all networks.

 

MS220 Switch has an IP from VLAN 1 (DHCP)
The MS220 switch is connected via the MX250 port 3 (copper):
Type: Trunk
Native VLAN 1
Allowed VLAN: 1, 10, 40
(link is active)

MS220 Uplink Port 48 (copper)
Type: Trunk Native VLAN default 1
Allowed VLANS: all
(link is active)

RSTP: Enable
STP guard: Disable
UDLD: Enforce


My printer is connected to the MS220 switch port 1 (link is active)
Type: Access
Policy: Open
VLAN: default - 1
RSTP: Disable
STP: BPDU guard
UDLD: Alert only

PoE: Disable

The printer receives an IP address from VLAN 1 (DHCP).

My laptop is connected to the Wifi. Wifi is configured on the MX250. SSID runs in NAT mode: Use Meraki DHCP.
Firewall & traffic shaping: Outbound rule configured with any any.

 

The MR34 access points all have an IP address from VLAN 1 and connected to MX250.


The Issue:
The printer cannot be reached via ping. Not from my laptop (wifi), not from the switch, not from the MX.

 

If I connect the printer directly to the MX250 (VLAN1), the ping works from my laptop. But not from the switch.

Ping from laptop to Switch IP works. Ping from Laptop to Interface IP VLAN 1 IP works.
Ping from Switch to Interface VLAN 1 IP works.

 

I hope someone can help me. Thanks 🙂

KarstenI
Kind of a big deal

The SSID in NAT mode is by design not allowed to reach the internal network. If you want internal communication, you likely want to use bridge mode.

But that doesn't explain that it's not working from the switch and MX. There are some packet captures needed to see how far the packets go.

ShenzouX
Here to help

What firmware are you using on the switch?  Is it above 17.x?  If so you won't be able to use any port above 24 to uplink to the MX as the firmware breaks them as uplink ports.

 

Try using port 1 on the switch to uplink back to your MX250 then everything downstream that is plugged into the switch should work ok.

 

Or call Meraki support and have them pin the switch to firmware version 16.9.

MerakiAdminGE
New here

The Current MS Switch version is MS 17.1.4

Interesting point. I will test it. Thank you.
But that doesn't explain why I can ping the VLAN 1 gateway on the MX from the switch?
It's just weird. I won't be back on site until Wednesday. I'll test it then.

 

@Karsten
I have set firewall rules that allow communication between Meraki Cloud (NAT mode) and internal.

 

ShenzouX
Here to help

Trust me, I know it doesn't make any sense, but that will fix it - I currently have a lab setup and have been able to replicate the same odd behavior on 2 separate MS220 48 port switches on firmware 17.1.4. You can ping the switch from the MX and you can ping the MX from the switch, but anything else downstream that is plugged into the switch is just dead in the water unless you use one of the first 24 ports as the uplink to the MX.

It's clearly a bug in the firmware version.

MerakiAdminGE
New here

Man if that's true, I'll send you a beer 😃

Last question. But why does the printer get its IP via DHCP when the uplink is not working?
No matter, I will test port 1 as uplink on Wednesday and will give an update 👍
