I'm preparing to add a VLAN2 to our network for some servers we will be adding. In preparation for this I was investigating what I would need to do to have our client PCs (VLAN1) communicate with these servers as many of these ports are Access Ports with VLAN1 and a Voice VLAN105.
Assuming VLAN1 is 10.123.0.0/23 and VLAN8 is 10.122.8.0/24.
I have Switch1 Port 4 configured as an Access Port for VLAN1, so I would assume that this port should not be able to communicate with a PC in the address range of VLAN8.
So PC-A which is 10.122.0.69 connects to port 4 on switch 1 and attempts to RDP into PC-B which is 10.122.8.10. I expected my PC to try to find the system with RDP and come back with a failure to connect. I was a bit surprised to be able to connect to the PC through RDP when they should be in different VLANs.
PC-B is connected to port 34 on the same switch which is configured as an Access Port for VLAN8.
What am I missing here? This is a case of something working that I expected not to.
There must be a gateway in between.
If the VLANs have a gateway in the form of a router, firewall or L3 switch, then the packets will be routed between VLANs unless you have ACLs or firewall rules blocking access.
Under Switch >> Configure >> Routing & DHCP I have in fact added interfaces for VLAN1, VLAN2, VLAN8 and VLAN105.
Since these Meraki Switches are L3 capable this is what allows communication across VLANs unless I explicitly set an ACL to block it?
Yes
@Ozzy03260 Something to remember on the Meraki MS switches (which is different to Cisco Catalysts if you're used to them) is that you don't have to create VLANs: the switch will pass traffic on any VLAN out of the box. All you have to do is assign an access port to a VLAN. By default all trunk ports will forward all VLANs, but you can restrict (prune) this to just the VLANs you want. When you create a VLAN interface on the Meraki switch you are essentially creating a gateway (SVI in Catalyst terms) that allows that VLAN/Subnet to communicate with all others. You can then restrict communication between VLANs/Subnets (and even within a VLAN/Subnet) using ACLs.
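The reachability logic described in the replies above (same VLAN is switched, different VLANs are routed only when both sides have an L3 interface, and a first-match ACL then decides), as an added example that is not part of the thread or Meraki's own code. The subnets are taken from the question, the host addresses, VLAN105 range and ACL rows are constructed, and the first-match-then-implicit-allow ACL behaviour is an assumption used to keep the model small.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the switch in the thread (assumed values, not a real device).
SUBNETS = {
    1: ip_network("10.123.0.0/23"),     # client PCs, from the question
    8: ip_network("10.122.8.0/24"),     # new servers, from the question
    105: ip_network("10.122.105.0/24"), # voice VLAN, range assumed
}
# VLANs that have an L3 interface (SVI) under Routing & DHCP; VLAN105 deliberately has none.
SVI_VLANS = {1, 8}

# ACL rows in the style of the dashboard's IPv4 ACL:
# (policy, protocol, src cidr, src port, dst cidr, dst port). First match wins,
# followed by an implicit allow-any (assumption for this model).
ACL_EMPTY = []
ACL_BLOCK_RDP = [
    ("deny", "tcp", "10.123.0.0/23", "any", "10.122.8.0/24", "3389"),
]

def _vlan_of(ip):
    return next((v for v, net in SUBNETS.items() if ip_address(ip) in net), None)

def _port_matches(rule_port, port):
    return rule_port == "any" or int(rule_port) == port

def acl_verdict(acl, proto, src, sport, dst, dport):
    """Return 'allow' or 'deny' for one flow under a first-match ACL."""
    for policy, p, s, sp, d, dp in acl:
        if p != "any" and p != proto:
            continue
        if ip_address(src) not in ip_network(s) or ip_address(dst) not in ip_network(d):
            continue
        if not _port_matches(sp, sport) or not _port_matches(dp, dport):
            continue
        return policy
    return "allow"  # implicit allow at the end of the list (assumption)

def can_reach(src, dst, proto="tcp", sport=50000, dport=3389, acl=ACL_EMPTY):
    """Decide whether src can reach dst through this switch."""
    sv, dv = _vlan_of(src), _vlan_of(dst)
    if sv is None or dv is None:
        return False  # address outside any configured subnet
    if sv == dv:
        return True   # same VLAN: switched at L2, no gateway involved
    if sv not in SVI_VLANS or dv not in SVI_VLANS:
        return False  # no L3 interface on one side: nothing routes between them
    return acl_verdict(acl, proto, src, sport, dst, dport) == "allow"
```

Note that the deny row only covers one direction: the ACL is evaluated per packet, so a flow started from the server VLAN towards port 3389 on a client is still allowed unless a second row covers it.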
Replying to myself: is it because it is VLAN1? If it were, for example, VLAN3 (10.122.3.0), would that matter?
I inherited this network and this is my first real job requiring me to manage a network instead of servers so it is not my area of expertise.
Thank you