VLANs, routing and connection to Meraki cloud question/advice

Pete_RMOW
Getting noticed

Hi all,

I'm hoping to get some advice on VLANs and routing to the internet.

Background:

We are replacing our core switch, which is currently an older HP ProCurve, with a Meraki MS-425. There are a few bad practices in the current design, but the first phase of the project is to just swap out the HP for the Meraki and keep the config as similar as possible (default route that points to the firewall, IP subnets, VLAN numbers, native VLANs on trunks, etc.).

We have an older firewall (also scheduled to be replaced after this project and a network redesign) that is connected to an access port in VLAN 1 on the HP core switch. A default route on the HP points to the internal IP of this firewall. All VLAN interfaces for the other subnets are set up on the HP core switch, and this switch does our inter-VLAN routing. I can ping the internet (e.g. 8.8.8.8) from any switch in the network (core and access switches) and from end devices connected to these switches.

I've essentially entered this same config into the MS-425. All trunks have native VLAN 1 and allow all VLANs for testing purposes right now. I have connected a couple of MS-350s to the MS-425 and configured their VLAN, a LAN IP in that VLAN, and the gateway as the corresponding VLAN interface IP on the MS-425.

The MS-350 on VLAN 1 can get to the Meraki cloud, but the MS-350s on VLANs 2 and 3 cannot get to the Meraki cloud. I would have thought that setting their gateway to the VLAN interface on the MS-425 (the upstream switch), and having the default route on the MS-425 pointing to the FW, would allow internet access, but I might be missing something here.

Example of config:

MS-425 core switch
  VLAN 1 interface   172.16.1.1/24
  VLAN 2 interface   10.0.2.1/24
  VLAN 3 interface   10.0.3.1/24
  Default route      0.0.0.0 0.0.0.0 172.16.1.254 (the firewall)

  LAN IP    172.16.1.2
  VLAN      1
  Gateway   172.16.1.254
  DNS       8.8.8.8

All links to access switches are trunks with native VLAN 1, allowing all VLANs (for testing).

MS-350 that can connect to the Meraki cloud (access switch)
  LAN IP    172.16.1.10
  VLAN      1
  Gateway   172.16.1.1
  DNS       8.8.8.8

MS-350 #1 that cannot connect to the Meraki cloud (access switch)
  LAN IP    10.0.2.10
  VLAN      2
  Gateway   10.0.2.1
  DNS       8.8.8.8

MS-350 #2 that cannot connect to the internet (access switch)
  LAN IP    10.0.3.10
  VLAN      3
  Gateway   10.0.3.1
  DNS       8.8.8.8


Any advice or help would be greatly appreciated.

2 Replies
PhilipDAth
Kind of a big deal

It sounds to me like the firewall (172.16.1.254) does not have static routes for 10.0.2.0/24 and 10.0.3.0/24 via 172.16.1.1.

My next guess is around the management IP and the layer 3 VLAN IP address on the MS350s in VLAN 2 and VLAN 3. The management IP is what the switch uses to talk to the Meraki cloud. It will default to using DHCP on VLAN 1. The layer 3 VLAN IP is only used for routing. The MS350s in VLAN 2 and VLAN 3 don't need a layer 3 VLAN interface. Check out:

https://documentation.meraki.com/MS/Layer_3_Switching/MS_Layer_3_Switching_Overview#Notes_regarding_...

My next guess is the firewall does not have access rules to allow 10.0.2.0/24 and 10.0.3.0/24.

My next guess is the firewall does not have NAT rules to allow 10.0.2.0/24 and 10.0.3.0/24.
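
The first and last of the checks above are the ones that bite most often when a new L3 core is dropped in front of an existing firewall: the forward path works (the core's default route reaches the firewall, and the firewall has a default route to the WAN), but the reply to a host in 10.0.2.0/24 or 10.0.3.0/24 has no route back to 172.16.1.1 and is sent to the firewall's own default route instead, while a VLAN 1 host keeps working because 172.16.1.0/24 is directly connected to the firewall. The following Python model is an added example, not code from the thread or from Meraki; it uses the addresses posted above, assumes a hypothetical WAN next hop of 203.0.113.1 for the firewall, and treats a host outside the firewall's NAT policy as unreachable. It models routing only, so it says nothing about the trunk/access port change reported later in the thread.

```python
"""Forward/return path check for the lab described in the thread.

Tiny longest-prefix-match router model (constructed for this example) that
reproduces the asymmetric-routing failure: VLAN 1 hosts reach the internet,
VLAN 2/3 hosts do not until the firewall has routes back via the core.
Addresses come from the thread; 203.0.113.1 (WAN next hop) is assumed.
"""
from ipaddress import ip_address, ip_network

# Each table: list of (prefix, next_hop).  next_hop None = directly connected.
CORE_ROUTES = [                          # MS-425 L3 interfaces + default route
    ("172.16.1.0/24", None),
    ("10.0.2.0/24", None),
    ("10.0.3.0/24", None),
    ("0.0.0.0/0", "172.16.1.254"),
]
FW_ROUTES_BROKEN = [                     # firewall only knows its LAN segment
    ("172.16.1.0/24", None),
    ("0.0.0.0/0", "203.0.113.1"),        # assumed WAN next hop (hypothetical)
]
FW_ROUTES_FIXED = FW_ROUTES_BROKEN + [   # static routes back to the core
    ("10.0.2.0/24", "172.16.1.1"),
    ("10.0.3.0/24", "172.16.1.1"),
]
NAT_BROKEN = ["172.16.1.0/24"]           # source prefixes the firewall NATs
NAT_FIXED = NAT_BROKEN + ["10.0.2.0/24", "10.0.3.0/24"]

# Which router owns which next-hop address; anything else is "the internet".
OWNERS = {"172.16.1.1": "core", "10.0.2.1": "core", "10.0.3.1": "core",
          "172.16.1.254": "fw"}


def lookup(routes, dst):
    """Longest-prefix match: next hop for dst (None = connected), or raise."""
    dst = ip_address(dst)
    best = None
    for prefix, nh in routes:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1]


def trace(tables, start, dst, max_hops=8):
    """Hop list for dst starting at router `start`.

    Last element is 'delivered' (dst on a connected network of the final
    router), 'internet' (handed to a next hop no modelled router owns),
    'no-route' or 'loop'.
    """
    hops, router = [start], start
    for _ in range(max_hops):
        try:
            nh = lookup(tables[router], dst)
        except LookupError:
            return hops + ["no-route"]
        if nh is None:
            return hops + ["delivered"]
        router = OWNERS.get(nh, "internet")
        hops.append(router)
        if router == "internet":
            return hops
    return hops + ["loop"]


def reachability(fw_routes, nat_sources, src_host, dst="8.8.8.8"):
    """Both directions must work: forward to the WAN and the reply back.

    Hosts in VLANs 1-3 all use the core as their gateway, so every forward
    trace starts at 'core'; the reply arrives from the WAN, so it starts at
    'fw'.  A source the firewall will not NAT never gets a reply either.
    """
    tables = {"core": CORE_ROUTES, "fw": fw_routes}
    fwd = trace(tables, "core", dst)
    if fwd[-1] != "internet":
        return False, f"forward path failed: {fwd}"
    if not any(ip_address(src_host) in ip_network(p) for p in nat_sources):
        return False, f"{src_host} not covered by the firewall NAT policy"
    ret = trace(tables, "fw", src_host)
    if ret[-1] != "delivered":
        return False, f"return path failed: {ret}"
    return True, f"ok: forward {fwd}, return {ret}"


if __name__ == "__main__":
    for label, fw, nat in [("before fix", FW_ROUTES_BROKEN, NAT_BROKEN),
                           ("after fix", FW_ROUTES_FIXED, NAT_FIXED)]:
        for host in ("172.16.1.10", "10.0.2.10", "10.0.3.10"):
            print(label, host, *reachability(fw, nat, host))
```

Before the fix the reply for 10.0.2.10 leaves the firewall toward its WAN next hop, which is the kind of private-prefix traffic a real firewall should drop (verify that it does, rather than forwarding it). When adding the static routes, add explicit access rules for the new subnets as well rather than an any/any, since the core now exposes every VLAN to the firewall's LAN interface.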

Pete_RMOW
Getting noticed

Hi PhilipDAth,

Thanks for your reply. I actually just resolved the issue by changing the port that the FW is connected to into a trunk. What I'm not understanding is why switching the port on the MS-425 to a trunk made things work, when the port type on the FW is still an access port in VLAN 1.

One thing I failed to mention in my original post is that this is currently all set up in a lab (completely separate from the production network). I am using an MX64 as the lab firewall. The production FW is an older SonicWall. I'm trying to lab up as much as possible to test and take any guesswork out come cut-over time.

Static routes were in place on the FW, so that was all good. The 350s don't have L3 routing enabled, so no L3 interfaces are configured. They have a static IP in their respective VLANs 2 and 3, and their gateways are the L3 VLAN interfaces configured on the upstream MS-425 core switch.

Thanks again, appreciate the help.
