MR36 clients could not communicate with wired clients, or vice versa.

Solved
Richard_Kalaw
Just browsing

Hi All,


Greetings. My MR36 wireless clients could not communicate with wired clients.


Steps tried.


MS120 Switches

1. Disabled port isolation on the MS120 POE interface.

2. ACL removed DENIED rules.

3. ACL Any Any Allowed

4. Disabled RSTP Guard

5. Port set to trunk


MR36

1. ACL removed DENIED rules.

2. ACL Allowed local LAN

3. ACL Any Any Allowed


Wired VLANs can communicate with other wired VLANs, but wired VLANs cannot communicate with wireless VLANs, or vice versa; the wireless clients have internet connections, except when communicating with wired.

Thank you in advance

Head of Information Security | CISO | CCNA R&S
Pathcutters Philippines Inc / AffordableStaff
1 Accepted Solution

6.0.0.0/8 is going to cause you issues. It's used by US DoD and also some internal functions within Meraki. Bottom line is you should not be using that subnet.


Aside from that I can ping from your MX and APs to anything in 10.10.10.0 and 17.17.17.0. Your switches use some other public IP range that isn't any internal network so that can't ping anything internal and I'm unclear what your topology is.


I don't see any MS ACLs, MR ACLs, MX L3 FW rules, or GP FW rules denying traffic. So, at this point for traffic between VLAN 10 and 17 I'd have to assume this is a client side issue as I see nothing at the infrastructure layer blocking it or failing to ping.


What happens if you place a switchport on VLAN 10 and another on VLAN 17, connect a wired client to each, and try pinging between them?

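As an added check (not from the thread, the poster's config, or Meraki's own tooling), this script audits the subnets quoted in the thread for non-RFC 1918 addressing and flags anything inside 6.0.0.0/8, the block the accepted answer says to avoid; the VLAN labels in the sample input are assumptions.

```python
import ipaddress

# RFC 1918 private blocks; anything outside them is globally registered address space.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# The block the accepted answer says to avoid (used by US DoD and internally by Meraki).
MERAKI_AVOID = ipaddress.ip_network("6.0.0.0/8")

# Constructed sample input: the subnets quoted in the thread. The labels are assumptions.
THREAD_SUBNETS = {
    "VLAN 10 wireless": "10.10.10.0/26",
    "VLAN 17 wireless": "17.17.17.0/26",
    "wired": "6.1.0.0/24",
}


def audit_subnet(cidr: str) -> dict:
    """Classify one CIDR: is it RFC 1918 space, and does it fall inside 6.0.0.0/8?"""
    net = ipaddress.ip_network(cidr, strict=False)
    rfc1918 = any(net.subnet_of(block) for block in RFC1918)
    return {
        "subnet": str(net),
        "rfc1918": rfc1918,
        # overlaps() is symmetric, so it also catches a VLAN configured wider than /8
        "overlaps_6_slash_8": net.overlaps(MERAKI_AVOID),
    }


def audit(subnets: dict) -> list:
    """Return one finding per subnet that is not RFC 1918, in label order."""
    findings = []
    for label in sorted(subnets):
        result = audit_subnet(subnets[label])
        if result["rfc1918"]:
            continue
        reasons = ["not RFC 1918 private space"]
        if result["overlaps_6_slash_8"]:
            reasons.append("inside 6.0.0.0/8, which the accepted answer says not to use")
        findings.append({"label": label, "subnet": result["subnet"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit(THREAD_SUBNETS):
        print(f"{finding['label']:18} {finding['subnet']:18} " + "; ".join(finding["reasons"]))
```

Run against the thread's three subnets it reports both 17.17.17.0/26 and 6.1.0.0/24 as public space, with only the latter also inside 6.0.0.0/8.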

16 Replies
Ryan_Miles
Meraki Employee

I see you have lots of SSIDs, VLANs/subnets. What specific VLAN is this issue occurring on?

Richard_Kalaw
Just browsing

For a specific one, VLAN 10 communicating to VLAN 60 and vice versa. But all of my wireless VLANs could not communicate with wired VLANs. I can ping the gateway of the wireless VLANs but not the clients.

Head of Information Security | CISO | CCNA R&S
Pathcutters Philippines Inc / AffordableStaff

If they are Windows clients it could be the Windows firewall.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Yes, we are in a Windows environment. But whenever I plugged the laptop in wired, it could communicate with other wired VLANs but still could not communicate with wireless VLANs. Even my Android phones could not communicate with wired VLANs.

Head of Information Security | CISO | CCNA R&S
Pathcutters Philippines Inc / AffordableStaff
Ryan_Miles
Meraki Employee

Can you ping all your networks that aren't 6.x.x.x IPs?


Wireless VLANs to wireless VLANs cannot ping either.

Head of Information Security | CISO | CCNA R&S
Pathcutters Philippines Inc / AffordableStaff

Can you give a specific example of a source and destination IP that cannot ping each other? 6.0.0.0/8 IPs are going to cause you issues. I can tell you that much.

Richard_Kalaw
Just browsing

10.10.10.0/26 to 6.1.0.0/24 and vice versa, even for 10.10.10.0/26 to 17.17.17.0/26 (wireless VLAN to wireless VLAN).

Head of Information Security | CISO | CCNA R&S
Pathcutters Philippines Inc / AffordableStaff

PhilipDAth
Kind of a big deal

The first thought that comes to mind is - Windows Firewall. Have you tried disabling it on the wired target you are trying to ping?


Is the SSID in bridge mode?

https://documentation.meraki.com/MR/Client_Addressing_and_Bridging/SSID_Modes_for_Client_IP_Assignme...

Yes, despite Windows Firewall being disabled, all kinds of wireless clients (Windows laptops, Android, Mac, etc.) could not communicate with wired VLANs. And yes, the SSID is in bridge mode with Layer 3 roaming enabled.


Still no good.

Head of Information Security | CISO | CCNA R&S
Pathcutters Philippines Inc / AffordableStaff

They're all bridged mode/L3 roaming, which by the way isn't a valid or needed config, as each SSID only maps to a single VLAN.


L3 with one VLAN doesn't do anything.

Based on that, go for the simpler config of just layer 2 bridged mode with no roaming.

You know, if you're an ISO 27001 company, a simple/flat network will not get you qualified.


Head of Information Security | CISO | CCNA R&S
Pathcutters Philippines Inc / AffordableStaff

That's not what anyone is suggesting. Distributed Layer 3 roaming is meant for when an SSID is configured to use AP tags mapped to VLANs. For example, per-building or per-floor subnets that will have clients roaming between them.


Having an SSID configured for L3 roaming but only mapped to one VLAN doesn't do anything. Clients are only ever on the single VLAN mapped to that SSID.


https://documentation.meraki.com/Architectures_and_Best_Practices/Cisco_Meraki_Best_Practice_Design/...


And with that said, that was just an observation I made of your config. That would not be a reason clients cannot ping each other.


At this point I'd recommend you open a Support case and do some real time troubleshooting with a Meraki engineer.

I already sent a ticket about this; no solution was provided despite a pcap file already being sent for them to analyze.

Head of Information Security | CISO | CCNA R&S
Pathcutters Philippines Inc / AffordableStaff