How can I make a VLAN see another VLAN? (MX64)

Solved
Vbrites
Getting noticed

Hello!

 

I have a Meraki MX64 and I've just started to separate my network into VLANs. However, I would like to know how I can make VLAN A able to talk to VLAN B.

For example:

- my NAS needs to be in a different VLAN from the productivity Macs so I can block external access to the NAS; however, I want the "PRODUCTION VLAN" to be able to access my NAS.

I think that one solution would be to make the Macs part of the two VLANs. But I don't like this idea, since it seems to be more a bad alternative than an intelligent solution.

13 Replies 13
RaphaelL
Kind of a big deal

Hi,

Please refer to this documentation to create VLANs on an MX: https://documentation.meraki.com/MX/Networks_and_Routing/Configuring_VLANs_on_the_MX_Security_Applia...

By default, inter-VLAN routing is enabled and there are no firewall rules blocking the traffic. You might need to check that also: https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Using_Layer_3_Firewal...

Vbrites
Getting noticed

Thank you for your help!

 

RaphaelL, I've already created a layer 3 allow rule, but this was not able to allow the communication between the two VLANs. The rule that I created was this:

 

outbound: 
ALLOW -> any protocol -> 10.0.1.0/24 (vlan A) -> any protocol -> 192.168.0.0/24 (vlan B) -> any port
ALLOW -> any protocol -> 192.168.0.0/24 (vlan B) -> any port -> 10.0.1.0/24 (vlan A) -> any port

 

Until now, VLANs are not being allowed to see computers in other VLANs, unless COMPUTER X belongs to the same VLAN as COMPUTER Y.

alemabrahao
Kind of a big deal

It's probably the Windows firewall; try disabling the Windows firewall.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
alemabrahao
Kind of a big deal

And ensure that you configured the default gateway in your NAS network settings.

Vbrites
Getting noticed

It's not Windows, it's a Mac. 😞

 

I created the Vlans already, and created the firewall layer 3 outbound rule to allow communication between those subnets through any protocol, but it's still not working. What did I miss? 

ww
Kind of a big deal

Check whether the gateway of the NAS and the client is the correct gateway IP (the MX VLAN IP), like @alemabrahao suggests.

Also let us know what protocol is used for this session, and how you access it: by name or by IP?

Vbrites
Getting noticed

My friend, I forgot to tell you. My setup has a manageable switch without layer 3.

My Macs are connected to a switch and then the switch is connected to the Meraki. Maybe this is the problem. Is there a configuration that I need to do? Maybe the switch is not routing the packets correctly between VLANs.

alemabrahao
Kind of a big deal

Yes, definitely, because you have to create the VLANs on the switch and then configure the VLANs on the ports, but your switch is not capable of doing that.

alemabrahao
Kind of a big deal

It's a layer 2 issue. I suggest you read some articles.

 

https://www.geeksforgeeks.org/virtual-lan-vlan/

Vbrites
Getting noticed

Actually, my switch allows VLAN creation, but not routing. Its model is SG220-26. The physical port is configured as a trunk and allows all VLANs as tagged. Is there anything else that I need to do?

alemabrahao
Kind of a big deal

Have you created the VLANs on the switch? Have you configured the access VLAN on the ports that the clients are connected to? Is the switch configured as an L3 switch or an L2 switch? Can you share the switch configuration?

alemabrahao
Kind of a big deal

 

Look at this example:

The MX is the router, so on the L2 switch you just need to create the VLANs, then configure a trunk port between the MX and the switch, and the access ports for your hosts on the target VLAN.

 

 

Topologia Lógica - Localidades.jpg

Vbrites
Getting noticed

Thank you very much for your extreme proactivity in helping me!

Well, I found the problem. The Mac and switch configurations were OK, but I found out that Macs have problems with inter-VLAN connections because they kind of lose DNS direction when dealing with multiple subnets, since they use the Bonjour protocol. So the solution was to enable "Bonjour Forwarding" for every VLAN and every service on the Meraki dashboard!!!

"Bonjour forwarding enables interVLAN communication between Bonjour devices and applications on your LAN. Natively, Bonjour functions on a single subnet; Bonjour forwarding removes this limitation by forwarding the multicast DNS traffic between the client and service VLANs as needed."

https://documentation.meraki.com/MX/Other_Topics/Configuring_Bonjour_forwarding_for_the_MX_Security_...

Well, the problem is solved. But I still wonder if adding other DNS configs to every individual Mac could also solve this problem. Thank you everybody!
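An added example, not written by any poster in this thread or by Meraki, modelling why the allow rules quoted above let a client reach the NAS by IP while Bonjour browsing still fails: mDNS queries go to 224.0.0.251, which routers do not forward between subnets. Only the two subnets come from the thread; the host addresses, the service type `_smb._tcp.local` and all function names are constructed for illustration.

```python
import ipaddress
import struct

MDNS_GROUP = "224.0.0.251"                             # mDNS IPv4 group, UDP 5353 (RFC 6762)
LOCAL_CONTROL = ipaddress.ip_network("224.0.0.0/24")   # routers never forward this block (RFC 5771)

# The two subnets quoted in the thread; the host addresses used below are constructed.
VLANS = {"A": ipaddress.ip_network("10.0.1.0/24"),
         "B": ipaddress.ip_network("192.168.0.0/24")}


def vlan_of(addr):
    """Name of the VLAN whose subnet contains addr, or None."""
    ip = ipaddress.ip_address(addr)
    return next((name for name, net in VLANS.items() if ip in net), None)


def routed_between_vlans(src, dst):
    """Would a default-allow L3 gateway without an mDNS gateway carry src -> dst to another VLAN?"""
    if ipaddress.ip_address(dst) in LOCAL_CONTROL:
        return False                      # link-local multicast stays on the sender's VLAN
    s, d = vlan_of(src), vlan_of(dst)
    return None not in (s, d) and s != d


def mdns_ptr_query(service):
    """Wire format of the DNS-SD browse question a Bonjour client multicasts for a service type."""
    labels = service.rstrip(".").split(".")
    qname = b"".join(bytes([len(part)]) + part.encode("ascii") for part in labels) + b"\x00"
    header = struct.pack("!6H", 0, 0, 1, 0, 0, 0)        # id 0, flags 0 (query), one question
    return header + qname + struct.pack("!2H", 12, 1)    # QTYPE PTR, QCLASS IN


def diagnose(client, nas):
    """Return (reachable_by_ip, discoverable_by_mdns, verdict) for a client/NAS pair."""
    c, n = vlan_of(client), vlan_of(nas)
    if c is not None and c == n:
        return True, True, "same VLAN: mDNS reaches the NAS directly"
    if not routed_between_vlans(client, nas):
        return False, False, "no L3 path: check gateways and firewall rules first"
    by_mdns = routed_between_vlans(client, MDNS_GROUP)
    return True, by_mdns, "IP path works; discovery needs an mDNS gateway (Bonjour forwarding)"


if __name__ == "__main__":
    print(diagnose("10.0.1.20", "192.168.0.10"))
    print(mdns_ptr_query("_smb._tcp.local").hex())
```

The same split applies on a live network: if the NAS answers at its IP address from the other VLAN but does not appear when browsing by name, the L3 rules are fine and only the multicast discovery traffic is being contained.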
