There is a serious lack of blog content on Meraki troubleshooting and experiences from I.T. pros in the world. So I figure why not write one of my own articles? This post is all about one specific problem my colleagues and I had with VLAN tagging on an MX80 and MS22 switch. Thanks to help from Meraki customer support, everything is back up and running as expected.
We are using a single MX80 router with two VLANs configured: VLAN10 on subnet 192.168.10.0/24 and VLAN20 on subnet 192.168.20.0/24. The MX80 LAN port was set to place all untagged traffic on VLAN20, so any frame that arrives from the switch without an 802.1Q tag is treated as VLAN20 traffic. DHCP runs on the MX80, with one scope handing out addresses for each subnet. Connected to the MX80 is one MS22 switch, joined to it by a single trunk port that allows all VLANs. The first half of the MS22's ports are access ports in VLAN10 and the second half are access ports in VLAN20, so the switch tags host traffic from those ports with the matching VLAN before it crosses the trunk.
For some reason, when a host was connected to one of the VLAN10 switch ports, the MX80 ignored the VLAN assignment and handed the host a DHCP address from the VLAN20 scope, which broke the security model for this network. A host on a VLAN10 port should get a DHCP address from the VLAN10 subnet, correct? Well, not exactly. The problem came down to two things acting together:
- The MX80 was configured to put untagged traffic on VLAN20.
- The management VLAN on the MS22 was still at its default of VLAN 1, a VLAN that does not exist on the MX80.
The quick fix was simple: change the management VLAN on the MS22 to VLAN 20, the same VLAN the MX80 already used for untagged traffic.
A more secure option was to configure the following, in this order:
- Configure a static IP address on the MS22 switch. (This must be the first step!)
- Configure the management VLAN on the MS22 switch as VLAN 1.
- Configure the uplink port on the MS22 switch as a trunk port with native VLAN 1.
- Administratively disable the unused ports on the MS22 switch.
- Configure the MX80 LAN port to drop untagged traffic.
With this model, untagged traffic never gets a free ride onto VLAN 20: the unused switch ports are shut down, and anything that still reaches the MX80 without a tag is dropped. So if some yahoo decides to plug an Ethernet cable straight into an unused port on the switch, the traffic is dropped instead of being granted network access via VLAN 20.
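To make the tagging behaviour concrete, here is a small Python model, added for this write-up and not Meraki code, of what an MS22 port does with a host frame on its way to the uplink and what the MX80 does with that frame on arrival. It uses the two VLANs and scopes above. The MAC addresses and frame payload are constructed sample data, and the trunk port with native VLAN 1 used for the "misconfigured" case is an assumed factory-default port setting, not something this post states.

```python
import ipaddress
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

# The two VLANs and DHCP scopes from the post; VLAN 1 deliberately does not exist here.
MX_VLANS = {
    10: ipaddress.ip_network("192.168.10.0/24"),
    20: ipaddress.ip_network("192.168.20.0/24"),
}

# Constructed MAC addresses for the sample frames (not real devices).
HOST_MAC = bytes.fromhex("0211223344aa")
MX_MAC = bytes.fromhex("0211223344bb")


def build_frame(dst, src, payload, vlan=None):
    """Build a minimal Ethernet II frame, inserting an 802.1Q tag when vlan is given."""
    frame = dst + src
    if vlan is not None:
        frame += struct.pack("!HH", ETHERTYPE_8021Q, vlan & 0x0FFF)  # PCP 0, DEI 0, VID
    return frame + struct.pack("!H", ETHERTYPE_IPV4) + payload


def vlan_of(frame):
    """Return the VID carried in the frame's 802.1Q tag, or None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_8021Q:
        return None
    if len(frame) < 16:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF


def strip_tag(frame):
    """Remove the 802.1Q tag if present; untagged frames pass through unchanged."""
    return frame[:12] + frame[16:] if vlan_of(frame) is not None else frame


def add_tag(frame, vlan):
    """Insert an 802.1Q tag for vlan after the source MAC of an untagged frame."""
    return frame[:12] + struct.pack("!HH", ETHERTYPE_8021Q, vlan & 0x0FFF) + frame[12:]


def switch_to_uplink(frame, ingress_port, uplink_native=1):
    """Model an MS port receiving a host frame and forwarding it out the uplink trunk.

    ingress_port is {"type": "access", "vlan": N} or {"type": "trunk", "native": N}.
    Returns the frame as it appears on the uplink (tagged unless it belongs to the
    uplink's native VLAN), or None if the switch drops it.
    """
    vid = vlan_of(frame)
    if ingress_port["type"] == "access":
        if vid is not None:
            return None  # access ports do not accept tagged frames (assumption)
        vid = ingress_port["vlan"]
    elif vid is None:
        vid = ingress_port["native"]
    bare = strip_tag(frame)
    return bare if vid == uplink_native else add_tag(bare, vid)


def mx_ingress_vlan(frame, untagged_vlan=20, drop_untagged=False):
    """Model the MX80 LAN port: the VLAN a frame lands in, or None if it is dropped."""
    if frame is None:
        return None
    vid = vlan_of(frame)
    if vid is None:
        if drop_untagged:
            return None
        vid = untagged_vlan
    return vid if vid in MX_VLANS else None  # tags for unknown VLANs (e.g. 1) go nowhere


def dhcp_scope_for(frame, **mx_settings):
    """The MX80 DHCP scope (as a string) that would answer the frame, or None."""
    vid = mx_ingress_vlan(frame, **mx_settings)
    return str(MX_VLANS[vid]) if vid is not None else None


if __name__ == "__main__":
    discover = build_frame(MX_MAC, HOST_MAC, b"DHCP DISCOVER")  # hosts send untagged
    # Intended: access port in VLAN10 -> tagged 10 on the trunk -> VLAN10 scope answers.
    print(dhcp_scope_for(switch_to_uplink(discover, {"type": "access", "vlan": 10})))
    # Port left at a trunk/native-1 setting: the frame crosses the uplink untagged and
    # the MX80's "untagged -> VLAN20" rule hands out a VLAN20 address (the symptom).
    on_uplink = switch_to_uplink(discover, {"type": "trunk", "native": 1})
    print(dhcp_scope_for(on_uplink, untagged_vlan=20))
    # Hardened MX80 that drops untagged traffic: the same frame gets nothing.
    print(dhcp_scope_for(on_uplink, drop_untagged=True))
```

Run it as a script and the three lines print `192.168.10.0/24`, `192.168.20.0/24` and `None`: the only thing that changes between the second and third case is the MX80's untagged-traffic setting, which is exactly the knob the hardened model turns.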
Here are a few things that I have learned with this type of setup:
Configure the MS22 switch's static IP address FIRST, before you do ANYTHING ELSE. If you set the MX80 to drop untagged traffic before the switch has a static IP, the switch will never be able to check in to the Meraki Cloud Controller (MCC, i.e. the Dashboard): with its management VLAN on the uplink's native VLAN, the switch's DHCP request reaches the MX80 untagged and is discarded.
If you didn't set the static IP first, here is what you need to do to fix the problem:
- On the MX80, change the untagged traffic setting from drop to VLAN10 (or whichever VLAN owns the subnet you want the switch's static address in; see the note below).
- Wait 2-3 minutes, then check the Dashboard to see whether the switch has checked in. If not, fully reset the MS22 switch from the reset button on its front panel.
- Verify that the switch has now checked in to the MCC.
- Assign the static IP address from the Dashboard under Monitor >> Switches, choose the switch, and under Status click SET IP ADDRESS.
After changing the VLAN settings on the MX80 and resetting the MS switch, note the LAN IP the switch currently holds from DHCP. If you try to assign a static IP address on a DIFFERENT subnet from the one DHCP gave the switch, the assignment silently fails: the Dashboard acts as if nothing happened. For example, if DHCP gave the switch 10.10.10.10 and you try to assign 10.50.50.50, the assignment fails. Make sure the switch is getting a DHCP address from the same subnet you want its static address on. This is why the MX80's untagged traffic setting matters: it decides which DHCP scope answers the switch.
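The ordering constraint above can be checked before touching the Dashboard. The Python helper below is added here and is not Meraki code; it assumes, as in this setup, that the switch's management traffic reaches the MX80 untagged, so the MX80's untagged-traffic setting decides which DHCP scope the switch gets its lease from. The function names, the "silent rejection" rule it mirrors (static address must be inside the DHCP subnet) and the extra sanity checks on the gateway and broadcast address are my own.

```python
import ipaddress

# The MX80 VLANs and their subnets from the post.
MX_VLANS = {10: "192.168.10.0/24", 20: "192.168.20.0/24"}


def switch_dhcp_scope(mx_vlans, untagged_vlan, drop_untagged=False):
    """Return the subnet the MX80's DHCP would hand the switch, or None.

    Assumption: the switch's management traffic arrives at the MX80 untagged
    (its management VLAN is the uplink's native VLAN), so the MX80's untagged
    setting picks the scope; with "drop untagged" there is no lease at all.
    """
    if drop_untagged or untagged_vlan not in mx_vlans:
        return None
    return ipaddress.ip_network(mx_vlans[untagged_vlan])


def required_untagged_vlan(mx_vlans, static_ip):
    """The MX80 VLAN whose subnet contains static_ip, or None if no VLAN does."""
    addr = ipaddress.ip_address(static_ip)
    for vid, subnet in mx_vlans.items():
        if addr in ipaddress.ip_network(subnet):
            return vid
    return None


def check_static_assignment(dhcp_ip, prefix_len, static_ip, gateway):
    """Mirror the Dashboard's silent rejection: return (ok, reason).

    The static address must sit in the subnet the switch currently holds from
    DHCP, be a usable host address, and have a gateway inside that subnet.
    """
    net = ipaddress.ip_interface(f"{dhcp_ip}/{prefix_len}").network
    static = ipaddress.ip_address(static_ip)
    gw = ipaddress.ip_address(gateway)
    if static not in net:
        return False, f"{static} is outside {net}, the subnet DHCP gave the switch; the Dashboard will ignore it"
    if static in (net.network_address, net.broadcast_address):
        return False, f"{static} is the network or broadcast address of {net}"
    if gw not in net or gw == static:
        return False, f"gateway {gw} is not a usable gateway for {static} in {net}"
    return True, f"{static}/{prefix_len} via {gw} is consistent with {net}"


def plan_static_ip(mx_vlans, mx_untagged_vlan, mx_drop_untagged, static_ip, prefix_len, gateway):
    """Decide whether the MX80's untagged setting must change before the static IP can be set.

    Returns the VLAN the MX80 must send untagged traffic to while the address
    is assigned, whether that differs from the current setting, and the steps.
    """
    needed = required_untagged_vlan(mx_vlans, static_ip)
    if needed is None:
        return {"ok": False, "reason": f"no MX80 VLAN contains {static_ip}"}
    change_mx_first = mx_drop_untagged or mx_untagged_vlan != needed
    steps = []
    if change_mx_first:
        steps.append(f"MX80: set untagged traffic to VLAN{needed} (scope {mx_vlans[needed]}); "
                     "wait 2-3 minutes and reset the MS22 if it does not check in")
    steps.append(f"Dashboard: SET IP ADDRESS {static_ip}/{prefix_len} gateway {gateway} on the MS22, "
                 f"once it holds a DHCP lease from {mx_vlans[needed]}")
    steps.append("MX80: set untagged traffic to drop (only after the static IP is in place)")
    return {"ok": True, "required_untagged_vlan": needed, "change_mx_first": change_mx_first, "steps": steps}


if __name__ == "__main__":
    # The failing case from the post: DHCP gave 10.10.10.10, we try 10.50.50.50.
    print(check_static_assignment("10.10.10.10", 24, "10.50.50.50", "10.10.10.1"))
    # Recovering from "drop untagged" set too early, aiming for a VLAN10 address.
    for step in plan_static_ip(MX_VLANS, 20, True, "192.168.10.5", 24, "192.168.10.1")["steps"]:
        print("-", step)
```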
So, that is pretty much it. This issue may have been an elementary one, but it all comes back to how VLAN tagging works. I enjoy working with Meraki devices and I have a good feeling that Meraki will continue making more interesting products. As always, feel free to leave a comment below.