
Network change DHCP and routing question.

Arjan Sinnige
Level 1

Hi all and thx for reading,

I made a quick picture of our current situation A. We have a Meraki MX100 which does all the routing/firewall stuff, but we find that it lacks throughput when routing inside our own network. It seems to bog down on speed when transferring large files and media from workstations to servers. (Which is our direct business)

I was thinking of making the switches do the routing instead. But thinking about it and doing some small tests, I think what I originally planned to do, Situation B, won't work, but I am not sure, as both the switch and the MX100 contain all VLANs and route. I am afraid of multiple paths back to the original sender that would ruin the situation.

Normal/best option of course would be to do Situation C, where I would move all Services off the MX100 and just use it as a firewall / nat device.

Any suggestions/observations? Did I miss some info? Please ask, as I am going to do some testing, but situation C requires a lot of extra work (complete reconfiguring of the MX100 and setting up a DHCP server). Situation B just requires swapping the IP addresses from the MX100 to the switch and creating new ones for the MX100.


7 Replies

Sam Smiley
Level 3

Given that the switch is a 2960X you only really have option B, since the 2960X is only an L2 switch. In order to implement option C you would need an L2/L3 switch. The simplest configuration would be to simply add inter-VLAN routing to the 2960 stack and update the gateway in the DHCP scopes. This would at least take the L3 load off of the Meraki.

Cheers,

Sam

This Saturday night I tried to implement Option B.

Inter-VLAN routing between my own networks worked (the 2960X has LAN Base), and inter-VLAN routing on the 2960X is definitely faster than routing on the MX100, even with 8 ACLs on every subnet.

But I could not get them to pass traffic beyond the MX100 and get a message back.

I created a static route 0.0.0.0 0.0.0.0 10.31.4.2 on the switch pointing to an address on the Meraki and expected the reply to be delivered back, since all internal networks were directly connected on the Meraki. But it did not work. I do not exactly understand why, though. The only things I could think of are that the firewall in the Meraki discards it, or that it would require dynamic routing with VRF/PBR.

Does anyone know why it is a problem for a packet to be sent out through one VLAN and return via another? Maybe it is a NAT issue, in that the Meraki MX100 has different NAT tables for each VLAN?

So I killed my config and went for option C. I had to set up a DHCP server, since the Meraki can't do it anymore (the networks are not directly connected anymore). But on the bright side, it works without any routing issues.

The only issue for me now is that the Meraki tracks clients by MAC address, and since there is now a router in between, it no longer sees them. I need to set the Meraki to track by IP address, but unfortunately I cannot do that either without unlinking the network from the rest. It gives me the following error: "Tracking clients by IP addresses is not supported in a combined network and will break client tracking data." I'll have to talk to the global administrator for our network to get that done.

Looks like I will have to live with what I have got, unless I can get my boss or the global IT administrator to give me a proper core switch. Unless you guys know why option B did not work.

Hi -

Any asymmetric traffic going across a firewall will be dropped in normal configurations. This is because the firewall expects to see the entire conversation, not just half of it.

Option C was always your best bet.

PSC
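To make the point in the accepted answer concrete (and to show why the static default route toward 10.31.4.2 in the earlier post produced no replies), here is an added toy model of a stateful firewall; it is example code written for this thread, not Meraki or Cisco software, and it does not describe MX internals. It assumes a simplified tracker that records, per flow, the interface pair the first packet used and requires every reply to retrace that pair; the 10.31.10.0/24 client VLAN, the interface names and the 203.0.113.10 server address are constructed, only the 10.31.4.x transit hop comes from the thread, and NAT is left out.

```python
"""Toy stateful firewall: why a flow that goes out one way and comes back
another is dropped.  Added example, not Meraki or Cisco code; all addresses
except the 10.31.4.x transit network are constructed for illustration."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    ingress: str        # interface the packet arrived on
    syn: bool = False   # True for the first packet of a new TCP flow


class StatefulFirewall:
    """Remembers each flow with the (in, out) interface pair it was first seen on."""

    def __init__(self, routes):
        # routes: [(prefix, egress interface)], longest prefix match wins
        self.routes = [(ipaddress.ip_network(p), i) for p, i in routes]
        self.flows = {}   # (src, dst, sport, dport) -> {"in": iface, "out": iface}

    def egress_for(self, dst):
        addr = ipaddress.ip_address(dst)
        matches = [(n.prefixlen, i) for n, i in self.routes if addr in n]
        return max(matches, key=lambda m: m[0])[1]

    def process(self, pkt):
        egress = self.egress_for(pkt.dst)
        fwd = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        rev = (pkt.dst, pkt.src, pkt.dport, pkt.sport)
        if fwd in self.flows:                       # more packets, same direction
            st = self.flows[fwd]
            if (pkt.ingress, egress) != (st["in"], st["out"]):
                return "DROP: forward path changed"
            return "ALLOW"
        if rev in self.flows:                       # a reply to a tracked flow
            st = self.flows[rev]
            # The reply must arrive where the request left and leave where it
            # arrived; anything else is the "half a conversation" case.
            if (pkt.ingress, egress) != (st["out"], st["in"]):
                return (f"DROP: asymmetric ({pkt.ingress}->{egress}, "
                        f"expected {st['out']}->{st['in']})")
            return "ALLOW"
        if not pkt.syn:                             # reply with no state at all
            return "DROP: no matching state"
        self.flows[fwd] = {"in": pkt.ingress, "out": egress}
        return "ALLOW"


CLIENT, SERVER = "10.31.10.20", "203.0.113.10"     # constructed endpoints


def run_conversation(fw):
    """Client request out through the transit VLAN, server reply in from the WAN."""
    request = Packet(CLIENT, SERVER, 40000, 443, ingress="vlan4", syn=True)
    reply = Packet(SERVER, CLIENT, 443, 40000, ingress="wan")
    return [fw.process(request), fw.process(reply)]


def situation_c():
    # The MX only knows the transit VLAN; every internal subnet is reached
    # through the switch, so the reply goes back the way the request came.
    fw = StatefulFirewall([("10.31.0.0/16", "vlan4"), ("0.0.0.0/0", "wan")])
    return run_conversation(fw)


def situation_b():
    # The MX still has every VLAN directly connected, so it routes the reply
    # straight onto vlan10 instead of back through the transit VLAN.
    fw = StatefulFirewall([("10.31.4.0/24", "vlan4"),
                           ("10.31.10.0/24", "vlan10"),
                           ("0.0.0.0/0", "wan")])
    return run_conversation(fw)


def unsolicited_reply():
    # A reply the firewall never saw the request for is dropped outright.
    fw = StatefulFirewall([("10.31.0.0/16", "vlan4"), ("0.0.0.0/0", "wan")])
    return fw.process(Packet(SERVER, CLIENT, 443, 40000, ingress="wan"))


if __name__ == "__main__":
    print("Situation C:", situation_c())
    print("Situation B:", situation_b())
    print("No state:   ", unsolicited_reply())
```

In the model the request in situation B is accepted and state is created, so outbound traffic appears to work; only the reply fails the interface check, which matches the symptom of "packets go out but nothing comes back". Real firewalls differ in how strictly they tie a flow to an interface pair, so treat this as the general shape of the problem rather than a statement about any one product.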

I got lucky. Seems there is a redundant 3650 in our branch in Barcelona that the global IT guy will send me. As long as it has IP Base, that should be enough, right?

Seems I can stick with option A after all.

Hi -

Yes. IP Base is enough for the setup you show in the diagrams of the original query.

Paul Chapman
Level 4

Hi Arjan -

I'm not sure if option B is feasible. The last I knew is that the Meraki firewall could only provide DHCP services for directly connected subnets. Let me know if I'm wrong.

Option C is generally the best option. Once again, we have a feasibility issue with the platform that you are using. At best the 2960 will support routing to directly connected subnets, but it's not a full-featured L3 switch. It is likely, though, that you will get significantly better performance.

To really get into option 3, I recommend putting your inter-VLAN routing on either a Catalyst 3560X or a Meraki MS225.

PSC

jhontoc24
Level 1

For me, letter A, because with letter C the Meraki MX doesn't allow you to attach group policy for all your VLANs.
