1 Rookie, February 24th, 2022 13:00
S series OS10 Switches and Cisco Meraki Firewall, L3 VLANs can't see gateway
Hi,
Sorry, but it's been 12 years since I've built a totally new network, so perhaps I'm just being stupid.
First, here is my setup:
I'm replacing a largely obsolete network which has been hacked together for the last 20 years with a new parallel network based on S-series switches, with core and internal routing being handled by an S5232F-ON and mostly S5148F-ON on the edge.
I have 3 VLANs (15, 25, 35) and all are assigned IPs only on the S5232F: 192.168.15.1, .25.1 and .35.1.
VLAN 35 is for my servers and is my L3 gateway. All of the S5148s and a few others are connected via 100G trunks to the S5232. DHCP for this network is an AD DC at 192.168.35.10. All this seems to be working fine. The machines on VLAN 25 see and receive DHCP from the machines on VLAN 35 just fine.
I have a legacy Cisco MX-250 Meraki cloud-controlled appliance which is being used as a router for the existing legacy network as well as a gateway to the internet. That network, which includes N-series Dell switches, is functioning as expected.
MY PROBLEM: I have one port (1/1/1:1) on the S5232F set up as a trunk allowing VLAN 35 into the Meraki. The Meraki (which has no command line) is set to allow all VLANs on this trunk port and has an L3 address of 192.168.35.248, and a native VLAN of 1.
On the S5232F, I have a route of "ip route 0.0.0.0/0 192.168.35.254". The Meraki is acting as an internet gateway for the legacy network and hopefully also for this new network.
All machines on VLAN 35 can reach all machines on the legacy network and the internet via the Meraki trunk port. All machines on the legacy network can reach all machines on VLAN 35. Machines on VLAN 25, which at the moment is the only other VLAN with any machines on it, can reach all addresses on VLAN 35, except 192.168.35.254 on the Meraki. I set up a static route on the Meraki to 192.168.25.0/24 via 192.168.35.254 and machines on the legacy network can now ping addresses on VLAN 25.
Question: Why can only VLAN 35 reach the external networks and internet, and how do I fix it?
S5232F-ON relevant config:
! Version 10.5.2.7
! Last configuration change at Feb 24 21:18:57 2022
!
ip vrf default
!
interface breakout 1/1/1 map 10g-4x
interface breakout 1/1/2 map 100g-1x
………………………..
iscsi target port 860
iscsi target port 3260
system-user linuxadmin password ****
hostname coresw001
username admin password **** role sysadmin priv-lvl 15
aaa authentication login default local
aaa authentication login console local
!
class-map type application class-iscsi
!
policy-map type application policy-iscsi
!
interface vlan1
no shutdown
!
interface vlan15
vlan-name AdminDevices
description vlan15
no shutdown
ip address 192.168.15.1/24
ip helper-address 192.168.35.10
!
interface vlan25
vlan-name AudiosDatNetwork
description vlan25
no shutdown
ip address 192.168.25.1/24
ip helper-address 192.168.35.10
!
interface vlan35
description Servers
no shutdown
ip address 192.168.35.1/24
!
……………………………………
!
interface mgmt1/1/1
no shutdown
no ip address dhcp
ip address 192.168.50.210/24
ipv6 address autoconfig
!
interface ethernet1/1/1:1
description "Uplintk to MX-250"
no shutdown
switchport mode trunk
switchport trunk allowed vlan 25,35
flowcontrol receive off
!
……………..
!
interface ethernet1/1/31
no shutdown
switchport mode trunk
switchport trunk allowed vlan 15,25,35,45,55,65
flowcontrol receive off
!
interface ethernet1/1/32
no shutdown
switchport mode trunk
switchport trunk allowed vlan 15,25,35,45,55,65
flowcontrol receive off
!
…………………….
!
ip route 0.0.0.0/0 192.168.35.254
!
snmp-server contact "Contact Support"
!
S5148F-ON config:
! Version 10.4.3.8
! Last configuration change at Feb 17 02:39:49 2022
!
ip vrf default
!
interface breakout 1/1/49 map 100g-1x
interface breakout 1/1/50 map 100g-1x
interface breakout 1/1/51 map 100g-1x
interface breakout 1/1/52 map 100g-1x
interface breakout 1/1/53 map 100g-1x
interface breakout 1/1/54 map 100g-1x
hostname edgesw002
system-user linuxadmin password $6$5DdOHYg5$JCE1vMSmkQOrbh31U74PIPv7lyOgRmba1IxhkYibpp
MXs1KM4Y.gbTPcxyMP/PHUkMc5rdk/ZLv9Sfv3ALtB61
iscsi enable
iscsi target port 860
iscsi target port 3260
username admin password $6$q9QBeYjZ$jfxzVqGhkxX3smxJSH9DDz7/3OJc6m5wjF8nnLD7/VKx8SloIh
p4NoGZs0I/UNwh8WVuxwfd9q4pWIgNs5BKH. role sysadmin priv-lvl 15
aaa authentication login default local
aaa authentication login console local
!
class-map type application class-iscsi
!
policy-map type application policy-iscsi
!
interface vlan1
no shutdown
!
interface vlan15
no shutdown
!
interface vlan25
no shutdown
!
interface vlan35
no shutdown
………….
!
interface mgmt1/1/1
no shutdown
no ip address dhcp
ip address 192.168.50.212/24
ipv6 address autoconfig
!
interface ethernet1/1/1
no shutdown
switchport mode trunk
switchport trunk allowed vlan 15,25,35,45,55,65
flowcontrol receive on
!
interface ethernet1/1/2
no shutdown
switchport access vlan 25
flowcontrol receive on
!
………………………
!
interface ethernet1/1/54
no shutdown
switchport mode trunk
switchport trunk allowed vlan 15,25,35,45,55,65
flowcontrol receive on
!
support-assist
snmp-server contact "Contact Support"
Bruce Dobrin (1 Rookie), March 2nd, 2022 10:00
Turned out to be my fault, as I expected. The VLAN 25 static route on the Meraki was pointed to the Meraki interface address (..35.254) rather than the one on the Dell core switch (...35.1).
Thanks for helping me narrow this down.
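To see why that fix works, here is an added Python model (not from the thread, Dell or Meraki) of the path between a VLAN 25 host and the Meraki's 192.168.35.254, doing a longest-prefix route lookup at each hop. It treats a static route whose next hop is the router's own interface address as unresolvable, which matches the symptom in the later capture (request arrives, no reply). The Meraki's legacy-side address 192.168.50.1 is an assumption.

```python
import ipaddress

CORE_VLAN35 = "192.168.35.1"      # S5232F-ON vlan35 SVI (from the thread)
MERAKI_VLAN35 = "192.168.35.254"  # Meraki trunk-port address (from the thread)
MERAKI_LEGACY = "192.168.50.1"    # assumed legacy-side address, not from the thread

def topology(vlan25_next_hop):
    """{node: (own addresses, [(prefix, next_hop)])}; 'connected' = local segment."""
    return {
        "host25": ({"192.168.25.100"},
                   [("192.168.25.0/24", "connected"), ("0.0.0.0/0", "192.168.25.1")]),
        "core": ({"192.168.25.1", CORE_VLAN35},
                 [("192.168.25.0/24", "connected"), ("192.168.35.0/24", "connected"),
                  ("0.0.0.0/0", MERAKI_VLAN35)]),
        "meraki": ({MERAKI_VLAN35, MERAKI_LEGACY},
                   [("192.168.35.0/24", "connected"), ("192.168.50.0/24", "connected"),
                    ("192.168.25.0/24", vlan25_next_hop)]),
    }

def lookup(routes, dst):
    """Longest-prefix match: the most specific (network, next_hop) containing dst."""
    dst = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), nh) for p, nh in routes
               if dst in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen, default=None)

def trace(topo, node, dst, max_hops=8):
    """Forward hop by hop; returns the path followed by 'delivered' or a drop reason."""
    path = [node]
    for _ in range(max_hops):
        addrs, routes = topo[node]
        if dst in addrs:
            return path + ["delivered"]
        route = lookup(routes, dst)
        if route is None:
            return path + ["drop: no route"]
        target = dst if route[1] == "connected" else route[1]
        if target in addrs:  # next hop is this router's own address: unresolvable
            return path + ["drop: next-hop is own interface " + target]
        node = next((n for n, (a, _) in topo.items() if target in a), None)
        if node is None:
            return path + ["drop: nobody on the segment answers for " + target]
        path.append(node)
    return path + ["drop: hop limit"]

def ping_works(vlan25_next_hop):
    """True only if the 192.168.25.100 -> .35.254 request AND its reply are delivered."""
    topo = topology(vlan25_next_hop)
    return (trace(topo, "host25", MERAKI_VLAN35)[-1] == "delivered"
            and trace(topo, "meraki", "192.168.25.100")[-1] == "delivered")
```

Calling ping_works(MERAKI_VLAN35) reproduces the broken state (request delivered, reply black-holed on the Meraki) and ping_works(CORE_VLAN35) the working one; the same check maps onto "show ip route" on the switch and the static-route page on the Meraki dashboard.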
DELL-Josh Cr (Moderator), March 2nd, 2022 10:00
Glad you got it resolved. Let us know if you have any additional questions.
Bruce Dobrin (1 Rookie), February 24th, 2022 17:00
Sorry, in my original post I have a typo: my Meraki VLAN 35 trunk port address is 192.168.35.254, NOT .248.
DELL-Josh Cr (Moderator), February 24th, 2022 18:00
Hi,
It seems like the switches are configured correctly since VLAN 25 and 35 can communicate fine except for that one port. You may want to set up port monitoring and use Wireshark to see where the VLAN 25 data is getting dropped. Page 714 https://dell.to/3LXL5Tg
Bruce Dobrin (1 Rookie), February 25th, 2022 16:00
Thanks Josh for your reply. I hoped the running config would be a clue, as I don't have a free RJ45 transceiver for the monitoring port and am out of machines with SFP+ for the monitor machine. Is there an on-switch way to scan the ports? I thought it might be my config, as I had a similar issue with a trunk port on an edge switch to a questionable Netgear switch, but assumed it was the switch. I'll need to work on the monitoring Monday and see if I can find a solution to that.
Bruce Dobrin (1 Rookie), February 25th, 2022 18:00
OK, so I found a Cisco firmware transceiver that seemed to work on the Dell S5232, and the capture, if I'm reading it correctly, seems to show that a ping to the address on the Cisco is getting to the Cisco Meraki port and then stopping:
54 7.577506 192.168.25.100 192.168.35.254 ICMP 102 Echo (ping) request id=0x651c, seq=180/46080, ttl=63 (no response found!)
Ethernet II, Src: Dell_b8:8c:06 (1c:72:1d:b8:8c:06), Dst: CiscoMer_10:a7:7f (98:18:88:10:a7:7f)
Pings from outside, via that port, are fine:
55 8.164798 192.168.50.44 192.168.25.100 ICMP 102 Echo (ping) request id=0x0113, seq=11/2816, ttl=128 (reply in 56).
I guess this all points to the Meraki stopping the outgoing traffic, so Monday I'll assume that is the place to start.
Thanks
-Bruce