Default untagged vlan 1 Management on MS switches

ToryDav
Building a reputation


Hi All,


I just would like to clarify something regarding the default VLAN 1 management traffic MS switches use.

If my MS switch has a routed port upstream with a default gateway (untagged traffic), then am I forced to use VLAN 1?

Changing to, for example, VLAN 10 on the switch's LAN IP (and changing the VLAN tag in Switch -> Settings), and putting the uplink on an access VLAN 10 port, isn't going to work, right?

Trunking/tagging for management in my case isn't possible because the port upstream used for management is a routed only port.

Are we really stuck with VLAN 1 for MGMT in this case?

alemabrahao
Kind of a big deal

No, you can use any other VLAN for management without problems.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

By default, the switch will try to contact Meraki Dashboard on the untagged (native) VLAN. Alternately, you can specify the management VLAN under Configure > Switch settings. This allows the switch to reach the internet via a trunk port. 


If you change the management VLAN and the switch can no longer obtain a DHCP lease or reach Meraki Dashboard, the switch will revert to its previous management VLAN configuration.


If your network does not allow the native VLAN or any of the default VLANs to DHCP or connect to the internet, you will need to manually assign a management VLAN. To do this, place the switch on a network running DHCP, then from dashboard navigate to Monitor >> Switches and select the target switch. From the details page, choose "Set IP Address" and save your changes.

ToryDav
Building a reputation

That's what I understand too; however, in this case a static IP was set in VLAN 10 on the switch, and the Switch -> Switch settings page was also set to match (VLAN 10). However, as soon as this was done the switch went down in the dashboard.

The upstream port was set as switchport access vlan 10, or as a trunk with native VLAN 10; it would not come up using that VLAN, so it seemed as though the traffic was being tagged (and dropped).

Using the same IP and VLAN 1 did the trick and it comes right up, which was a bit odd.

ToryDav
Building a reputation

And to be clear, the VLAN doesn't exist; upstream is entirely Layer 3.

We are just setting VLAN 10 for management to avoid using default VLAN 1.

My understanding is that once you insert the VLAN tag into the box shown below, isn't that traffic tagged with that VLAN ID? This is a required field, so traffic is always tagged unless using default VLAN 1, is that not true?


alemabrahao
Kind of a big deal

I know it's not the best solution in the world, but if you leave the management VLAN as 1 in the panel and set the uplink port to trunk with the native VLAN as any other, would that not solve your case, since it is not possible to "create" or "remove" VLANs in Meraki?


ToryDav
Building a reputation

🤔 Perhaps it might.

GIdenJoe
Kind of a big deal

Important stuff to tell here:

- The switches ALWAYS have a certain VLAN that is used for management, even if you leave the box blank.

- Whether that VLAN is tagged or untagged depends solely on how your uplink port is configured.

To elaborate on both points:

You have a configurable management VLAN setting on the Switch -> Switch settings page. This defaults to VLAN 1, and it is used if no VLAN is configured on the switch IP configuration tab. So basically, if you put VLAN 10 in the box on the switch itself but put VLAN 5 as the management VLAN on the main switch settings page, that switch will use VLAN 10 for management. If you leave the box blank it will use VLAN 5, because that is the default now.

So you have to make sure your trunk port leading towards the internet has the correct tagging or untagging of the management VLAN.


This behavior is different for switches than for endpoints like cameras and access points, where leaving the uplink VLAN empty DOES mean untagged.
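The precedence and tagging rules in the reply above, together with the revert-on-failure behaviour alemabrahao describes, encoded as a small Python model for sanity-checking a planned management VLAN change before applying it. This is an added example, not code from the thread or from Meraki; the function names, the UplinkPort type, the "upstream accepts untagged only" flag and the sample values are constructed assumptions.

```python
"""Model of the management-VLAN rules described in this thread.

Precedence: the per-switch IP configuration VLAN box wins when filled in; a blank
box inherits the network-wide Switch settings management VLAN (default 1).
Tagging: whether management frames leave tagged depends only on the uplink port.
Constructed example; it does not query a Dashboard or a switch.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class UplinkPort:
    mode: str                              # "access" or "trunk"
    vlan: int                              # access VLAN, or native VLAN of a trunk
    allowed: Optional[frozenset] = None    # trunk allowed VLANs; None means all


def effective_mgmt_vlan(switch_ip_vlan: Optional[int], network_default: int = 1) -> int:
    """Per-switch value overrides the network default; a blank box inherits it."""
    return network_default if switch_ip_vlan is None else switch_ip_vlan


def mgmt_frames_tagged(mgmt_vlan: int, port: UplinkPort) -> Optional[bool]:
    """False: management frames leave untagged. True: they leave 802.1Q-tagged.
    None: the uplink will not carry the management VLAN at all."""
    if port.mode == "access":
        return False if port.vlan == mgmt_vlan else None
    if port.mode == "trunk":
        if port.vlan == mgmt_vlan:          # native VLAN is sent untagged
            return False
        if port.allowed is None or mgmt_vlan in port.allowed:
            return True
        return None
    raise ValueError(f"unknown port mode {port.mode!r}")


def plan_change(current_vlan: int, switch_ip_vlan: Optional[int], network_default: int,
                port: UplinkPort, upstream_untagged_only: bool) -> Tuple[int, str]:
    """Return (VLAN the switch ends up on, reason). Mirrors the fallback described
    earlier in the thread: if the new VLAN cannot reach the cloud, the switch reverts."""
    wanted = effective_mgmt_vlan(switch_ip_vlan, network_default)
    tagged = mgmt_frames_tagged(wanted, port)
    if tagged is None:
        return current_vlan, f"reverted: uplink does not carry VLAN {wanted}"
    if tagged and upstream_untagged_only:
        return current_vlan, f"reverted: VLAN {wanted} leaves tagged but upstream is a routed port"
    return wanted, f"ok: management on VLAN {wanted}, {'tagged' if tagged else 'untagged'}"
```

Run plan_change with the intended per-switch VLAN and the real uplink port mode before touching the Dashboard; a "reverted" result is the case where the switch would drop out of Dashboard and fall back.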
