On a traditional Cisco network setup, I'd have a management VLAN that is only accessible from a port on a switch in a locked network closet or through a VPN connection that only network admins have access to. This way the management traffic never touches normal traffic.
Ideally I'd set up a serial console server to which I'd have to hardwire and just access the CLI through that, never even putting the management traffic on a network.
Lastly, I was taught that no traffic should ever be flowing on the native VLAN. All native VLAN traffic should be dropped at the router. The thinking behind this is that nothing on your network should be untagged. All traffic entering your network should be placed on a VLAN. The native VLAN should be some obscure VLAN not used. It should never be VLAN 1.
With Meraki can I have the same level of control over the management traffic? Can I have all my equipment on a Management VLAN?
What's the best practice for Meraki concerning the IP addresses of their equipment?
Coming from the IOS world to the Meraki platform is sort of like a Windows guy moving to an OSX environment. Computing in general is universal; it's the details that are different. I hope this all makes sense.
It may, or may not be best practice, but I have been able to ensure that
Under certain circumstances, the controller may insist that a VLAN be assigned, in which case, I select a non-existent VLAN number, unsurprisingly, 101 is the logical selection.
In a world where we do not have control over all the "smart"/IoT devices in our environment, unwelcome activities are much more easily detected, in our case a VLAN turning up on an uplink, being used by a Zigbee/LTE device installed by the energy supplier.
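Added example, not code from this thread or from Meraki: a small Python audit that applies the two rules discussed above (nothing untagged on an uplink, nothing on a VLAN that was never provisioned) to raw Ethernet frames. The frames and the allowlist are constructed for the example; the native VLAN number 101 is taken from the answer above, and the 802.1Q parsing is the generic tag format, not anything dashboard-specific.

```python
import struct
from typing import Iterable, List, Optional, Set, Tuple

ETHERTYPE_8021Q = 0x8100   # outer 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def parse_vlan(frame: bytes) -> Optional[int]:
    """Return the 802.1Q VLAN ID of an Ethernet frame, or None if the frame is untagged."""
    if len(frame) < 14:
        raise ValueError("runt frame: no Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_8021Q:
        return None                      # no tag: this frame rides the native VLAN
    if len(frame) < 18:
        raise ValueError("truncated frame: 802.1Q tag incomplete")
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF                  # low 12 bits of the TCI are the VID


def audit_uplink(frames: Iterable[bytes], allowed_vlans: Set[int],
                 native_vlan: int) -> List[Tuple[int, str, int]]:
    """Flag frames that break the policy: nothing untagged, nothing outside the
    VLANs expected on this uplink. Returns (frame index, reason, vid)."""
    findings = []
    for i, frame in enumerate(frames):
        vid = parse_vlan(frame)
        if vid is None:
            findings.append((i, "untagged-on-native", native_vlan))
        elif vid == 0:
            # VID 0 is a priority-only tag; switches forward it as untagged traffic
            findings.append((i, "priority-tagged-on-native", native_vlan))
        elif vid not in allowed_vlans:
            findings.append((i, "unexpected-vlan", vid))
    return findings


def build_frame(vid: Optional[int], payload: bytes = b"\x00" * 46) -> bytes:
    """Constructed sample frame (broadcast dst, locally administered src); vid None = untagged."""
    header = bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
    if vid is None:
        return header + struct.pack("!H", ETHERTYPE_IPV4) + payload
    return header + struct.pack("!HHH", ETHERTYPE_8021Q, vid, ETHERTYPE_IPV4) + payload


# Constructed capture: two sanctioned VLANs, one untagged frame, one VLAN nobody provisioned.
SAMPLE_FRAMES = [build_frame(10), build_frame(None), build_frame(20), build_frame(999)]
ALLOWED_ON_UPLINK = {10, 20}
NATIVE_VLAN = 101                        # the unused "parking" VLAN from the answer above

if __name__ == "__main__":
    for index, reason, vid in audit_uplink(SAMPLE_FRAMES, ALLOWED_ON_UPLINK, NATIVE_VLAN):
        print(f"frame {index}: {reason} (vlan {vid})")
```

Feeding it frames captured on a trunk port (e.g. from a pcap) turns the "VLAN turning up on an uplink" observation into a repeatable check.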
You can put all your devices on a management VLAN, but that management VLAN will need internet access so the devices can check in to the dashboard and be managed. There isn't much of a local managed option, so the serial/local old school way of implementing won't really work.
@Adam wrote: ". . . so the serial/local old school way of implementing won't really work."
Nevertheless, the IT industry does this sort of thing all the time.
@Uberseehandel totally not saying it's the wrong way to do it. Just that it's trying to make an old solution work with hardware that has a new approach.