Meraki

Community

Management Traffic Best Practice

Solved
trunolimit
Building a reputation
‎Apr 4 2018 8:39 PM
‎Apr 4 2018 8:39 PM

Management Traffic Best Practice

On a traditional Cisco network set up, I'd have a management VLAN that is only accessible from a port on a switch in a locked network closet or through a VPN connection that only network Admins have access to. This way the management traffic never touches normal traffic. 

 

Ideally I'd set up a serial console server to which I'd have to hardwire and just access the CLI though that never even putting the management traffic on a network. 

 

Lastly I was taught that no traffic should ever be flowing on the native VLAN. all native VLAN traffic should be dropped at the router. The thinking behind this is that nothing on your network should be untagged. All traffic entering your network should be placed on a VLAN. The native VLAN should be some obscure VLAN not used. It should never be VLAN1

 

With Meraki can I have the same level of control over the management traffic? Can I have all my equipment on a Management VLAN? 

 

What's the best practice for Meraki concerning the IP addresses of their equipment?

 

Coming from the IOS world to the meraki platform is sort of like a WIndows guy moving to an OSX environment. Computing in general is universal it's the details that are different. I hope this all makes sense.  

0 Kudos
1 Accepted Solution
Uberseehandel
Kind of a big deal
‎Apr 4 2018 10:32 PM
‎Apr 4 2018 10:32 PM

It may, or may not be best practice, but I have been able to ensure that

 

  • Everything on a trunk is tagged
  • a separate management  VLAN is used
  • nothing is untagged
  • native/untagged is not used
  • unoccupied ports are disabled

 

Under certain circumstances, the controller may insist that a VLAN be assigned, in which case, I select a non-existent VLAN number, unsurprisingly, 101 is the logical selection.

 

In a world where we do not have control over all the "smart"/IoT devices in our environment, unwelcome activities are much more easily detected, in our case a VLAN turning up on an uplink, being used by a Zigbee/LTE device installed by the energy supplier.

 

 

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel

View solution in original post

5 Replies 5
Uberseehandel
Kind of a big deal
‎Apr 4 2018 10:32 PM
‎Apr 4 2018 10:32 PM

It may, or may not be best practice, but I have been able to ensure that

 

  • Everything on a trunk is tagged
  • a separate management  VLAN is used
  • nothing is untagged
  • native/untagged is not used
  • unoccupied ports are disabled

 

Under certain circumstances, the controller may insist that a VLAN be assigned, in which case, I select a non-existent VLAN number, unsurprisingly, 101 is the logical selection.

 

In a world where we do not have control over all the "smart"/IoT devices in our environment, unwelcome activities are much more easily detected, in our case a VLAN turning up on an uplink, being used by a Zigbee/LTE device installed by the energy supplier.

 

 

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
In response to Uberseehandel
Adam
Kind of a big deal
‎Apr 5 2018 8:19 AM
‎Apr 5 2018 8:19 AM

You can put all your devices on a management vlan but that management vlan will need internet access so the devices can checkin to the dashboard and be managed.  There isn't much of a local managed option, so the serial/local old school way of implementing won't really work.   

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
In response to Adam
Uberseehandel
Kind of a big deal
‎Apr 5 2018 9:01 AM
‎Apr 5 2018 9:01 AM

@Adamwrote:

. . .  so the serial/local old school way of implementing won't really work.   

Nevertheless, the IT industry does this sort of thing all the time.

 

  • all those DBAs trying to manage all DBMS as if they were Oracle (which is a job creation scheme for DBAs)
  • all those Netware trained engineers trying to design and manage networks the Novell way
  • all those web developers who could understand RDBMS and reinvented the wheel, badly (NoSQL)
  • all those flawed programming/scripting languages full of faults we knew were best avoided over 50 years ago
  • All those Unix sys admins trying to manage AIX as if it were SunOS

 

 

 

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
In response to Uberseehandel
Adam
Kind of a big deal
‎Apr 5 2018 12:16 PM
‎Apr 5 2018 12:16 PM

@Uberseehandel totally not saying its the wrong way to do it.  Just that it's trying to make an old solution work with hardware that has a new approach.  

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
In response to Adam
Uberseehandel
Kind of a big deal
‎Apr 5 2018 12:53 PM
‎Apr 5 2018 12:53 PM

@Adam

 

I'm totally agreeing with you.

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
© 2024 Cisco Systems, Inc.