Meraki Full-Stack Design Related Question - Dropping Untagged traffic

ToryDav
Building a reputation

What concerns would you have when removing VLAN 1 entirely from a Meraki MS/MX/MR network and dropping untagged traffic across all interconnections (trunks)?

I know there are some requirements to keep VLAN 1 as native VLAN in a mixed Meraki/Catalyst/Nexus environment, so this question focuses on Meraki hardware only for discussion sake.

To meet network security best practices, I often wonder: why not remove VLAN 1 from the MX, tag all the subnets across the MX LAN ports to MS switching, and configure all the trunks to drop untagged traffic?

I don't see any issue but have heard that sometimes dropping untagged traffic could cause problems; I just haven't seen these problems myself.

Thoughts? Opinions? 

alemabrahao
Kind of a big deal

Where did you hear that statement? I needed to drop in some specific cases and never had any issues.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
ToryDav
Building a reputation

Which statement? Assuming the statement about keeping VLAN 1: the link RaphaelL shared is it.

I have seen issues in the field with this though, a lot of issues in mixed-vendor environments due to STP, where there are Rapid STP per-VLAN instances of spanning tree running.

alemabrahao
Kind of a big deal

"I don't see any issue but have heard sometime dropping untagged traffic could cause problems"

[screenshot attached: alemabrahao_0-1669763421502.png]

Despite what the documentation says, I can't see this as a problem, but ok.

cmr
Kind of a big deal

If you set a VLAN as native and don't include it in the trunk and do the same on a Cisco Catalyst switch at the other end, then the link will not pass the traffic in the native VLAN, I can confirm this from experience... 
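To make the native-VLAN mismatch cmr describes visible before it bites, here is an added audit script (my own example, not from this thread or from Meraki). It assumes port records shaped like the Dashboard API's switch port objects (portId, type, vlan as the native VLAN, allowedVlans as "all" or a list such as "10,20,30-40"); the sample records are constructed.

```python
from typing import Iterable, List, Optional, Set, Tuple

# Constructed sample records in the shape of Meraki switch port objects
# (assumed field names: portId, type, vlan = native VLAN, allowedVlans).
SAMPLE_PORTS = [
    {"portId": "1", "type": "trunk", "vlan": 1, "allowedVlans": "all"},
    {"portId": "2", "type": "trunk", "vlan": 999, "allowedVlans": "10,20,30-40"},
    {"portId": "3", "type": "trunk", "vlan": 10, "allowedVlans": "10,20"},
    {"portId": "4", "type": "access", "vlan": 20, "allowedVlans": "all"},
]


def parse_allowed_vlans(spec: str) -> Optional[Set[int]]:
    """Expand an allowedVlans string; None means every VLAN is allowed."""
    if spec.strip().lower() == "all":
        return None
    vlans: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return vlans


def audit_trunks(ports: Iterable[dict]) -> List[Tuple[str, str]]:
    """Return (portId, finding) pairs for trunk ports worth a second look."""
    findings: List[Tuple[str, str]] = []
    for p in ports:
        if p.get("type") != "trunk":
            continue
        native = int(p["vlan"])
        allowed = parse_allowed_vlans(p.get("allowedVlans", "all"))
        if native == 1:
            findings.append((p["portId"], "native VLAN is still 1"))
        # A native VLAN left out of the allowed list means untagged frames on
        # this trunk are not carried; confirm the far end is configured to match.
        if allowed is not None and native not in allowed:
            findings.append((p["portId"], f"native VLAN {native} is not in the allowed list, so untagged traffic is dropped on this trunk"))
    return findings


if __name__ == "__main__":
    for port_id, finding in audit_trunks(SAMPLE_PORTS):
        print(f"port {port_id}: {finding}")
```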

ww
Kind of a big deal

The STP is using a native VLAN. So as long as you make sure you never have a loop (by network admin/user error), and don't want/use redundancy based on STP blocking on your network, it should work.

PhilipDAth
Kind of a big deal

>What concerns would you have when removing VLAN 1 entirely from a Meraki MS/MX/MR network and dropping untagged traffic across all interconnections (trunks)?

This will prevent spanning tree packets from being forwarded and may result in an incorrect spanning tree being formed.
