Meraki

Community

Meraki Full-Stack Design Related Question - Dropping Untagged traffic

ToryDav
Building a reputation
‎Nov 29 2022 1:57 PM
‎Nov 29 2022 1:57 PM

Meraki Full-Stack Design Related Question - Dropping Untagged traffic

What concerns would you have when removing VLAN 1 entirely from a Meraki MS/MX/MR network and dropping untagged traffic across all interconnections (trunks)?

I know there are some requirements to keep VLAN 1 as native VLAN in a mixed Meraki/Catalyst/Nexus environment, so this question focuses on Meraki hardware only for discussion sake.

To meet network security best practices I often wonder, why not remove VLAN 1 from the MX, tag all the subnets across the MX LAN ports to MS switching and configure all the trunks to drop untagged traffic. 

I don't see any issue but have heard sometime dropping untagged traffic could cause problems, I just haven't seen these problems myself.
 

Thoughts? Opinions? 

0 Kudos
7 Replies 7
alemabrahao
Kind of a big deal
Kind of a big deal
‎Nov 29 2022 2:14 PM
‎Nov 29 2022 2:14 PM

Where did you hear that statement? I needed to drop in some specific cases and never had any issues.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
RaphaelL
Kind of a big deal
Kind of a big deal
‎Nov 29 2022 2:29 PM
‎Nov 29 2022 2:29 PM

STP https://documentation.meraki.com/MS/Deployment_Guides/Advanced_MS_Setup_Guide

In response to alemabrahao
ToryDav
Building a reputation
‎Nov 29 2022 3:03 PM
‎Nov 29 2022 3:03 PM

Which statement? Assuming the statement about keeping VLAN 1 - The link RaphaelL shared is it. 

I have seen issues in the field with this though - a lot of issues in mixed vendor environments due to STP where there are rapid STP Per Vlan instances of spanning tree running. 

0 Kudos
In response to ToryDav
alemabrahao
Kind of a big deal
Kind of a big deal
‎Nov 29 2022 3:12 PM
‎Nov 29 2022 3:12 PM

""I don't see any issue but have heard sometime dropping untagged traffic could cause problems""

 

alemabrahao_0-1669763421502.png

despite what the documentation says I can't see this as a problem, but ok.

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
cmr
Kind of a big deal
Kind of a big deal
‎Nov 30 2022 10:10 AM
‎Nov 30 2022 10:10 AM

If you set a VLAN as native and don't include it in the trunk and do the same on a Cisco Catalyst switch at the other end, then the link will not pass the traffic in the native VLAN, I can confirm this from experience... 

If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
In response to ToryDav
ww
Kind of a big deal
Kind of a big deal
‎Nov 30 2022 4:43 AM
‎Nov 30 2022 4:43 AM

the stp  is using a native vlan. So as long you make sure you never have a loop (by the network admin/user error), and dont want/use redundancy based on stp blocking on your network,  it should work. 

PhilipDAth
Kind of a big deal
Kind of a big deal
‎Nov 30 2022 9:28 PM
‎Nov 30 2022 9:28 PM

>What concerns would you have when removing VLAN 1 entirely from a Meraki MS/MX/MR network and dropping untagged traffic across all interconnections (trunks)?

 

This will prevent spanning tree packets from being forwarded and may result in an incorrect spanning tree being formed.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
© 2024 Cisco Systems, Inc.