GX20 + GR10 VLAN question

ErikWie
Conversationalist

GX20 + GR10 VLAN question

I got a GX20 and a GR10, I have set up 2 wifi's on two different vlans (default 1 and 300).
From the Wifi on VLAN 300 I'm able to reach devices on VLAN 1.

As far as I understand the documentation all ports on the GX20 is set to trunk all VLANs, so the GR10 is presented with all VLANs.

But as far as I understand networks I can't figure out why I can crossreach between the VLANs unless there is a setting somewhere I havn't found yet that alows for this.

Is there anyone that can help me on this or do I need to get a GS switch aswell to get this to work.

I just want to segment the network do that the homeoffice is seperated of the home network while both should go thru the umbrella. 

16 Replies 16
VeryFatBoy
Here to help

I only have a GX20 but did investigate VLANs. It seems that, at the moment, the level of configuration on the GX20 is very basic.

 

I believe the Meraki Enterprise products provide more VLAN configuration and network isolation.

 

There is an example in the documentation, but I cannot test it as I don't have all the hardware:

 

Meraki Go - VLAN Configuration

hidden0
Meraki Alumni (Retired)
Meraki Alumni (Retired)

Hello @ErikWie,

 

The default GX port config is to trunk all VLANs with native VLAN set to 1. If you would like to confirm (or change) the GX LAN port configuration/s, you can do so from the local status page on the device:

https://documentation.meraki.com/Go/Meraki_Go_-_Local_Status_Page

 

The only setting that jumps to mind that would prevent this outside of port configuration would be "Guest Mode" on the wireless network.

 

You can check for this setting in the Meraki Go app under Networks > [Network Name]. Be sure to set Guest Mode to off to allow traffic to pass between VLANs. 

 

If you still face problems after both of these steps, just let us know here or by opening a support case for our team to take a look.

 

I tested this on my lab deployment to be sure it works without issue. 
Thank you for jumping in as well @VeryFatBoy, the help is always appreciated.

ErikWie
Conversationalist

@hidden0 


@hidden0 wrote:

Hello @ErikWie,

 

The default GX port config is to trunk all VLANs with native VLAN set to 1. If you would like to confirm (or change) the GX LAN port configuration/s, you can do so from the local status page on the device:

https://documentation.meraki.com/Go/Meraki_Go_-_Local_Status_Page

Please elaborate what you mean by this.

I quote the GX20 Vlan config documentation "The GX LAN ports default to Trunk Mode with Allowed VLANs set to all." And that is what I expirience, the ethernet port on GX20 that has the GR10 connected presentes both VLAN 1 and VLAN 300 to the GR10 Access Point
https://documentation.meraki.com/Go/Meraki_Go_-_VLAN_Configuration

On the Local Status Page I'm not able to find any where that I can do any vlan changes to the ethernet ports, I can enable/disable and I can set Link Negotiation.


@hidden0 wrote:

 

The only setting that jumps to mind that would prevent this outside of port configuration would be "Guest Mode" on the wireless network.

 

You can check for this setting in the Meraki Go app under Networks > [Network Name]. Be sure to set Guest Mode to off to allow traffic to pass between VLANs. 

 

If you still face problems after both of these steps, just let us know here or by opening a support case for our team to take a look.


The Guest network way will give me what I search regarding the wifi, but that I could do without buying any Meraki gear. I want to make this work with the Meraki equipment, wifi and ethernet.
Even Small businesses that is the target market for Meraki GO have needs for segmentation on the network, if the GX20 can't give that I think they have failed at their primary market.

If I need to buy a GS I will do so, but I just wanted to verify that you actually have to buy a GS to get vlan segmenting to work. OR if there was a way to do ut without spening even more money on another piece of hardware to be able to segment the network.

AnGr
Conversationalist

Are you looking for the ability to set a VLAN ID for an ethernet port on the GX20? I think you can find it by clicking the port (or all ports), then the port you want to set, then the Settings button in the upper right corner of the screen?

 

My question, maybe related, is how do you assign a given Wi-Fi network SSID to a specific VLAN? I don't see an equivalent Settings option for my SSIDs.

AnGr
Conversationalist

Make sure you have the latest mobile app. iOS app release notes from 2 days ago includes VLAN stuff.

AnGr
Conversationalist

After adding 2 more Wi-Fi networks, I see vlan tagging in the advanced settings of my 3rd and 4th networks. My first 2 Wi-Fi networks do not present vlan tagging in advanced settings.

ErikWie
Conversationalist

@AnGr 

I got 3 wifi net.

Guest wifi, Home wifi, Work wifi

The Guest wifi is default config
Home wifi is default VLAN 1

Work wifi is VLAN 300

 

VLAN 1 has the default IP range 192.168.128.0/24
VLAN 300 has the ip range 192.168.129.0/24

I also have ethernet devices (not wifi) that need to be seperated aswell.

Devices on a VLAN should not be able to reach devices on another VLAN unless there si a firewall opening for it.
I am fully enabled to access all devices on both VLAN across.

That is the issue.

AnGr
Conversationalist

@ErikWie 

 

Your setup sounds very similar to mine. I’m upgrading from a UniFi system, which offers the ability to customize the firewall in many ways, but I don’t see those options in Go. While far more customizable, UniFi is frustrating for other reasons.


The vlan documentation may offer some guidance, but I can’t reliably get the vlan settings to show up for my networks. This might help if you can get it to display for you:

 

The GX LAN ports default to Trunk Mode with Allowed VLANs set to all. Once you have created this VLAN above, it will become available on the LAN ports for downstream devices to use (like your GR guest network).”

hidden0
Meraki Alumni (Retired)
Meraki Alumni (Retired)

I understand where you are coming from now, @AnGr. Let me see if I can provide a better answer given that information.

 

The Guest Mode toggle on any wifi network automatically creates layer 3 firewall rules that deny traffic to or from any private network address ranges such as 192.168.128.0/24, or 192.168.129.0/24. I would expect any devices connected to the guest network to be unable to communicate with each other (so long as Guest Mode is enabled).

 

The ability to define layer 3 firewall rules on the GX, now that VLANs can be managed on the hardware, is one of our upcoming feature releases. The approach will redefine our network creation flow, and allow you to Secure or Restrict a VLANs ability to communicate with other networks that are reachable via the GX. Do you see yourself needing to control what VLANs need access to which, or would a blanket "block all LAN access" policy (like Guest mode) do the trick?

ErikWie
Conversationalist


@hidden0 wrote:

I understand where you are coming from now, @AnGr. Let me see if I can provide a better answer given that information.

 

The Guest Mode toggle on any wifi network automatically creates layer 3 firewall rules that deny traffic to or from any private network address ranges such as 192.168.128.0/24, or 192.168.129.0/24. I would expect any devices connected to the guest network to be unable to communicate with each other (so long as Guest Mode is enabled).

 

The ability to define layer 3 firewall rules on the GX, now that VLANs can be managed on the hardware, is one of our upcoming feature releases. The approach will redefine our network creation flow, and allow you to Secure or Restrict a VLANs ability to communicate with other networks that are reachable via the GX. Do you see yourself needing to control what VLANs need access to which, or would a blanket "block all LAN access" policy (like Guest mode) do the trick?


@hidden0 

Creating a Wifi "home" at the default VLAN 1 and toggle a Guest mode on that Wifi will give me a result that is doing what I need for wifi. I can use the guest mode as "work" wifi.
Then noone on the home "wifi" should be able to reach the "work" wifi, but that still leaves me with the issue of VLAN segmenting on ethernet.

On the second part, a "block all LAN access" policy on port level will do the trick for my on my case, but for a small business aspect, not beeing able to have the ability to set exception rules, in a example, sending logs from one zone to a logserver in another zone while blocking all other traffic would not be good.

Is there a estimated time on possible feature release?
If I get a GS-110-8P will I then be able to isloate the VLANs and have an ability for exception rules?

hidden0
Meraki Alumni (Retired)
Meraki Alumni (Retired)

@ErikWie I stand corrected. The GX does not allow you to change the VLAN configuration on the local status page as the GS does. My apologies. 

 

The default configuration is definitely Trunk mode allowing all VLANs with a native VLAN set to 1. Any change to this setting will have to be made via the Meraki Go app.

popshellz
New here

Is there a date when layer 3 firewallwall rules creation will be enabled on the GX?.

 

 Theoretical use case:  I have a home network with GX as dhcp server for 2 diff vlans  (home and IOT

)and GR in bridge mode  assigning vlan tags via ssid.

 

Globally, I would like neither vlan to be able to speak to each other but explicitly allow a single device in the HOME network to reach devices in the IOT network only on a specific tcp port. 

 

In the future releases will meraki GX be able to have this functionality and when?

 

From what I understand ,current GX functionality allows traffic between vlans by default and the only other option is to enable guest mode which blocks traffic even between host in the same vlans. Correct me if I'm wrong  but neither function fully presents a solution to PCI concerns , shouldnt this have been a forethought when it comes to marketing a product to small businesses?...layer3/4 firewall manageability would be great

hidden0
Meraki Alumni (Retired)
Meraki Alumni (Retired)

Hey @popshellz!

 

We are working on an isolation feature which will automatically create L3 firewall rules on the GX. Similar to enabling guest mode on a wireless network, an option will be available to "Secure" a wired network (or a VLAN) on the GX. This will deny any traffic to/from the network in question to other networks routed by the GX. I don't have an ETA on this feature as of today, but it is on the way.

 

The granular permissions you seek beyond this automatic firewall creation are also being discussed but still have a lot of work to be done.

 

I know this isn't necessarily the answer you'd like to hear, but I did want to let you know we are aware of the need for this capability and it is certainly in the works.

DarklightRanger
Conversationalist

Hey @hidden0

 

Just came across this thread and would like to add a +1 for adding more granular inter-VLAN firewall rules as well. They would be useful in helping segment IoT networks in smart home/office configurations from the main user network.

 

I'd also like to see the ability to restrict outbound internet usage on an individual VLAN basis for the same reason of segmenting IoT traffic as much as possible.

CaptainMango
Conversationalist

Hi,

I also would like to add a +1 fore more granular VLAN firewall rules. I understand that the VLANs already can be "secured" at this point, I think however it would make sense to add the possibility to configure more specific rules (e.g. VLAN 1 can interact with 2 and 3 but 2 and 3 cant interact with each other). 

What I also would like to point out is, that there is already a feature to block specific devices from wireless networks. I really don't understand why this is not possible for wired networks as well.  

speakerfritz
A model citizen

I had a version of this problem

tried to use 2 ap’s as mesh gateways with the firewall.

 

didn’t work very well

 

with out a switch had to use NAT on AP’s

 

doable NATing turned one network into 2

 

bought the switch and put the APs in bridge mode

 

2 networks became one

 

all iswell

 

 

Get notified when there are additional replies to this discussion.