Solved
@federicogalarza wrote:
I would like to know what are the best practices which you usually implement in the Meraki world.
Thanks!
Federico
The general rules I adhere to are:
- Tag all VLANs
- Set up a Management VLAN
- Set up an Isolated Guest VLAN (and SSID)
- Do not use the native LAN
- Create a faux VLAN for those cases where the configuration GUI requires a VLAN ID (make sure it goes nowhere)
- Explicitly declare the VLANs a given switch port should pass, avoid the all option on uplinks
- Make the firewall proscriptive rather than permissive.
There are some exceptions for certain network architectures, even so, they are usually very limited in scope. For example, at the moment we have a Meraki network within a third party network. The MX running the Meraki network has its WAN port on a native LAN that is connected to the LAN port of the external facing security appliance which uses PPPoE on its WAN uplink. This enables the dynamic external IP address supplied by the ISP to be passed to the MX and even to the Z3C connected to the MX.
It is simpler to set up than it is to write about it.
@uberseehandel
@PhilipDAth followup
As I am moving from the ALL VLANs allowed to specific tagging on all my switches, for the admin SSID, which I want to have access to all VLANs (I think?), if I have 4 VLANs, is this what this part of the access control panel should look like?
Followup 2 I may have answered my own question - Hmm actually all I care about on this network is it having access to the default VLAN so I can access all my wired infrastructure. So really I would only want that VLAN # under "All other APs", correct?
Followup 3 - and does it matter that the default VLAN is still VLAN ID 1 even though I changed the subnet? From your comments above you seem less vigilant about that and if its fine as is Id rather not change it.
As @PhilipDAth says leave VLAN 1, but don't use it. If something "odd" is going on, the odds are the perps will use VLAN 1 as an egress. Not using VAN 1 makes it easier to monitor attempts to penetrate the network.
Does this happen - yes. Does it all come from China - no.
@uberseehandel
@RumorConsumer wrote:@Uberseehandel but ok to have the switches hanging out on vlan 1, nothing more, yes?
It is more secure to avoid using VLAN 1 for anything. Put switches and APs on the Management VLAN, which most definitely should not be VLAN 1.
@uberseehandel
@Uberseehandel Ok. So then my question is, is it as simple as changing the VLAN ID here from 1 to some other number? And because its called Default, does that mean that all the switches recognize it as the Default VLAN? So lets say I change it to 8. I will need to add 8 to all my trunk ports on switches, but because its called Default does that mean that all my APs will automatically move to it? Thats what Im trying to figure out. VLAN 1 is just a number, but is the name Default the only thing that designated the default VLAN on a network?
Put another way, is there a way to leave my Default VLAN as 1, but then tell my switches and APs to live on another VLAN? I dont think I understand the distinction between the "default VLAN" and what makes my switches and APs fetch an IP from a particular VLAN/subnet combo.
I must have expressed myself poorly.
I always ensure that the options of ALL and DEFAULT are not used.
It doesn't matter what the default network is, avoid using it. The entire concept of a default value is insecure, inherently.
As far as the example you have given is concerned, I'd observe:
- Why call a VLAN Default (is it a mistake)?
- Why give the VLAN 192.168.3.0/24 an ID of 1?
You don't need a default VLAN. If you need to enter a VLAN value, when it is not required, use 101 (think about it).
Always reference VLANs explicitly, not generically. Refer to them by their unique VLAN ID. Individually declare the VLANs to be passed by a trunk port. Declare the specific VLAN ID on access ports.
@uberseehandel
The switches and APs are on the Management VLAN. They get their IP address from the Management VLAN DHCP server on the MX.
@uberseehandel
@Uberseehandel OK I think I figured it out. Tell me if I got this right. To make a management VLAN, Id create another VLAN (lets say VLAN 5), and then I would change this:
I would select VLAN 5 from the "native VLAN" dropdown. This would tell anything connected at Layer 2 to join that VLAN. Then I would change ALL VLANs under "allowed" to the ones needed over each trunk port. I think thats the piece I was missing - to change the native VLAN on the wired ports.
What you are proposing looks very like what I have, so I suggest you proceed. Don't forget to explicitly declare the VLANs to be passed on the uplinks, and to pass the Management VLAN ID as well as the SSID VLAN IDs to the access points.
@uberseehandel
@federicogalarza wrote:
I would like to know what are the best practices which you usually implement in the Meraki world.
Thanks!
Federico
The general rules I adhere to are:
- Tag all VLANs
- Set up a Management VLAN
- Set up an Isolated Guest VLAN (and SSID)
- Do not use the native LAN
- Create a faux VLAN for those cases where the configuration GUI requires a VLAN ID (make sure it goes nowhere)
- Explicitly declare the VLANs a given switch port should pass, avoid the all option on uplinks
- Make the firewall proscriptive rather than permissive.
There are some exceptions for certain network architectures, even so, they are usually very limited in scope. For example, at the moment we have a Meraki network within a third party network. The MX running the Meraki network has its WAN port on a native LAN that is connected to the LAN port of the external facing security appliance which uses PPPoE on its WAN uplink. This enables the dynamic external IP address supplied by the ISP to be passed to the MX and even to the Z3C connected to the MX.
It is simpler to set up than it is to write about it.
@uberseehandel
Hello RumorConsumer,
I think what you were missing was the Management VLAN setting.... Navigate to Switch -> Switch Settings, at the top you define the Management VLAN. All your APs and Switches will try to grab an address from this VLAN.
@CharlesIsWorkin wrote:. . .
I was wondering if you would use your Management VLAN (changed from VLAN 1) as the native VLAN on Trunks for between switches?
Also, would you use the trunks native vlan to be the management vlan when connecting to a server with a virtual switch in it?
I believe it is more secure to avoid using a native VLAN on trunks and to explicitly list the VLAN traffic to be passed. In some instances, the software will require that a native VLAN be entered; if this occurs, then enter the VLAN ID of a non-existent VLAN. For fairly self-evident reasons I choose to use VLAN 101 (aka Room 101).
@uberseehandel
I do not add the native VLAN to anything. To do so risks giving spurious legitimacy to wild-weasel packets.
@uberseehandel
Ok, I can google it later. So if it is not the native VLAN that determines what subnet/IPs your switches and APs lease from, how do you determine what subnet they belong to?
A DHCP server is configured for each VLAN. Access ports (as opposed to Trunk ports) have a VLAN, a device connected to a port or a WiFi AP will be issued with an appropriate IP.
@uberseehandel
@RumorConsumer wrote:understood, but from what i understand you wont be using access ports to connect to switches and APs as they themselves will be carrying several VLANs. I thought they all should be trunk ports carrying all needed VLANs. Only supplying a switch with one VLAN seems antithetical to the notion.
Connections between
- gateways and switches
- switches and switches
- switches and Wi-Fi access points
are effected by using trunk ports, with no native VLAN and the VLANs required to be passed are explicitly declared. This is illustrated in my earlier post which included a screen shot of Switch Port The Gimp / 10
There is no point in only passing a single VLAN to a switch, because that VLAN would have to be the Management VLAN and non-management traffic would not pass.
Look more closely at all the screen shots I have posted you will see how this works.
@uberseehandel
