Best practices for small Meraki network
Hi everyone. In a few weeks I am going to be implementing some changes on our small school system's Meraki network. We have 5 school facilities networked together with Meraki switches and an MX at both our High School and Middle school. For starters, I am going to get Middle School vlan traffic off vlan 1 and make it a separate vlan, and then change the native vlan on all the switches at that school to match. Is it best practice to change management vlan to something besides 1 as well? If so, do I then need to go elsewhere in the Meraki dash and change other things? Lastly, do I need to create a separate "Management" vlan to tag on switches and access points? Thank you.
Hi @JMY34
These are worth a read if you haven’t already read them:
https://www.linkedin.com/in/darrenoconnor/
I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
Thanks! Will I have to add the management vlan to trunk ports on all my switches, or just specific ones? And last question, creating a vlan for management on my MX with the same number I set my management vlan in config is still necessary, correct?
Hi @JMY34, I’ve always used a non-routable VLAN as the Native VLAN, which I set across all uplink/trunked ports across the networks. I then define a Mgmt VLAN for device/dashboard mgmt.
Others will of course have their own opinion.
https://www.linkedin.com/in/darrenoconnor/
I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
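Added example, not part of the thread or of any Meraki tooling: a small pre-change audit that encodes the design described in the reply above (a dedicated non-routable native VLAN on every trunk, a separate routed management VLAN tagged on every trunk, and both ends of each uplink agreeing on the native VLAN). The VLAN table, switch names and port numbers are constructed; the `native_vlan`/`allowed_vlans` fields mirror the shape of a Meraki switch-port record, but the script runs offline and talks to no dashboard.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Vlan:
    vlan_id: int
    name: str
    gateway: Optional[str]  # None = no SVI / MX interface, i.e. non-routable


@dataclass(frozen=True)
class TrunkPort:
    switch: str
    port: str
    native_vlan: int
    allowed_vlans: str          # Meraki-style spec, e.g. "20,100" or "all"
    peer: tuple[str, str]       # (switch, port) at the far end of the uplink


def parse_allowed(spec: str) -> set[int]:
    """Expand an allowed-VLAN string such as '10,20,30-35' (or 'all')."""
    if spec.strip().lower() == "all":
        return set(range(1, 4095))
    ids: set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            ids.update(range(lo, hi + 1))
        else:
            ids.add(int(part))
    return ids


def audit(vlans, trunks, native_vlan, mgmt_vlan):
    """Return (code, location, detail) tuples for every deviation from the design."""
    findings = []
    by_id = {v.vlan_id: v for v in vlans}

    # Design-level checks: the native VLAN is dedicated and non-routable,
    # the management VLAN is routed (devices must still reach the dashboard).
    if native_vlan == 1:
        findings.append(("NATIVE_IS_1", "design", "native VLAN left at 1"))
    if native_vlan == mgmt_vlan:
        findings.append(("NATIVE_EQUALS_MGMT", "design", "native and management VLAN are the same"))
    native = by_id.get(native_vlan)
    if native is None:
        findings.append(("NATIVE_UNDEFINED", "design", f"VLAN {native_vlan} not in VLAN table"))
    elif native.gateway is not None:
        findings.append(("NATIVE_ROUTABLE", "design", f"VLAN {native_vlan} has gateway {native.gateway}"))
    mgmt = by_id.get(mgmt_vlan)
    if mgmt is None or mgmt.gateway is None:
        findings.append(("MGMT_NOT_ROUTABLE", "design", f"VLAN {mgmt_vlan} has no gateway"))

    # Per-trunk checks: one native VLAN everywhere, management VLAN tagged on
    # every trunk, and both ends of each uplink agreeing on the native VLAN.
    index = {(t.switch, t.port): t for t in trunks}
    for t in trunks:
        where = f"{t.switch}/{t.port}"
        if t.native_vlan != native_vlan:
            findings.append(("PORT_NATIVE_MISMATCH", where, f"native {t.native_vlan}, expected {native_vlan}"))
        if mgmt_vlan not in parse_allowed(t.allowed_vlans):
            findings.append(("MGMT_NOT_ALLOWED", where, f"VLAN {mgmt_vlan} not in '{t.allowed_vlans}'"))
        peer = index.get(t.peer)
        if peer is None:
            findings.append(("PEER_MISSING", where, f"no record for {t.peer[0]}/{t.peer[1]}"))
        elif peer.native_vlan != t.native_vlan:
            findings.append(("PEER_NATIVE_MISMATCH", where, f"peer native {peer.native_vlan} != {t.native_vlan}"))
    return findings


# Constructed inventory for one school: VLAN table plus the inter-switch trunks.
SAMPLE_VLANS = [
    Vlan(1, "default", "10.20.1.1"),
    Vlan(20, "ms-staff", "10.20.20.1"),
    Vlan(99, "native-unused", None),      # non-routable: no gateway anywhere
    Vlan(100, "mgmt", "10.20.100.1"),
]
SAMPLE_TRUNKS = [
    TrunkPort("MS-core", "49", 99, "20,100", ("MS-idf1", "49")),
    TrunkPort("MS-idf1", "49", 99, "20,100", ("MS-core", "49")),
    TrunkPort("MS-core", "50", 99, "20,100", ("MS-idf2", "49")),
    TrunkPort("MS-idf2", "49", 1, "20", ("MS-core", "50")),   # not yet migrated
]


def run_sample():
    return audit(SAMPLE_VLANS, SAMPLE_TRUNKS, native_vlan=99, mgmt_vlan=100)


if __name__ == "__main__":
    for code, where, detail in run_sample():
        print(f"{code:22} {where:12} {detail}")
```

Run against the sample, the one un-migrated switch (MS-idf2) is flagged three times (wrong native VLAN, management VLAN not carried, native mismatch with its peer) and the core port facing it is flagged once for the same mismatch; the fully migrated uplink produces nothing. The same function run with `native_vlan=1` reports that VLAN 1 is both still the native VLAN and routable, which is the condition the reply above is designed to avoid.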
Interesting! What makes a non-routable VLAN? And once I make an mgmt VLAN, do I need to set any ports/switches to use it? Or is it automatic. Thanks.
One VLAN without a default gateway.
Please, if this post was useful, leave your kudos and mark it as solved.
What advantage is there in doing it that way?
In my opinion it has no advantage; there are other, smarter ways to restrict access, such as restriction by ACLs, access policies via TACACS+, and a multitude of other ways.
In your case, I think you should hire a consultancy, since you don't have mastery of the technology.
Please, if this post was useful, leave your kudos and mark it as solved.
How is it smarter to add additional configuration when I can simply add a VLAN number as the Native? Job done, no further configuration required.
https://www.linkedin.com/in/darrenoconnor/
I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
Using a non-routable VLAN is not the best option; it won't improve your security. ACLs aren't a guarantee either, but at least you can make some restrictions.
What will guarantee the security of your network is a series of features. My favourite in particular is using authentication on the wired network, because at least that way you prevent anyone who connects a cable to your network from being able to use it.
Not even a firewall guarantees 100% security; it is enough for a user to access something improper for your entire network to be compromised.
So in my opinion, the more security features you use, the more restricted you can make your network.
Please, if this post was useful, leave your kudos and mark it as solved.
We have no more budget for the year, so we won't be hiring a consultancy. I have mastery of plenty of technology, just not networking yet, but that's going to change soon. Thanks for your help.
You answered all your questions.
Please, if this post was useful, leave your kudos and mark it as solved.