Certain SSID traffic VLAN tagged and going out to separate MX100
I have a question about a setup that I have been tasked with completing, and just wanted to run it by everyone and maybe get some insight as to how this should be configured. I am working on a project to send the traffic from our guest wireless out to a separate MX100 with a separate WAN connection.
Here is a description that I got from a cisco tech of what needs to be configured:
• ISP1 & 2 both come into the currently deployed HA MX pair.
• ISP3 will come into a new MX (new public IP address).
• New MX connects down to the core using a new VLAN (for example VLAN 500) and new private IP subnet.
• Wireless APs advertise a new SSID using bridge mode and VLAN tagging to put the SSID on VLAN 500.
• Intermediate switch ports/stacks are configured to trunk VLAN 500 up to the core switch.
• New MX is configured to run a DHCP server on VLAN 500.
• Clients that connect to the SSID on VLAN 500 will access the internet through the new MX and its public IP address.
• Clients on VLAN 500 won't be able to connect to any other VLANs unless static routes are added to each of the MX deployments.
I have the MX100 connected and added to my Meraki dashboard, with a subnet created with DHCP enabled for this VLAN. I do not have the MX connected to our current network yet. The network has the SSID created and is set to tag the clients as VLAN 500.
I am wondering about the connection between our current MS425 core stack and the MX100 that is being added. I want to send only VLAN 500 traffic out a port to this separate WAN connection. I am confused as to whether I should use a trunk port or an access port between these two devices, and whether I need to create an interface on the MS425 core stack or a separate static route.
Re: Certain SSID traffic VLAN tagged and going out to separate MX100
You can use either as long as the port on the MX matches the port on the switch.
I'd probably just make the switch port an access port in VLAN500. Then just configure the port on your MX as an access port in VLAN1.
If you configure trunk ports, note that both the native VLAN (usually VLAN1) and VLAN500 will be allowed through. You could change the native VLAN to 500 and only allow VLAN500, but that is pretty much an access port then.
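As an added illustration (not part of the thread, and not Meraki code), a small Python model of how 802.1Q frames cross the MS425-to-MX100 link under the port combinations discussed in the reply. It assumes a simplified port model (access ports drop tagged frames) and uses constructed VLAN numbers 1, 10 and 500 for the native, a corporate and the guest VLAN.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set

# Constructed, simplified 802.1Q port model; 0 stands for "untagged".
# Assumption: an access port silently drops tagged frames it receives.
@dataclass(frozen=True)
class Port:
    mode: str                            # "access" or "trunk"
    vlan: int                            # access VLAN, or native VLAN on a trunk
    allowed: Optional[Set[int]] = None   # trunk only; None means all VLANs

def egress(port: Port, vlan: int) -> Optional[int]:
    """How a frame in `vlan` leaves `port`: 0 untagged, N tagged N, None not sent."""
    if port.mode == "access":
        return 0 if vlan == port.vlan else None
    if port.allowed is not None and vlan not in port.allowed:
        return None
    return 0 if vlan == port.vlan else vlan

def ingress(port: Port, tag: int) -> Optional[int]:
    """VLAN that `port` assigns to a received frame carrying `tag` (0 = untagged)."""
    if tag == 0:
        return port.vlan
    if port.mode == "access":
        return None
    if port.allowed is not None and tag not in port.allowed:
        return None
    return tag

def forwarded(switch_port: Port, mx_port: Port, vlans: Iterable[int]) -> Dict[int, int]:
    """Map each switch-side VLAN to the VLAN the MX sees it on; omitted = blocked."""
    result: Dict[int, int] = {}
    for v in vlans:
        tag = egress(switch_port, v)
        if tag is None:
            continue
        seen = ingress(mx_port, tag)
        if seen is not None:
            result[v] = seen
    return result

CORE_VLANS = [1, 10, 500]   # constructed: native, a corporate VLAN, guest VLAN 500

# A: access port in VLAN 500 on the core, access port in VLAN 1 on the MX.
access_pair = forwarded(Port("access", 500), Port("access", 1), CORE_VLANS)
# B: default trunks on both ends (native VLAN 1, all VLANs allowed): everything leaks.
trunk_pair = forwarded(Port("trunk", 1), Port("trunk", 1), CORE_VLANS)
# C: trunk with native VLAN 500 and only 500 allowed behaves like the access port.
native500 = forwarded(Port("trunk", 500, {500}), Port("access", 1), CORE_VLANS)
```

Scenario A and C both deliver only VLAN 500 to the MX (on its own VLAN 1), while the default trunk pair also carries VLAN 1 and any other core VLAN across, which is the point the reply makes about trunk ports.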