Meraki

Community

Issues implementing VLANs on MX84

agionet
Here to help
‎Sep 18 2023 9:26 PM
‎Sep 18 2023 9:26 PM

Issues implementing VLANs on MX84

Recently inherited this network with no documentation and have no experience with Meraki or design VLANs prior to this, very limited networking experience (currently studying for my CCNA).

Currently we have an MX84 with a bunch of switches. 

The first thing I noticed that seemed odd is that every single port on every single switch is set to trunk with all VLANs allowed and a native VLAN of 1. 

I noted that our only defined VLAN for our primary LAN is ID: 10 (10.0.10.0/24). There are no static routes defined.

agionet_0-1695096946482.png

 

I tested out switching the port for my desk to an access port for VLAN 10, but this broke internet access. 

If I change the access port to VLAN 1, I can access the internet and still ping devices on the 10.0.10.0/24 subnet. 

Am I misunderstanding how this works or is something else misconfigured? Why do I need to have my access ports set to VLAN 1 when our subnet is defined on VLAN 10?

I'm also aware that using VLAN 1 is considered poor design, and would like to work towards implementing more segmentation in our network. Any thoughts on the design below would be appreciated - I'm unsure if I need to create new DHCP servers for each VLAN though or how to go about configuring DHCP in this scenario.

Proposed changes:

VLAN 90 - Management VLAN
Purpose: This VLAN will primarily be used to manage network infrastructure devices such as switches and access points - servers could also go here or be put on another dedicated VLAN.
Details:
Subnet: 10.0.90.0/24
MX IP (Gateway): 10.0.90.1
Switches IP Range: 10.0.90.2 to 10.0.90.10
Access Points IP Range: 10.0.90.10 to 10.0.90.20


VLAN 84 - MX84 Appliance VLAN
Purpose: A dedicated VLAN for the MX84 appliance to isolate it and secure the network management traffic.
Details:
Subnet: 10.0.84.0/24
MX IP (Gateway): 10.0.84.1
MX84 Appliance IP: 10.0.84.2

VLAN 30 - General Devices VLAN
Purpose: This VLAN will host general devices such as computers, printers, and other user-end devices.
Details:
Subnet: 10.0.30.0/24
MX IP (Gateway): 10.0.30.1
Reservations: 10.0.30.2 to 10.0.30.10 (for printers and other user-end devices.)
DHCP Pool: 10.0.30.10 to 10.0.30.254 (will be assigned dynamically to computers, phones etc.)

 

0 Kudos
4 Replies 4
Brash
Kind of a big deal
Kind of a big deal
‎Sep 18 2023 10:11 PM
‎Sep 18 2023 10:11 PM

The reason for the original behaviour you saw is because the ports on the MX are configured for Trunk Native VLAN 10 and Access VLAN 10 (for your environment with only the one VLAN, they are pretty much the same thing).
Your computer is on the default VLAN (VLAN 1) until it hits the MX at which it is placed onto VLAN 10.
When changing the switchport to VLAN 10, you mess up the tagging flow and your traffic is dropped.

 

VLAN segmentation is definitely the way to go.

What you've got above is a good start.

My suggestions would be:

- Keep the Management VLAN and corporate devices VLAN. I personally don't see a need for the "MX84 Appliance VLAN)
- Segment the printers and other devices to a different VLAN if possible.

- Remove the native VLAN on the MX ports and set the VLAN on the switch access ports instead

 

When making changes like this, ensure you have a decent maintenance window and have someone on-site who can connect locally to the devices should they accidentally go offline from the dashboard. For example, depending on the existing config, it's very easy to take the switch offline when changing the config on the MX.

In response to Brash
agionet
Here to help
‎Sep 18 2023 10:48 PM
‎Sep 18 2023 10:48 PM

What should the configuration of the MX lan ports look like instead?

0 Kudos
In response to agionet
Jonathan_Galvez
Here to help
‎Sep 18 2023 11:35 PM
‎Sep 18 2023 11:35 PM

Hi, it depends on...
If a MS is connected on those LAN Ports I would definitely configure a Trunk Port (with Native: Management) instead an Access Port and allow all the VLANs there.

 

0 Kudos
In response to agionet
Brash
Kind of a big deal
Kind of a big deal
‎Sep 18 2023 11:47 PM
‎Sep 18 2023 11:47 PM

The MX LAN port connecting to the switch should be a trunk port. The native vlan will typically be either the management vlan of the switch (if you haven't configured the management vlan in the switch configuration), an unused VLAN, or none.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.