Recently inherited this network with no documentation and have no experience with Meraki or design VLANs prior to this, very limited networking experience (currently studying for my CCNA).
Currently we have an MX84 with a bunch of switches.
The first thing I noticed that seemed odd is that every single port on every single switch is set to trunk with all VLANs allowed and a native VLAN of 1.
I noted that our only defined VLAN for our primary LAN is ID: 10 (10.0.10.0/24). There are no static routes defined.
I tested out switching the port for my desk to an access port for VLAN 10, but this broke internet access.
If I change the access port to VLAN 1, I can access the internet and still ping devices on the 10.0.10.0/24 subnet.
Am I misunderstanding how this works or is something else misconfigured? Why do I need to have my access ports set to VLAN 1 when our subnet is defined on VLAN 10?
I'm also aware that using VLAN 1 is considered poor design, and would like to work towards implementing more segmentation in our network. Any thoughts on the design below would be appreciated - I'm unsure if I need to create new DHCP servers for each VLAN though or how to go about configuring DHCP in this scenario.
VLAN 90 - Management VLAN
Purpose: This VLAN will primarily be used to manage network infrastructure devices such as switches and access points - servers could also go here or be put on another dedicated VLAN.
MX IP (Gateway): 10.0.90.1
Switches IP Range: 10.0.90.2 to 10.0.90.10
Access Points IP Range: 10.0.90.10 to 10.0.90.20
VLAN 84 - MX84 Appliance VLAN
Purpose: A dedicated VLAN for the MX84 appliance to isolate it and secure the network management traffic.
MX IP (Gateway): 10.0.84.1
MX84 Appliance IP: 10.0.84.2
VLAN 30 - General Devices VLAN
Purpose: This VLAN will host general devices such as computers, printers, and other user-end devices.
MX IP (Gateway): 10.0.30.1
Reservations: 10.0.30.2 to 10.0.30.10 (for printers and other user-end devices.)
DHCP Pool: 10.0.30.10 to 10.0.30.254 (will be assigned dynamically to computers, phones etc.)
The reason for the original behaviour you saw is because the ports on the MX are configured for Trunk Native VLAN 10 and Access VLAN 10 (for your environment with only the one VLAN, they are pretty much the same thing). Your computer is on the default VLAN (VLAN 1) until it hits the MX at which it is placed onto VLAN 10. When changing the switchport to VLAN 10, you mess up the tagging flow and your traffic is dropped.
VLAN segmentation is definitely the way to go.
What you've got above is a good start.
My suggestions would be:
- Keep the Management VLAN and corporate devices VLAN. I personally don't see a need for the "MX84 Appliance VLAN) - Segment the printers and other devices to a different VLAN if possible.
- Remove the native VLAN on the MX ports and set the VLAN on the switch access ports instead
When making changes like this, ensure you have a decent maintenance window and have someone on-site who can connect locally to the devices should they accidentally go offline from the dashboard. For example, depending on the existing config, it's very easy to take the switch offline when changing the config on the MX.
The MX LAN port connecting to the switch should be a trunk port. The native vlan will typically be either the management vlan of the switch (if you haven't configured the management vlan in the switch configuration), an unused VLAN, or none.