VLAN Best practice

Roey1984
Building a reputation

Hey

 

We bought the MX75 for our new branch.

I want to understand what is recommended in terms of VLANs.

Our hardware is:

1 unit of Meraki MX75

2 units of Meraki MS120

4 units of Meraki MR44 access points.

 

Our company is SaaS-based (no internal servers at all) - all is in the cloud.

Our branch doesn't need a separate guest network - no guests.

50% of users work on laptops, and the rest on Workstations.

 

Is it recommended to configure 2 VLANs in the MX?

One for management with the rest of the Meraki devices (switches & APs)?

Second VLAN - for users.

Does that make sense?

Is it a must?

I guess it will require me to log in to each device (MS \ MR) via Dashboard and configure a static IP for them? Or will they get an IP from the range of the VLAN?

 

Any advice would be appreciated 

 

Thank you!

 

ww
Kind of a big deal

It's not a must, but recommended.

It's easy to configure on the Meraki dashboard, and DHCP is enabled for your VLANs. Then the switches and MRs can get DHCP addresses from the MX.

 

GIdenJoe
Kind of a big deal

Hey @Roey1984, if indeed you only have users of one type and the count of users is not too high (lower than 200), then your design makes perfect sense.

The main considerations are as follows:
1) If you have mainly north-south traffic (local to internet) and not too much traffic between VLANs, then it is easiest to directly terminate your VLANs on your MX.
2) It is always recommended to isolate your Meraki gear on separate VLANs. That makes firewall rules more consistent, or perhaps some other functions like using the management IPs of switches and APs on an authentication server or syslog server. Whether you throw your switches and access points in one VLAN or in separate VLANs is entirely up to your design. On a personal note: if I have a customer where I want to put APs and switches together, I usually use the lower IPs for the switches and start numbering APs from .100. Then I also reserve some space above .200 for DHCP space. Even if you use static IPs on your Meraki devices, it is always recommended to have a small DHCP pool so if you have a new device or factory defaulted a device it can reach the cloud on its own without your intervention to collect its configuration.
3) Usually switches get a fixed IP in my designs, but you don't have to log into each switch for that. If they reach the cloud through the DHCP server from the previous point, you can configure their fixed IP from dashboard or API. You can of course stick fully to DHCP, but that's entirely up to you.

I hope this helps.
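
The numbering convention from the reply above (switches on the low addresses, APs from .100, DHCP kept above .200), sketched as an added example that is not part of the original post. The subnet, the device names, the MX gateway at .1 and switches starting at .2 are assumptions made for illustration; the conflict check shows why the fixed addresses and the small DHCP pool must never overlap.

```python
import ipaddress

def management_plan(subnet, switches, aps, ap_start=100, dhcp_start=200):
    """Static/DHCP split for one management VLAN, following the reply above.

    Assumptions (not from the thread): the subnet is an IPv4 /24, the MX holds
    .1 as the VLAN gateway, and switch numbering starts at .2.
    """
    net = ipaddress.ip_network(subnet)
    if net.version != 4 or net.prefixlen != 24:
        raise ValueError("the .100/.200 convention assumes an IPv4 /24")
    if len(switches) > ap_start - 2:
        raise ValueError("too many switches for the range below .%d" % ap_start)
    if len(aps) > dhcp_start - ap_start:
        raise ValueError("too many APs for .%d-.%d" % (ap_start, dhcp_start - 1))
    base = net.network_address
    static = {name: base + 2 + i for i, name in enumerate(switches)}
    static.update({name: base + ap_start + i for i, name in enumerate(aps)})
    # Small pool kept so new or factory-reset devices can still reach the cloud.
    pool = (base + dhcp_start, base + 254)
    return {"gateway": base + 1, "static": static, "dhcp_pool": pool}

def conflicts(plan):
    """Names whose fixed IP hits the gateway, the DHCP pool, or another device."""
    lo, hi = plan["dhcp_pool"]
    seen, bad = set(), []
    for name, ip in plan["static"].items():
        if ip == plan["gateway"] or lo <= ip <= hi or ip in seen:
            bad.append(name)
        seen.add(ip)
    return bad

if __name__ == "__main__":
    # Constructed sample: device names and subnet are placeholders.
    plan = management_plan("192.168.128.0/24",
                           ["MS120-1", "MS120-2"],
                           ["MR44-1", "MR44-2", "MR44-3", "MR44-4"])
    for name, ip in plan["static"].items():
        print(f"{name:8} {ip}")
    print("DHCP pool:", "%s-%s" % plan["dhcp_pool"])
    print("conflicts:", conflicts(plan))
```
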

Roey1984
Building a reputation

Hey Joe

 

This is my first time configuring VLANs, and I want to be sure that my configuration is described correctly.

I drew something, can you have a look and tell me if it seems ok?

 

Moreover, do I need to configure VLAN 1 & 2 in both switches, or only in the MX?

I'm not sure that the cabling in the drawing is OK; if you are able to have a look, that would be awesome!

 

KarstenI
Kind of a big deal

Just to add to the other posts, I typically also have separate VLANs for printers, IoT and other “special” devices like door-systems and so on.

cmr
Kind of a big deal

I think there are a lot of options and seeing the above I'd agree with @KarstenI about separating different classes of devices into individual VLANs.  As mentioned: Management, Endpoints, printers, telephony, CCTV etc.  If you only have endpoints and printers then 3 VLANs should do.

 

On the subject of static vs DHCP, we are moving towards DHCP for everything that we can; modern SIEM solutions don't need devices to have a static IP and most cloud services certainly aren't going to care!

Roey1984
Building a reputation

Hey cmr

thank you for your answer

 

As I wrote to Joe, this is the first time I'm configuring VLANs, but I'm not sure that my configuration is correct.

What do you think?

I wrote 3 questions on the side of the drawing, and I'm not sure that the cabling in the drawing is OK.

My goal is to learn as much as I can in order to be proficient in Meraki devices!

cmr
Kind of a big deal

@Roey1984 your setup is just about right, my comments would be:

 

  • Spread the APs between the switches so that when one reboots, you only lose half
  • You don't need to create VLANs on Meraki switches, they are already there.  You only need to create VLAN interfaces, but in your case those are on the MX75, so nothing needed.
  • With regard to the second MX link, I'm actually not sure.  One of the three switch links will go into a spanning tree blocking mode so that you don't have a loop; hopefully it will either be the link you pointed to, or the other direct link to the MX, but there is a possibility of it being the aggregated link. We only multi-link physically stacked switches to MXs, so we haven't experience of your exact configuration.

Roey1984
Building a reputation

Thank you CMR for your answer!

I'm still not sure regarding the link that is connected to the bottom MS switch.

We'll have to keep on asking.

Thanks again

 
