VLAN hygiene

RumorConsumer
Head in the Cloud


I was considering taking some advice I heard here and putting my switches on their own VLAN, and some other advice.

 

@PhilipDAth you commented on this thread: https://community.meraki.com/t5/Security-SD-WAN/Best-practices-for-native-VLAN-configuration/td-p/48... that the OP shouldn't really worry about all this. But say you are like me and have a relatively low-risk network (rural area, guest network, nobody unknown allowed onto bridge SSID, etc.), how would you arrange the VLANs?

Networking geek since high school where I got half of a CCNA. Played Marathon II and Infinity over localtalk.
Made many a network over the years, now de facto admin of a retreat center with some of this fine Meraki hardware.
Fortune 100 Tech veteran/refugee.
Aaron_Wilson
A model citizen

The nice thing about a mgmt vlan in large networks is you can reduce the number of vlans you trunk. For example, if you had a large deployment with dozens of data, voice and wireless vlans, you may not want to trunk every vlan everywhere.

Instead, you trunk just the required vlans to the physical switches, then add a single mgmt vlan. This accomplishes two things.

1) you can easily move a switch at any time and have mgmt access to it since the mgmt vlan is trunked everywhere

2) you can spin up/down the user vlans separate from the mgmt vlan. Handy if you need to do work on the vlan and don't want to kill the vlan the Meraki is on.

Yes, this is maybe the old way to do it and not required for the Meraki deployments, but it's still good practice and something to consider.
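The two rules in the reply above (trunk only the VLANs a switch needs, and carry the management VLAN on every trunk) can be checked against an inventory. This is an added example, not code from the thread or from Meraki; the switch names, the VLAN IDs, the management VLAN 99 and the inventory layout are all constructed assumptions.

```python
# Constructed inventory (assumption): one uplink trunk per switch, plus the
# VLANs its access ports actually use. Not pulled from any real device or API.
MGMT_VLAN = 99  # assumed management VLAN ID

SWITCHES = {
    "sw-lobby":   {"trunk_allowed": "10,20,99", "access_vlans": {10, 20}},
    "sw-kitchen": {"trunk_allowed": "1-4094",   "access_vlans": {10}},
    "sw-cabins":  {"trunk_allowed": "10,30-32", "access_vlans": {10, 30, 31, 32}},
}

def parse_vlans(spec):
    """Expand an allowed-VLAN string such as '10,30-32' or 'all' into a set."""
    spec = spec.strip().lower()
    if spec == "all":
        return set(range(1, 4095))
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"bad VLAN range: {part!r}")
        vlans.update(range(lo, hi + 1))
    return vlans

def audit(switches, mgmt_vlan):
    """Return {switch: [findings]} for the two trunking rules."""
    report = {}
    for name, sw in switches.items():
        allowed = parse_vlans(sw["trunk_allowed"])
        needed = set(sw["access_vlans"]) | {mgmt_vlan}
        findings = []
        if mgmt_vlan not in allowed:
            findings.append("mgmt VLAN missing from uplink trunk")
        missing = needed - allowed - {mgmt_vlan}
        if missing:
            findings.append(f"access VLANs not trunked: {sorted(missing)}")
        extra = allowed - needed
        if extra:
            findings.append(f"{len(extra)} unneeded VLANs trunked")
        report[name] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit(SWITCHES, MGMT_VLAN).items():
        print(name, "OK" if not findings else "; ".join(findings))
```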

PhilipDAth
Kind of a big deal

If you are not doing things like 802.1x I wouldn't bother with a management VLAN.  I prefer simplicity over complexity.

@PhilipDAth ditto. So leaving the VLAN situation more or less alone then? I don't use 802.1x. I just don't want to leave myself unnecessarily open to attack of some kind. It wouldn't come from within and all my switches (2 Mikrotik and 2 Netgear) are password protected. Just thinking if those switches should be on another VLAN or something. Precautionary only.

Networking geek since high school where I got half of a CCNA. Played Marathon II and Infinity over localtalk.
Made many a network over the years, now de facto admin of a retreat center with some of this fine Meraki hardware.
Fortune 100 Tech veteran/refugee.

I wouldn't personally move them.  Ultimately it is your choice.

I’m going w your advice. I’d prefer to keep my switches on the native default VLAN so I’m gonna do that. Thanks for the info and guidance as always, @PhilipDAth 

Networking geek since high school where I got half of a CCNA. Played Marathon II and Infinity over localtalk.
Made many a network over the years, now de facto admin of a retreat center with some of this fine Meraki hardware.
Fortune 100 Tech veteran/refugee.