Best practice question about using consistent VLAN numbers

SOLVED
fdelapo-nh
Comes here often

We are moving to Meraki switches and wireless this year and we are starting to plan ahead for the change. We are a school district with multiple schools connected to our district office through MPLS connections. We currently use the same consistent VLAN numbering for all our sites. As we look at the centralized and consolidated dashboard Meraki provides, I am wondering if we can still do that - or if we need to set up individual VLAN numbering for each site? My question is really looking more for best practice recommendations, not workarounds.

 

For example, all our sites use VLAN 820 for staff wifi and VLAN 699 for guest wifi. At each site, these VLANs are set at the site's core switch and provide that site's device DHCP, IP range, gateway, and DNS info (which of course is different for each site). I suspect this can be set the same way in Meraki - but the "new" (to us) concept is that all these settings are set and managed from the Meraki dashboard. With the Meraki system, will using the same VLAN numbers across sites cause trouble for us?

 

Thanks, Frank

1 ACCEPTED SOLUTION
ww
Kind of a big deal

For example, you can make 1 organization with every school as a separate "network". You can use the same VLAN numbers for every school, no problem.

9 REPLIES 9
fdelapo-nh
Comes here often

Excellent! Thank you ww!
PhilipDAth
Kind of a big deal

Good news - you won't have any problems.

You can use the same VLAN numbering system as you do now.


One "gotcha" I will bring to your attention is that if you use Meraki group policies (such as for content filtering by the type of user connecting) effectively the clients need to be adjacent to the security appliances - which means the layer 3 gateways need to be on the MX units.

Things will still work fine using layer 3 switches, but you just lose some of the extra cool controls that are available.

Thank you Philip! Do Meraki group policies only work with the MX (firewall?) functionality? (Sorry if this is a noob question). I know we did not purchase the firewall feature set because we have a hardware firewall. Or is this part of Meraki console even without the firewall?
MRCUR
Kind of a big deal

Group policies work with MR and MX products. They're set at the network level (Network wide -> Group policies). You won't have any issues using them with just an MR network. 

MRCUR | CMNO #12
fdelapo-nh
Comes here often

Ok, good! Thank you for clarifying MRCUR! 🙂
MRCUR
Kind of a big deal

As @ww & @PhilipDAth mentioned, this will absolutely work. Since you are deploying MR wireless, I highly recommend using a network template and binding it to all of the MR networks (create one network per physical location!). I typically use Meraki group policies to assign the VLAN based on the user's AD group which impacts the RADIUS "filter ID" (this is what the Meraki group policies use). I use the same set of VLANs at each building without any problem.

MRCUR | CMNO #12
fdelapo-nh
Comes here often

Very cool, thank you MRCUR! This sounds incredibly flexible. Thanks!
Asavoy
Building a reputation

Just wanted to add my 2 cents in since I run the network for a school district currently.

 

If you don't need devices on the public Wi-Fi to access any file servers or printers, then you can simplify and get rid of VLAN 699. The MR access points allow you to differentiate Client IP assignment by SSID. My public SSID uses Meraki DHCP and my private SSID uses Local LAN DHCP. It's allowed me to simplify the VLANs while maintaining security, and that's always a great goal to have - simple and secure.
