Connection FW - SW - AP Meraki - Trunk o Access?

Carlos1
Comes here often

Hi Team
I'm reaching out to your expertise again. I have an unusual case, and I'm not sure if I'm doing something wrong or if I'm missing something.

 

My topology is simple: ISP <--MX <--MS <--MR
2 MX-67 devices
1 MS120-8P switch
2 MR36 access points (1 per mesh)

 

The connection on the MS120 is a breakout connection to the two MX devices.

I have one separate VLAN for internet traffic (VLAN 100) (no DHCP)
I have one management VLAN (VLAN 50) (no DHCP)
I have one VLAN for the SSID (VLAN 40) (with DHCP) on the firewall.

 

The problem is that when I put the access point in the trunk on native VLAN 50 (because it's the management network) and assign it a static IP address, it switches to DHCP mode on VLAN 40 and gets an IP address from that segment. The strange thing is that if I leave it on native VLAN 1, it doesn't get an IP address. It works, as shown in the image.

 


 

This is what I have applied in the firmware on that port.

 


 

This is the configuration I changed in the switch management; it was set to VLAN 1, and I changed it to VLAN 50.

 


 

This is the configuration with the SSID.

 


 

I would appreciate it if you could let me know if I'm doing something wrong in the configuration.

 

 

 

7 Replies
Mloraditch
Kind of a big deal

The management VLAN setting under switches is for Switches Only. APs management VLAN is specified either by the native vlan on the trunk OR by setting it in the IP Settings of the AP (works both static and DHCP).

 


 

 

If the native VLAN you provide the AP doesn't have DHCP, it will try to source an IP from any other VLAN it can see. If you set a static IP in another VLAN, once it gets online it will get its config and switch to the static IP.

While I generally recommend APs have DHCP for management, if you must use static IPs I'd set up a small pool on the VLAN to allow new devices to get online and then get their static configuration. Failing that, you can put them on a native VLAN that provides DHCP and then allow them to switch their management to your VLAN 50 once they download the config.

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
Carlos1
Comes here often

Hi @Mloraditch 

I understand the VLAN management for the switches.

Regarding the access points, they do have static IPs (screenshot attached), but the switch port is on native VLAN 1. Shouldn't it be native VLAN 50? My network is on VLAN 50 (192.168.50.x).

Is that a correct configuration?

 


 

Mloraditch
Kind of a big deal

What you have will work. You can either have them native on any VLAN but 50 with 50 specified in the IP settings, like you have, or you can make 50 the native VLAN and then leave the VLAN field blank in the IP settings.

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
Carlos1
Comes here often

So that's expected behavior; when I configured Catalyst switches it was different, that's why I was confused.

IvanJukic
Meraki Employee All-Star

Hi @Carlos1 ,

As you have tagged the SSID with VLAN 40, you'll need to set the switch port (connected to the AP) as trunk, as more than one VLAN is expected to ingress and egress. Also, as you have tagged the AP with VLAN 50, the switch port cannot be native VLAN 50, because it is expecting a Layer 2 frame with no VLAN_ID. As such, the switch will then assign a VLAN_ID of 50 to that frame.


Cheers,

Ivan Jukić,
Meraki APJC

If you found this post helpful, please give it kudos. If it solved your problem, click "accept as solution" so that others can benefit from it.
Carlos1
Comes here often

So this is normal behavior as configured on the switch? 

 

I mention this because on Catalyst 9200 switches I've configured a port where a Meraki AP connects like this:

 

interface GigabitEthernet1/0/20
 switchport mode trunk
 ! DD is the management VLAN; untagged frames on this port land in it
 switchport trunk native vlan DD
 ! the native VLAN must also be in the allowed list or untagged management traffic is dropped
 switchport trunk allowed vlan DD,10,20,30,40
 ! 10, 20, 30, 40 are the WiFi network VLANs

 

Where vlan DD is the management VLAN for the devices.

I was thinking of replicating this on a Meraki switch, considering the native VLAN as the management VLAN, but I think a Catalyst switch doesn't work the same way as a Meraki.

 

So, to conclude the discussion, I should configure the Meraki switch port in:

Trunk Mode
Native vlan 1
Allowed vlan XX, YY, ZZ

 

Correct?

 


 

IvanJukic
Meraki Employee All-Star

Yes. It's normal, expected behavior on any switch. Native VLAN mismatches will cause problems with DHCP and general communications. See the best practice guide below.

 

https://documentation.meraki.com/Platform_Management/Dashboard_Administration/Design_and_Configure/C...

 

 


Cheers,

Ivan Jukić,
Meraki APJC

If you found this post helpful, please give it kudos. If it solved your problem, click "accept as solution" so that others can benefit from it.
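The rules given in the replies above (AP management VLAN comes from the native VLAN unless a VLAN is set in the AP IP settings; SSID VLANs need a trunk that allows them; the AP must not tag the port's native VLAN) can be checked before a port and AP are pushed to the dashboard. This is an added example, not Meraki's or any poster's code; the VLAN numbers and addresses are constructed from this thread, and the payload field names follow the Dashboard API v1 as I recall them, so verify them against the API docs.

```python
from typing import Optional

def parse_allowed_vlans(spec: str) -> set:
    """Expand a Meraki allowedVlans string ('all', '1,40,50', '40-50') into a set of IDs."""
    if spec.strip().lower() == "all":
        return set(range(1, 4095))
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def check_ap_port(port_type: str, native_vlan: int, allowed: str,
                  ap_ip_vlan: Optional[int], mgmt_vlan: int, ssid_vlans: set) -> list:
    """Return a list of problems (empty list means the combination is consistent).
    ap_ip_vlan is the VLAN field in the AP's IP settings (None = left blank)."""
    problems = []
    if port_type != "trunk":
        problems.append("port must be a trunk: AP management plus tagged SSID VLANs")
    # AP management VLAN: the IP-settings VLAN if set, otherwise the port's native VLAN
    effective = ap_ip_vlan if ap_ip_vlan is not None else native_vlan
    if effective != mgmt_vlan:
        problems.append(f"AP management would land on VLAN {effective}, not {mgmt_vlan}")
    # a VLAN the AP tags must not also be the native (untagged) VLAN of the port
    if ap_ip_vlan is not None and ap_ip_vlan == native_vlan:
        problems.append(f"VLAN {native_vlan} is native on the port and tagged by the AP")
    # every tagged VLAN (SSIDs, and management if tagged) must be in the allowed list
    tagged = set(ssid_vlans) | ({ap_ip_vlan} if ap_ip_vlan is not None else set())
    for v in sorted(tagged - parse_allowed_vlans(allowed)):
        problems.append(f"VLAN {v} is not in the port's allowed list")
    return problems

def switch_port_payload(native_vlan: int, allowed: str) -> dict:
    """Body for PUT /devices/{serial}/switch/ports/{portId} (assumed field names)."""
    return {"type": "trunk", "vlan": native_vlan, "allowedVlans": allowed}

def ap_mgmt_payload(ip: str, mask: str, gw: str, vlan: Optional[int]) -> dict:
    """Body for PUT /devices/{serial}/managementInterface with a static AP address.
    Leave vlan None when the port's native VLAN already is the management VLAN."""
    wan1 = {"usingStaticIp": True, "staticIp": ip, "staticSubnetMask": mask,
            "staticGatewayIp": gw, "staticDns": [gw]}
    if vlan is not None:
        wan1["vlan"] = vlan
    return {"wan1": wan1}

if __name__ == "__main__":
    # constructed from the thread: trunk, native 1, SSID on 40, AP management tagged 50
    print(check_ap_port("trunk", 1, "1,40,50", 50, 50, {40}))   # []
    print(check_ap_port("trunk", 50, "1,40,50", 50, 50, {40}))  # native/tag clash
```

Both consistent layouts from the thread (native 1 with VLAN 50 in the AP IP settings, or native 50 with the field blank) return no problems; the combination that caused the question (native 50 and the AP also tagging 50) is flagged.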