Educate me on Meraki Management VLANs please. This is confusing.

misterguitar

Ok. Confession. I am a CCNP-level professional in regard to Cisco Catalyst switches. And my experiences with Meraki so far have left me a bit frustrated in that it seems like it takes me even longer to do things than with the IOS CLI. But my clients all seem to be moving in this direction so I'm stuck with it. I'm trying to have a good attitude about this. I really am lol

How does this management VLAN thing work? On a Catalyst switch, any SVI or routed port can be used as a management interface, unless one is specifically specified.

My confusion is this. On a Meraki MS-390 I have tried making the management interface a specific VLAN (VLAN 2009) and pulling the IP using DHCP.

I already dealt with the insane 1-1000 VLAN thing.

The uplink is going to a trunk on a Catalyst switch. Configuration on both sides is

802.1Q trunk
Allowed VLANs are 1,105,2000-2099
Native VLAN is 1

If I configure the switch to have a management VLAN of 2009 with DHCP, it fails and the switch reverts to getting a DHCP IP from VLAN 1.

Does Meraki require the management VLAN to be untagged? The documentation doesn't seem to indicate this.

MarcP

Yes, your switch's management VLAN needs to be the native VLAN:

Example, VLAN 31:

[screenshot: example with VLAN 31]

Like for access points in the Cisco classic world. As far as I remember you needed to configure the AP's management VLAN as the native VLAN + the allowed VLANs.


DarrenOC

Hang in there @misterguitar . We’re a company of hardcore CLI junkies and yes it’s frustrating at times as you can’t get under the hood. But believe in the Meraki magic.  One thing you’ll need to learn is patience.  

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
ww

Does the dhcp server not receive a discover?

If you change it to VLAN 2009, does it send DHCP Discovers on the uplink of the switch with that VLAN tag 2009? (If you look at a packet capture.)

Assigning a static ip in vlan 2009 also does not work?
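The packet capture ww asks about is the decisive check. The following is an added example (mine, not code from this thread or from Meraki) that decodes raw Ethernet frames from such a capture: it reads the 802.1Q tag if one is present and flags DHCP Discovers, so you can see whether the switch is sending its Discover tagged 2009 or untagged on the native VLAN. The frames it parses are constructed inline rather than captured; `build_discover`, `parse_frame` and `discover_vlans` are my names, and the MAC address is made up.

```python
"""Decode Ethernet frames, extract the 802.1Q VLAN tag (if any) and report
whether each frame is a DHCP Discover. Added example; the frames below are
constructed in build_discover(), not captured from a real switch."""
import struct
from dataclasses import dataclass
from typing import List, Optional

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
DHCP_MAGIC = b"\x63\x82\x53\x63"
DHCP_DISCOVER = 1


@dataclass
class FrameInfo:
    src_mac: str
    vlan: Optional[int]          # None = untagged (native VLAN on a trunk)
    is_dhcp_discover: bool


def _dhcp_message_type(options: bytes) -> Optional[int]:
    """Walk the DHCP options (after the magic cookie) and return option 53."""
    i = 0
    while i < len(options):
        code = options[i]
        if code == 0:            # pad
            i += 1
            continue
        if code == 255:          # end of options
            break
        length = options[i + 1]
        if code == 53 and length == 1:
            return options[i + 2]
        i += 2 + length
    return None


def parse_frame(frame: bytes) -> FrameInfo:
    """Parse Ethernet [+ 802.1Q] + IPv4 + UDP + BOOTP/DHCP (no checksum checks)."""
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    offset, vlan = 14, None
    if ethertype == ETHERTYPE_VLAN:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan = tci & 0x0FFF      # low 12 bits of the TCI are the VLAN ID
        offset = 18
    discover = False
    if ethertype == ETHERTYPE_IPV4:
        ihl = (frame[offset] & 0x0F) * 4
        if frame[offset + 9] == IPPROTO_UDP:
            udp = offset + ihl
            sport, dport = struct.unpack("!HH", frame[udp:udp + 4])
            if sport == 68 and dport == 67:            # client -> server
                bootp = udp + 8
                options = frame[bootp + 236:]          # after fixed BOOTP header
                if frame[bootp] == 1 and options[:4] == DHCP_MAGIC:
                    discover = _dhcp_message_type(options[4:]) == DHCP_DISCOVER
    return FrameInfo(src.hex(":"), vlan, discover)


def discover_vlans(frames: List[bytes]) -> List[Optional[int]]:
    """VLAN tag of every DHCP Discover in a capture, in capture order."""
    return [f.vlan for f in map(parse_frame, frames) if f.is_dhcp_discover]


def build_discover(src_mac: bytes, vlan: Optional[int]) -> bytes:
    """Constructed DHCP Discover (checksums left at zero) for exercising the parser."""
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        1, 1, 6, 0, 0x3903F326, 0, 0x8000,      # op=1 BOOTREQUEST, broadcast flag
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                        src_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    payload = bootp + DHCP_MAGIC + bytes([53, 1, DHCP_DISCOVER, 255])
    udp = struct.pack("!HHHH", 68, 67, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64,
                     IPPROTO_UDP, 0, b"\0" * 4, b"\xff" * 4) + udp
    eth = b"\xff" * 6 + src_mac
    if vlan is None:                                   # untagged frame
        return eth + struct.pack("!H", ETHERTYPE_IPV4) + ip
    return eth + struct.pack("!HHH", ETHERTYPE_VLAN, vlan & 0x0FFF, ETHERTYPE_IPV4) + ip


if __name__ == "__main__":
    mac = bytes.fromhex("e0cbbc000001")     # constructed MAC, not a real device
    capture = [build_discover(mac, 2009), build_discover(mac, None)]
    for info in map(parse_frame, capture):
        print(info)
    print("Discovers seen on VLANs:", discover_vlans(capture))
```

An untagged Discover (`vlan=None`) lands in the Catalyst's native VLAN, a tagged one in VLAN 2009. Seeing only untagged Discovers after setting the management VLAN to 2009 is exactly the symptom in the original post, and tells you the setting never took effect on the switch.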

misterguitar

I am doing some more investigation based on the messages now. Will post soon once I have better information. I did get this from Meraki support....


Thank you for contacting Cisco Meraki Technical Support. My name is xxxxx and I am happy to help. Looking at your Switch > Configure > Settings page, I am seeing that the management VLAN is configured to be VLAN 1, not VLAN 2009. If the MS is configured to retrieve IP information from DHCP, it would pull DHCP from the Native VLAN, in this case VLAN 1, not VLAN 2009. If you change the management VLAN and the switch can no longer obtain a DHCP lease or reach Meraki Dashboard, the switch will revert to its previous management VLAN configuration.

So the management VLAN HAS to be an untagged vlan on the uplink?

There are two places to set this, it would seem, in the dashboard. In the LAN IP section of the switch, and under "Configure: Switch settings."

Are these both the same setting?

MarcP

As mentioned in my previous post, go to your switches and select it. Then you see the settings on the left side.

Or there is the possibility to do it on the local status page. Which does not make much sense 😉


And as also mentioned before: trust it and more important, patience... Which got me some grey hairs.

BrandonS

>One thing you’ll need to learn is patience.

+100 to that. Even after working with Meraki for years now I still go nuts waiting for devices to come online the first time. Especially when working with a tech on site remotely and trying to move quickly.

"OK, what do the lights look like now?", "Check the local status page again", "I think I saw something check in to the dashboard, but now it is gone again", "Maybe start looking for another patch cable", "Let's reboot the upstream devices"

Then 20 minutes later it is all up and working as expected.


- Ex community all-star (⌐⊙_⊙)
DarrenOC

😂 I’m glad others feel my pain.

Watching those flashing rainbow 🌈 lights waiting for the solid white is heart-stopping.

GIdenJoe

Hey @misterguitar

Contrary to what other people have said here.
The switch's management VLAN does NOT have to be the native VLAN!!

You only need to be aware that if you use a different VLAN for the native VLAN between switches, like an unused VLAN as Cisco best practices have always described, you could have an issue getting your switch online the first time if you haven't staged the switch first with the correct native VLAN.

Having said that, the MS390 does have some bugs still and could have some trouble.

Normally you should look at two areas.
First is the IP of the switch itself. If you are using a different management VLAN from the configured management VLAN (under Switch -> Switch settings, which defaults to 1) you have to put the actual VLAN number in the IP config, even if you are using DHCP.
Second, the trunk config on the uplink must of course match on both ends so you don't have any VLAN hopping.
Do mind that if you're not staging a switch then it defaults to native VLAN 1.


Usually I first configure the switch default management VLAN on the switch > switch settings page.  And then I still config it for each switch too.

Bruce

Just going to throw my two cents' worth in here too.

First, the best way I find to think of the Meraki management interface is as a virtual interface. The virtual management port is an access port that then connects via a virtual cable to a virtual port on the switch (which is an access port), and whatever you specify as the management VLAN is the VLAN assigned to that virtual access port on the switch, not how the virtual management interface is configured. (Now I re-read that I'm not sure if it will help or not...)

Second, as @GIdenJoe states, the management VLAN doesn't have to be the native VLAN. But it makes it significantly easier if the management VLAN matches the native VLAN on the uplink. Since the virtual port behaves as an access port the traffic is never tagged. It's only when management VLAN traffic exits the switch on a trunk that it is tagged, if that VLAN isn't the native VLAN. As everyone has said, using the native VLAN is easier as when a switch with no configuration first comes up it, well, has no configuration, so the traffic from the management port will always access the switch untagged. Likewise, if you move the switch to another network, if the management VLAN corresponds with the native on the uplink then it will more likely get a DHCP address (and thus retrieve its new configuration), even if the upstream port is configured as an access port, or is blocking certain VLANs.


Third, and completely unrelated to the management port. Remember that the MS390 runs a single instance MST, whereas a Catalyst switch will likely be running PVST+. This is just something to be aware of, and keep in mind if you appear to have STP issues.
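Bruce's "virtual access port" picture and GIdenJoe's staging/native VLAN caveat can be checked against a concrete trunk config with the following added example (mine, not Meraki's code and not from this thread). It applies the ordinary 802.1Q rules to the management frame: untagged out of the virtual access port, then untagged or tagged at the uplink depending on whether the management VLAN is the native VLAN, then classified by the Catalyst at the far end into its own native VLAN or the tag's VLAN. `Trunk`, `parse_allowed` and `trace_management_frame` are assumed names; the allowed-list syntax is the Catalyst one from the original post. It also covers a case the thread does not spell out, where the management VLAN is pruned from the trunk altogether.

```python
"""Model of how an MS management VLAN setting interacts with the uplink
trunk: which VLAN the switch's DHCP Discover leaves on, and which VLAN the
upstream Catalyst files it into. Added example using plain 802.1Q rules."""
from dataclasses import dataclass
from typing import FrozenSet


def parse_allowed(spec: str) -> FrozenSet[int]:
    """Expand a Catalyst-style allowed list such as "1,105,2000-2099"."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return frozenset(vlans)


@dataclass(frozen=True)
class Trunk:
    """One end of an 802.1Q trunk: its native VLAN and its allowed VLANs."""
    native: int
    allowed: FrozenSet[int]


def trace_management_frame(mgmt_vlan: int, ms_uplink: Trunk,
                           catalyst_port: Trunk) -> dict:
    """Follow one DHCP Discover from the MS management interface upstream.

    The management interface is a virtual access port in mgmt_vlan, so the
    frame is untagged until it reaches the uplink. On the trunk it leaves
    untagged if mgmt_vlan is the native VLAN, tagged otherwise, and not at
    all if the VLAN is not allowed. The Catalyst classifies an untagged
    frame into *its* native VLAN and a tagged frame into the tag's VLAN,
    provided that VLAN is allowed on its side.
    """
    if mgmt_vlan not in ms_uplink.allowed:
        on_wire, server_vlan = "pruned on MS uplink", None
    elif mgmt_vlan == ms_uplink.native:
        on_wire, server_vlan = "untagged", catalyst_port.native
    else:
        on_wire = f"tagged {mgmt_vlan}"
        server_vlan = mgmt_vlan if mgmt_vlan in catalyst_port.allowed else None
    return {
        "management_vlan": mgmt_vlan,
        "on_wire": on_wire,
        "server_vlan": server_vlan,          # VLAN the DHCP server sees it in
        "lands_in_management_vlan": server_vlan == mgmt_vlan,
    }


if __name__ == "__main__":
    # Trunk from the original post, identical on both ends.
    poster = Trunk(native=1, allowed=parse_allowed("1,105,2000-2099"))
    # Management VLAN 2009: leaves tagged 2009, Catalyst accepts it as 2009.
    print(trace_management_frame(2009, poster, poster))
    # Unstaged switch: management VLAN 1 on native VLAN 1, untagged, lands in 1.
    print(trace_management_frame(1, poster, poster))
    # Native VLAN mismatch: Catalyst uses an unused native VLAN 999 while the
    # unstaged MS still has native 1; the untagged Discover lands in VLAN 999.
    mismatched = Trunk(native=999, allowed=parse_allowed("1,999,2000-2099"))
    print(trace_management_frame(1, poster, mismatched))
```

The third scenario is the one GIdenJoe warns about: nothing is "blocked", the Discover simply arrives in a VLAN where no DHCP server is listening for the switch, so the switch never checks in until it is staged with the correct native VLAN.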

Aaron_Wilson

I echo pretty much what everyone has said. And as recently said, make sure you have the right VLAN set on the Meraki switch config even if using DHCP.

And welcome to the Meraki world. Just wait until you plug in an AP with no network access, it discovers a nearby open SSID, joins it, and accesses the internet this way! It's pretty freaky.....

misterguitar

Ok. So I did some experimenting yesterday. This is what I found, which I thought was odd.

I set the management IP in the IP settings for the switch. I configured it to DHCP and set the management VLAN to 2009. Saved the config and waited.

I got the error alert that the switch was DHCPing an address off VLAN 1 instead.

I then went into Switch/Configure: Settings and set the management VLAN to 2009. I thought it was odd the setting was not changed here in the UI as I had changed it under IP. Save, and wait, and like magic everything works correctly.

It appears to me that you have to set the management VLAN the same in 2 different places in the UI in order for it to work. To me this is confusing as heck and it does not say this anywhere in the documentation. I would consider this a flaw or bug.

Is there some reason for this? Anybody from Meraki care to comment on why this is? Or should I file a bug report?

MarcP

Sorry, I don't get what you mean by writing the two places where you configure VLAN 2009...


can you provide another explanation? Or pics?

Maybe my english is just too bad, sry.

I would like to understand all of this thread and maybe help...

misterguitar

[two screenshots]

MarcP

Ok, I have never ever changed the management VLAN under "Settings - Switch settings" O_o

Only like in my first post, LAN IP and uplink port config.


GIdenJoe

@misterguitar,

The VLAN setting in the Switch -> Switch settings screen is the default for all switches.

Then you can input it again per switch, which gives the option to override it per switch if you wanted.

However, with your upstream VLAN tagging on your uplink trunk you should not have gotten the warning when you only changed the VLAN setting on the switch itself.