Linking two MS switches across a network that can ONLY carry tagged VLAN traffic

Solved
edefosse
Conversationalist


Hello,

 

We just opened up a new satellite campus and contracted for dedicated/private fiber service between the new campus and the old main one. The fiber service can ONLY carry tagged VLAN traffic.

 

In the main campus we have the fiber service connected to an MS switch port set up as a Trunk.

In the satellite campus we have the fiber service connected to an MS switch port set up as Trunk as well.

When the satellite campus switch boots it can't establish a connection over the Native VLAN 1 and then proceeds to connect via VLAN 2 (which we also have set up at the main campus).  As a result, I get a warning in the Meraki console that the switch is not operating under the standard management VLAN which is the Native VLAN 1.

 

What is the best practice for setting things up given my constraint that I can only pass tagged traffic over the fiber connection?  Should I move all MS switches to another Management VLAN?

 

Related to this, we have MR wireless access points at the satellite campus that will also want to use Native VLAN 1 as their management VLAN.  Should those be set to a different VLAN for management as well?

 

Any advice would be helpful.

 

Thank you,

 

Erin

1 Accepted Solution
GIdenJoe
Kind of a big deal

Why not change the native VLANs on your trunks?  Or even leave native blank, then all VLANs are tagged across.

I myself always use VLAN 99 as the native VLAN between switches, and use the management VLAN as the native VLAN between switches and APs/MXes.

8 Replies
Asavoy
Building a reputation

Just speaking from a security standpoint, you should never use VLAN 1 as the native/management VLAN.

ww
Kind of a big deal

Choose another management VLAN. You can set it at Switch > Switch settings.

Set the management VLAN also as the native VLAN on the port connecting to the MR. Then you don't need to set the VLAN in the MR management IP setting.

edefosse
Conversationalist

Thanks, super helpful! Would the port connected to the MR be set as a Trunk port (with the native VLAN being the management VLAN)?

 

Also, I have an SSID that currently is not associated with a VLAN other than the Native VLAN 1. Would you recommend that I change that and ensure that all SSIDs are associated with a specific VLAN ID other than Native VLAN 1?

 

Thanks!

Asavoy
Building a reputation

@edefosse - I wouldn't think that you needed to trunk the port connected to the WAP. It can remain an access port with only the single VLAN tagged. The MR shouldn't need a VLAN set on it, as it should use whatever is set on the port it's connected to. In fact, you may run into more problems by trying to set the VLAN on the WAP interface. However, if you're using VLAN tagging on the SSIDs, then yes you should trunk the port.

 

If you have any managed switches downstream of the MS, just make sure you change their native VLAN first, otherwise you'll probably have to physically connect to them to make the change. I like simplicity in my network design so I have zero trunk ports downstream of my MS edge switches. I do only have one SSID in bridge mode and a public one using Meraki DHCP.

 

A good practice to use on the MS, depending on available ports, is to make the VLAN changes to a different port than your current uplink. Then move the uplink to that port. That way, if something doesn't work properly, you can switch back and make further changes as needed. The local interface page for the MS is... severely lacking, to put it kindly.

edefosse
Conversationalist

I see. Here is my specific situation:

 

MR unit broadcasts two SSIDs:

SSID A is not associated with a VLAN

SSID B is associated with VLAN 2

 

Should I set the port on the MS to Trunk with Native VLAN = the Management VLAN and allow all other VLANs, or should I set it to an Access port for the Management VLAN?

 

Thanks again!

PhilipDAth
Kind of a big deal

A super easy way to handle this is to configure an invalid, unused VLAN as the native VLAN on the port on each MS at each end of the link. Change nothing else.

 

Because that VLAN is not used in the network, it will cause every frame to be tagged.
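The reasoning in the accepted answer (leave the native VLAN blank or pick an unused one) and in the reply above (an unused native VLAN means every frame is tagged) comes down to how an 802.1Q trunk treats its native VLAN: frames on the native VLAN leave the port untagged, and a transport that only forwards tagged frames drops them. The following Python model is an added example, not code from the thread or from Meraki; the MAC addresses and payload are constructed, and the `TrunkPort` and `tagged_only_transport` classes are a simplified stand-in for the real switch and fiber service, not their actual behaviour. It reproduces the original symptom (native VLAN 1 in use, management on VLAN 1 fails while VLAN 2 works) and shows both fixes, plus a pre-change check a practitioner can run against the VLANs they actually use.

```python
from dataclasses import dataclass
from typing import Optional

TPID_8021Q = 0x8100      # EtherType value that marks an 802.1Q tag at offset 12
ETHERTYPE_IPV4 = 0x0800

# Constructed sample MAC addresses for the two switch ports (not from the thread).
MAC_MAIN = bytes.fromhex("0200000000a1")
MAC_SAT = bytes.fromhex("0200000000b2")


def build_frame(dst: bytes, src: bytes, payload: bytes, vlan: Optional[int] = None) -> bytes:
    """Build an Ethernet II frame; insert an 802.1Q tag only when vlan is given."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    header = dst + src
    if vlan is not None:
        if not 1 <= vlan <= 4094:
            raise ValueError("VLAN ID must be 1..4094")
        tci = vlan & 0x0FFF  # PCP=0, DEI=0, 12-bit VID
        header += TPID_8021Q.to_bytes(2, "big") + tci.to_bytes(2, "big")
    return header + ETHERTYPE_IPV4.to_bytes(2, "big") + payload


def tagged_vlan(frame: bytes) -> Optional[int]:
    """Return the VID from the frame's 802.1Q tag, or None if the frame is untagged."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    if int.from_bytes(frame[12:14], "big") != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    return int.from_bytes(frame[14:16], "big") & 0x0FFF


@dataclass
class TrunkPort:
    """Simplified trunk port model; native_vlan=None models a blank native VLAN."""
    native_vlan: Optional[int]

    def egress(self, vlan: int, payload: bytes, dst: bytes, src: bytes) -> bytes:
        # The native VLAN leaves the port untagged; every other VLAN is tagged.
        if vlan == self.native_vlan:
            return build_frame(dst, src, payload)
        return build_frame(dst, src, payload, vlan)

    def ingress(self, frame: bytes) -> Optional[int]:
        # Tagged frames carry their VLAN; untagged frames map to the native VLAN
        # (or to nothing at all when no native VLAN is configured).
        vid = tagged_vlan(frame)
        return vid if vid is not None else self.native_vlan


def tagged_only_transport(frame: bytes) -> Optional[bytes]:
    """The fiber service from the thread: forwards tagged frames, drops untagged ones."""
    return frame if tagged_vlan(frame) is not None else None


def simulate_link(native_vlan: Optional[int], vlans: list[int]) -> dict[int, bool]:
    """For each VLAN, does a frame sent from main arrive at the satellite on that VLAN?"""
    main = TrunkPort(native_vlan)
    satellite = TrunkPort(native_vlan)  # both ends configured the same way
    reachable = {}
    for vlan in vlans:
        frame = main.egress(vlan, b"mgmt-traffic", MAC_SAT, MAC_MAIN)
        delivered = tagged_only_transport(frame)
        reachable[vlan] = delivered is not None and satellite.ingress(delivered) == vlan
    return reachable


def native_vlan_warnings(native_vlan: Optional[int], vlans_in_use: set[int]) -> list[str]:
    """Pre-change check: the native VLAN must be blank or a VLAN nothing on the link uses."""
    if native_vlan is None:
        return []
    warnings = []
    if native_vlan in vlans_in_use:
        warnings.append(f"VLAN {native_vlan} is in use but would cross the link untagged")
    if native_vlan == 1:
        warnings.append("VLAN 1 as native/management VLAN is discouraged")
    return warnings


if __name__ == "__main__":
    for native in (1, None, 99):
        print(f"native={native}: {simulate_link(native, [1, 2])} "
              f"warnings={native_vlan_warnings(native, {1, 2})}")
```

With `native=1` the model returns `{1: False, 2: True}`, which is exactly the boot behaviour described in the opening post; with the native VLAN blank (`None`) or set to an unused VLAN such as 99, both VLANs cross the link tagged and arrive intact.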

edefosse
Conversationalist

Didn't realize that the Native VLAN field could be left blank.  I did this and now everything seems to be working.  Thanks!
