Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Meraki switches and VLANs

Solved
Jimbo1
Here to help
‎Aug 17 2021 1:13 PM
‎Aug 17 2021 1:13 PM

Meraki switches and VLANs

 

I have to re-engineer a Meraki network that is running as a flat VLAN on VLAN 1. I want to introduce a number of VLANs so that I can allocate different users/devices to different VLANs to allow me to better secure the devices environment. Straight-forward so far. Now here's the catch: the available IP address space is very restricted, and my customer's ISP has said he can only give us a bunch of discontiguous /24 ranges.

 

If this was a standard Cisco switch, I would configure VLANs with SVIs that had secondary addresses....messy, but at least no server renumbering required, and I could use additional discontiguous subnets.

 

The Meraki switches (210/225s) don't allow the use of secondary addressing (do they?) so I can't use that solution even if I wanted to :). I could, of course, use several different VLANs each with its own subnet, which would work, but would be excessively messy and unmanageable.

 

I also have to consider that Meraki wireless APs are running on the LAN, so if I had a VLAN for upstairs and a VLAN for downstarirs, I would have to advertise different SSIDs connecting to different VLANs, thus destroying mobility

 

Has anyone successfully dealt with this kind of situation before? Or is it just me being blind to the obvious solution (that's quite likely!)

 

Thanks

JB

0 Kudos
Subscribe
1 Accepted Solution
In response to Jimbo1
cmr
Kind of a big deal
Kind of a big deal
‎Aug 18 2021 12:21 AM
‎Aug 18 2021 12:21 AM

@Jimbo1 unless you need direct access to the other academic sites, if you want more flexibility, use the 172 network internally and NAT it to the 10.0.0.0/21 network provided by them.

 

Otherwise you'll need to use their /21 provided, but could easily break it up into 6x /25 networks/VLANs if wished.

 

It really depends on how big a site you have, we provide a /16 (actually a /19 due to Meraki DHCP server restrictions) in the 172 range to our public users at each site...  

View solution in original post

0 Kudos
Subscribe
5 Replies 5
cmr
Kind of a big deal
Kind of a big deal
‎Aug 17 2021 2:25 PM
‎Aug 17 2021 2:25 PM

@Jimbo1 why do you need any address space from the ISP?  Most LANs these days run on private addressing (10.n.n.n, 172.n.n.n. or 192.168.n.n) and simply translate it when talking to the outside world.

 

I've not seen a LAN using public IP addresses in over 20 years!

Subscribe
In response to cmr
Bruce
Kind of a big deal
‎Aug 17 2021 2:37 PM
‎Aug 17 2021 2:37 PM

@Jimbo1, as @cmr stated, use the private IP address space for your network and then NAT/PAT to a single public IP address to access the rest of the world. I’d expect you have a security device on the end of the ISP link and that will most likely do the NAT/PAT. If you don’t have a device that can do NAT/PAT then I’d get one (like a Meraki MX appliance).

Subscribe
Jimbo1
Here to help
‎Aug 17 2021 11:30 PM
‎Aug 17 2021 11:30 PM

Sorry, I should have mentioned, this is the situation: the network is in an academic environment, and the "ISP" is a "specialist" academic services provider. They have provided an Internet link with a public outside address, and a very restricted inside subnet in the 10.0.0.0/8 range (its actually only a /21). As far as the network manager can tell me, they have shared the whole of the 10 network out across this and other academic sites, so they are limiting what they can/will provide to keep control of the address space. I'm still digging into the way this provider works, and have been trying to speak to them direct (rather than through my customer's representative) so I can find out wht is actually possible, but getting them to discuss things may be "interesting".

0 Kudos
Subscribe
In response to Jimbo1
cmr
Kind of a big deal
Kind of a big deal
‎Aug 18 2021 12:21 AM
‎Aug 18 2021 12:21 AM

@Jimbo1 unless you need direct access to the other academic sites, if you want more flexibility, use the 172 network internally and NAT it to the 10.0.0.0/21 network provided by them.

 

Otherwise you'll need to use their /21 provided, but could easily break it up into 6x /25 networks/VLANs if wished.

 

It really depends on how big a site you have, we provide a /16 (actually a /19 due to Meraki DHCP server restrictions) in the 172 range to our public users at each site...  

0 Kudos
Subscribe
In response to cmr
Jimbo1
Here to help
‎Aug 18 2021 12:26 AM
‎Aug 18 2021 12:26 AM

I hear what you are saying, and it makes sense....except if I NAT between a 10 address and a 172 address, I'll end up double NAT-ing, which I would like to avoid. I'll advise further after I've spoken with the supplier, but imposing another router/NAT in the path may be the only wy forward if they are unwilling/unable to give addresses 😞

0 Kudos
Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.