Meraki

Community

Native VLAN - what settings should I be using?

IJ
Here to help
‎Nov 9 2023 7:19 AM
‎Nov 9 2023 7:19 AM

Native VLAN - what settings should I be using?

Hi, I am part of a small team that look after the technical support for a number of schools.  A local initiative has brought in money to replace the switches and wireless access points in a number of them (most of them currently running a mismatch of legacy equipment toggled together).  Two of the schools have already had their new installs - all Meraki MS switches and MR access points.
 
Our schools run two separate networks internally that don't see each other, which I'll call office and classroom.  On the older equipment we would VLAN them as 50 for the office network and 60 for the classroom (as per local council requirements).  Each network is fed a separate link to the outside world (50 is behind a authenticated proxy, 60 is filtered but straight out)  The new equipment is primarily to upgrade the classroom network, but if there are spare ports, we are hoping to use them to run the office network as well.
 
At the first school, the installers (as it's a contract we are not allowed to do it) left everything almost on default.   All ports were still set as trunk, and all were in still members of VLAN 1.  It works, but obviously I needed to get the correct VLANs set up.  The second school, we asked to have VLAN 60 set as the management VLAN from the off, so they put everything in VLAN 60, including making VLAN 60 the native VLAN.
 
In both schools, I've moved the internet link for the classroom network to a port I've configured in VLAN 60, changed the switch's VLAN to 60, and also changed the overall management VLAN to 60 (in switch settings  - VLAN configuration).  I then changed any edge ports to access ports in VLAN 60 (I've left the ports that the MR access ports use as trunk on VLAN 60, as I understand that allows us to add another SSID on another VLAN further down the line - but that's for another day).   I have also assigned a few spare ports to VLAN 50 for use by the office network when I feel confident in moving them across.
 
My sticking point is the trunk ports linking switches together.  Trying to follow tips on these forums about native VLAN best practices, in school A I have made the native VLAN on these to VLAN 777, which on purpose doesn't exist.  I put VLANs 50 and 60 as the only allowed VLANs across the links.   In school B, I removed the native VLAN altogether on the links, and again the only allowed VLANs across are 50 and 60.  Both seem to work - I can still manage the far switches on the ends of the trunks, and machines connected to them receive their data.  However, on this Meraki document I see the statement:
 
Note: Meraki management traffic destined for the Cloud is forwarded onto the wired network untagged. On an 802.1Q trunk, untagged traffic is placed on the native VLAN. The native VLAN should be the same for all interconnected switches and routers on the LAN and have a routing interface with a path to the Internet. 
 
Does that mean I should be using my internet facing VLAN of 50 as the native VLAN for all the trunk links?
 
I'm totally stuck as to which of these methods I should be using - could somebody shed some light?  Many thanks.
 
Labels:
0 Kudos
9 Replies 9
alemabrahao
Kind of a big deal
Kind of a big deal
‎Nov 9 2023 7:48 AM
‎Nov 9 2023 7:48 AM

The most common is for you to have a dedicated VLAN to manage, setting it as a native VLAN.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
In response to alemabrahao
IJ
Here to help
‎Nov 9 2023 7:59 AM
‎Nov 9 2023 7:59 AM

Many thanks for replying, the classroom network has internet access via VLAN 60, and so that is what I put in the switches as the management VLAN.  If I'm reading your response correctly, we'd need another separate VLAN hence another route out to the internet and use that for management?  I don't know how I'd get the local authority to provide us with another separate internet link just for that - probably a stupid question but is this what most setups have?  A separate internet connection just for management?  Thanks.

0 Kudos
In response to IJ
alemabrahao
Kind of a big deal
Kind of a big deal
‎Nov 9 2023 8:14 AM
‎Nov 9 2023 8:14 AM

You don't need a separate Internet for management. For good practice, the ideal is to have a distinct VLAN for Management to isolate traffic, but a dedicated internet link is not necessary for this.
 
As for whether most configurations are like this, I can say that it is relative, it depends on the size of the customer's network and the maturity of the network.
 
In projects where the client understands this, it is easier to implement, while in others they generally prefer to make the network as simple as possible.
I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
In response to alemabrahao
IJ
Here to help
‎Nov 9 2023 8:29 AM
‎Nov 9 2023 8:29 AM

Thanks again Alemabrahao, I'm showing my inexperience at this by asking, could you point me in the direction of how would I go about making this distinct VLAN for management, yet make it somehow get internet access (for the cloud management) from my only internet source, which is already in use by people whose machines are on VLAN 60?   I do appreciate your time.

0 Kudos
In response to IJ
Ryan_Miles
Meraki Employee
Meraki Employee
‎Nov 9 2023 8:56 AM
‎Nov 9 2023 8:56 AM

Think of the Switch mgmt IPs just like any client. They just need to be on a VLAN that can NAT out through your firewall to reach the internet/dashboard. Typical best practice is to use dedicated mgmt VLANs/subnets for infrastructure devices like Switches, AP, Cameras, etc. But they literally can be on any VLAN/subnet on your LAN as long as they can reach the internet.

 

For example in my network I use a unique VLAN for Switches, APs, Cameras. The mgmt VLAN for Switches is the native VLAN on my trunk ports. This allows the switch to grab a DHCP IP from the switch mgmt VLAN and this VLAN has proper firewall rules in place for it to talk to dashboard.

Ryan

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
In response to Ryan_Miles
IJ
Here to help
‎Nov 9 2023 9:32 AM
‎Nov 9 2023 9:32 AM

Hi Ryan,

 

I don't have much if any contact with the company who provide the internet links, I believe they would charge for any changes to the firewall like that, so I'm guessing that is not an option I can go for at the moment.  If that is the case, am I right in presuming I would have to use my only internet facing VLAN, 60 as the management VLAN, even though it is used by users too?  In this case, would you still recommend I also use this VLAN as the native VLAN - would this have any impact on the setup?  Sorry for all the questions.

0 Kudos
In response to IJ
IJ
Here to help
‎Nov 11 2023 2:42 PM
‎Nov 11 2023 2:42 PM

So, to clarify, would you recommend (presuming I can't get a new VLAN set up for management) that, in addition to having my management VLAN as 60 (my internet facing VLAN), would I also make the native VLAN on any trunks 60 also?  Thanks.

0 Kudos
kYutobi
Kind of a big deal
‎Nov 9 2023 7:54 AM
‎Nov 9 2023 7:54 AM

Like @alemabrahao mentioned. As you wanted to be safe and stray away from default VLAN1. You're basically telling config set default VLAN to (blank) "untagged traffic is placed on the native VLAN".

Enthusiast
In response to kYutobi
IJ
Here to help
‎Nov 9 2023 8:30 AM
‎Nov 9 2023 8:30 AM

Thanks kYutobi, so the notion of using (nothing) as the native VLAN is a bad idea?

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.