Removing Vlan 1

Solved
ToryDav
Building a reputation

Hello,

In my organization, we use a best practice not to use VLAN 1, but to create a suspended layer 2 VLAN 999 and set it native on all trunks.

What is the best way to achieve this on a Meraki Switch?

1 Accepted Solution
Roger_Beurskens
Building a reputation

Just like you said, set your trunk with native VLAN 999 and allowed VLANs, the VLANs you need over the trunk.
Nothing different than on a Catalyst.

As an example, on my lab setup (here I'm using VLAN 32 as native, which is my management VLAN for Meraki; this makes it easier and quicker to add devices (yes, I know, it's not secure to have your management network as native on uplinks with DHCP enabled 😉), but you get the idea:

(screenshot attached: meraki_uplink.JPG)

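To check that trunks actually follow the "native VLAN 999, restricted allowed VLANs" rule from the accepted solution, here is an added audit script (not from the original post or from Meraki). It walks switch-port records and flags trunks whose native VLAN is not 999, or that still allow VLAN 1; the sample records are constructed, and the field names (`type`, `vlan` for the native VLAN, `allowedVlans` in `all` / `1,10-20` notation) are assumed to follow the Meraki Dashboard API switch-port object.

```python
"""Audit switch-port records for leftover VLAN 1 on trunk ports.

Constructed sample data; field names are assumed to mirror the Meraki
Dashboard API switch-port object (type, vlan = native VLAN, allowedVlans).
"""

NATIVE_VLAN = 999  # the suspended, otherwise unused native VLAN from the thread

# Constructed sample of what a per-device port listing might look like.
SAMPLE_PORTS = [
    {"portId": "1", "type": "trunk", "vlan": 1, "allowedVlans": "all"},
    {"portId": "2", "type": "trunk", "vlan": 999, "allowedVlans": "10,20-30"},
    {"portId": "3", "type": "trunk", "vlan": 999, "allowedVlans": "1,10"},
    {"portId": "4", "type": "access", "vlan": 10, "allowedVlans": "all"},
    {"portId": "5", "type": "trunk", "vlan": None, "allowedVlans": "10"},
]


def parse_allowed_vlans(spec):
    """Expand 'all' or '1,10-20' into a set of VLAN IDs; None means 'all'."""
    if spec is None or spec.strip().lower() == "all":
        return None
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return vlans


def audit_port(port, native=NATIVE_VLAN):
    """Return a list of findings for one port; an empty list means compliant."""
    findings = []
    if port.get("type") != "trunk":
        return findings  # access ports carry no native VLAN; only trunks matter here
    if port.get("vlan") != native:
        findings.append(f"native VLAN is {port.get('vlan')}, expected {native}")
    allowed = parse_allowed_vlans(port.get("allowedVlans"))
    if allowed is None:
        findings.append("allowed VLANs is 'all'; restrict to the VLANs this trunk needs")
    elif 1 in allowed:
        findings.append("VLAN 1 is still allowed on the trunk")
    return findings


def audit_ports(ports, native=NATIVE_VLAN):
    """Map portId -> findings for every non-compliant trunk port."""
    return {p["portId"]: f for p in ports if (f := audit_port(p, native))}
```

Remember the caveat raised later in the thread: a factory-default switch expects its uplink to work untagged, so run this after the switch has been adopted and its management VLAN moved, not before.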

6 Replies
BlakeRichardson
Kind of a big deal

@ToryDav Do you run everything on this single VLAN 999? If so, set every port to access VLAN 999 rather than trunk.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.

GIdenJoe
Kind of a big deal

Yes, it is a bit of a pickle.
On one hand you want to use an unused VLAN as native to prevent VLAN hopping, but that VLAN does not allow a new MS switch or a factory-defaulted one to come online without manual intervention.

I'm not sure if Meraki does this, but does the switch, when trying to find its initial connection to the cloud, use something other than only native traffic? Like, does it try natively and then VLAN 1 tagged, or not?

If it would, you could set VLAN 1 up as a severely limited staging VLAN that runs tagged on the trunks down from the distribution/core switches. By then setting the management VLAN to the definitive VLAN for management in the switch settings page, your switch would automatically switch over. But I think this is wishful thinking.

chuyendang
Getting noticed

Hi,

For your trunk ports, I just leave the Native VLAN blank.

(screenshot attached: 2019-11-10 10_10_28-Switches - Meraki Dashboard.png)

Is this OK or should I set a native VLAN?

GIdenJoe
Kind of a big deal

Then traffic should all be tagged.

It would be a great idea, if that is indeed the case, to capture that traffic using another vendor's switch like a Catalyst, where you can use encapsulation replicate to see if the traffic is indeed tagged or not. On Windows PCs you do need to modify a registry key though.

ToryDav
Building a reputation

Thanks everyone. I tore my network down to a single VLAN (1), and then established a single-VLAN flat network. Once everything came online successfully, I changed VLAN 1 on the MX to VLAN 10, changing the trunk to my MS to native VLAN 10, and native VLAN 10 on the trunk going to my MR. All LAN IPs were set to DHCP and I left the VLAN box empty. I went into the MS settings and overrode the management VLAN to 10. I gave it 10 minutes and came back, and it was successfully migrated off of VLAN 1 completely. I then built out VLANs for Data, IoT and Wireless clients, pulling all my devices off of the Management VLAN. I then used wireless VLAN tagging allowing IoT and Wireless, and forced all my devices onto the appropriate VLANs by using group policies. The home SSID is bridge mode with VLAN tagging.

Finally got this right.

Cheers!


@GIdenJoe @chuyendang @Roger_Beurskens @BlakeRichardson 
