
Removing Vlan 1

SOLVED
Conversationalist

Removing Vlan 1

Hello,

In my organization we use a best practice not to use vlan 1, but to create a suspended layer 2 vlan 999 and set it native on all trunks.

What is the best way to achieve this on a Meraki Switch?

1 ACCEPTED SOLUTION

Accepted Solutions
Getting noticed

Re: Removing Vlan 1

Just like you said, set your trunk with native VLAN 999 and allowed VLANs, the VLANs you need over the trunk.
Nothing different than on a Catalyst.

As an example, on my lab setup (here I'm using VLAN 32 as native, which is my management VLAN for Meraki; this makes it easier and quicker to add devices (yes I know, it's not secure to have your management network as native on uplinks with DHCP enabled 😉), but you get the idea)

 

meraki_uplink.JPG
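
Added example (not part of any post in this thread and not Meraki's code): a small audit of trunk ports against the policy discussed here, an unused native VLAN such as 999, no VLAN 1, and no management VLAN as native. The port records are constructed, and the field names `portId`, `type`, `vlan` and `allowedVlans` are assumed to follow the Meraki Dashboard API switch-port object, with `vlan` of `None` assumed to mean the native VLAN was left blank.

```python
# Added example: audit trunk ports for native-VLAN hygiene.
# Port records are constructed; field names (portId, type, vlan, allowedVlans)
# are assumed to follow the Meraki Dashboard API switch-port object.

def parse_allowed(spec):
    """Expand an allowed-VLAN string such as "10,20,30-32" into a set; "all" -> 1..4094."""
    if spec.strip().lower() == "all":
        return set(range(1, 4095))
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit_trunks(ports, unused_native=999, mgmt_vlan=None):
    """Return {portId: [findings]} for trunk ports that deviate from the policy."""
    report = {}
    for p in ports:
        if p.get("type") != "trunk":
            continue  # access ports are out of scope for this check
        findings = []
        native = p.get("vlan")  # assumption: None means native VLAN left blank
        allowed = parse_allowed(p.get("allowedVlans", "all"))
        if native is None:
            findings.append("no native VLAN set; confirm all traffic is tagged")
        elif native == 1:
            findings.append("native VLAN is 1")
        elif mgmt_vlan is not None and native == mgmt_vlan:
            findings.append("management VLAN is native on this trunk")
        elif native != unused_native:
            findings.append(f"native VLAN {native} is not the unused VLAN {unused_native}")
        if 1 in allowed and native != 1:
            findings.append("VLAN 1 is still allowed (tagged) on this trunk")
        if findings:
            report[p["portId"]] = findings
    return report

# Constructed sample data, not taken from any real network.
SAMPLE_PORTS = [
    {"portId": "1", "type": "trunk", "vlan": 999, "allowedVlans": "10,20,30-32"},
    {"portId": "2", "type": "trunk", "vlan": 1, "allowedVlans": "all"},
    {"portId": "3", "type": "trunk", "vlan": 32, "allowedVlans": "1,10,32"},
    {"portId": "4", "type": "trunk", "vlan": None, "allowedVlans": "10,20"},
    {"portId": "5", "type": "access", "vlan": 1, "allowedVlans": "all"},
]

if __name__ == "__main__":
    for port, issues in audit_trunks(SAMPLE_PORTS, mgmt_vlan=32).items():
        print(port, "; ".join(issues))
```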

6 REPLIES
Kind of a big deal

Re: Removing Vlan 1

@ToryDav Do you run everything on this single VLAN 999? If so set every port for access VLAN 999 rather than trunk. 

Meraki CMNO, Ruckus WISE, Sonicwall CSSA, Allied Telesis CASE & CAI

Building a reputation

Re: Removing Vlan 1

Yes it is a bit of a pickle.
On one hand you want to use an unused VLAN as native to prevent VLAN hopping but that VLAN does not allow for a new MS switch or a factory defaulted one to come online without manual intervention.

I'm not sure if Meraki does this, but does the switch, when trying to find its initial connection to the cloud, use something other than only native traffic? Like, does it try natively and then VLAN 1 tagged or not?

 

If it would, you could set VLAN 1 up as a severely limited staging VLAN that runs tagged on the trunks down from the distribution/core switches. By then setting the management VLAN to the definitive VLAN for management in the switch settings page, your switch would automatically switch over. But I think this is wishful thinking.

Getting noticed

Re: Removing Vlan 1

Hi,

 

For your trunk ports, I just leave the Native VLAN blank. 

2019-11-10 10_10_28-Switches - Meraki Dashboard.png

 

Is this OK or should I set a native VLAN?

Building a reputation

Re: Removing Vlan 1

Then traffic should all be tagged.

It would be a great idea, if that is indeed the case, to capture that traffic using another vendor's switch like a Catalyst, where you can use encapsulation replicate to see if the traffic is indeed tagged or not. On Windows PCs you do need to modify a registry key though.

Conversationalist

Re: Removing Vlan 1

Thanks everyone. I tore my network down to a single VLAN (1), and then established a single-VLAN flat network. Once everything came online successfully, I changed VLAN 1 on the MX to VLAN 10, changing the trunk to my MS to native VLAN 10, and native VLAN 10 on the trunk going to my MR. All LAN IPs set to DHCP and left the VLAN box empty. Went in the MS settings and overrode the management VLAN to 10. I gave it 10 minutes and came back and was successfully migrated off of VLAN 1 completely. I then built out VLANs for Data, IOT and Wireless clients, pulling all my devices off of the Management VLAN. I then used wireless VLAN tagging allowing IOT and Wireless, and forced all my devices onto the appropriate VLANs by using group policies. The home SSID is bridge mode with VLAN tagging.

Finally got this right. 

Cheers!


@GIdenJoe @chuyendang @Roger_Beurskens @BlakeRichardson 
