Configuration question with MX MS and MR

SOLVED
js7
Here to help


Take a look at the screenshot. I want to set up my MX to handle all the DHCP services. I am trying to figure out how to create the SSIDs on the MR to correspond to the VLAN created on the MX.

 

 

1 ACCEPTED SOLUTION
Ryan_Miles
Meraki Employee

That is tunneling the SSID to your MX. That is typically used for remote teleworker deployments where the AP is remote and tunnels over the internet back to the MX. I wouldn't use that mode in your topology.


13 REPLIES
Ryan_Miles
Meraki Employee

Make the port on the MX a trunk. Make the ports of the switch connected to the MX and the MRs trunks. Last, on the SSIDs use bridge mode and specify the tagged VLAN. That'll do it.

 

Here's an example of my SSID putting clients on VLAN 80.

[Screenshot: Screen Shot 2021-11-27 at 8.32.28 PM.png]

js7
Here to help

I actually got it to work a different way before I saw your post. I want to decrease the size of my broadcast domain, and increase security. So if I choose the L3 roaming with a concentrator, doesn't that do what I need it to do?

 

 

Ryan_Miles
Meraki Employee

That is tunneling the SSID to your MX. That is typically used for remote teleworker deployments where the AP is remote and tunnels over the internet back to the MX. I wouldn't use that mode in your topology.

js7
Here to help

Also, take a look at this screenshot of my MX. It says Native VLAN is 120, why can't it be 160?

 

 

ww
Kind of a big deal

You can edit that port and choose the native VLAN. Also change it on the switch side to the same VLAN.

js7
Here to help

Another question is that I can't seem to ping any of my MX IPs from the 140 VLAN wirelessly... Perhaps something needs to be configured on the switch?

js7
Here to help

I was able to update my native VLAN to the choice of my choosing being 160. I was able to change the SSID traffic to go via bridge using a VLAN ID, instead of the L3 roaming option.

 

However, I still can't ping any of the gateways of the VLANs. Thoughts?

Ryan_Miles
Meraki Employee

On page Wireless > Firewall & traffic shaping is the first rule showing as Deny or Allow? It needs to be Allow if this is an internal/employee SSID.

js7
Here to help

Thanks, the first rule shows Deny, but how do I specify which wireless clients can access the LAN, and what exactly is the LAN, so I know which network?

 

 

Ryan_Miles
Meraki Employee

Local LAN is a default object for subnets 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16. So you want this set to Allow so clients can access internal resources. If you want to lock things down you can add more explicit rules or do it at the MX.
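Why the gateway pings fail while the first rule is Deny, shown as an added example that is not part of the original thread and not Meraki's own code: a first-match model of the SSID firewall using the Local LAN definition from the reply above. The top-to-bottom first-match evaluation, the /24 mask, the gateway address 10.10.140.1 and the rule-set names are assumptions made for illustration.

```python
import ipaddress

# "Local LAN" object exactly as defined in the reply above (RFC 1918 ranges).
LOCAL_LAN = [ipaddress.ip_network(n)
             for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def matches(dest, target):
    """target is 'Local LAN', 'Any', or a CIDR string."""
    ip = ipaddress.ip_address(dest)
    if target == "Any":
        return True
    if target == "Local LAN":
        return any(ip in net for net in LOCAL_LAN)
    return ip in ipaddress.ip_network(target)

def evaluate(rules, dest):
    """Assumed model: rules are checked top to bottom, first match wins."""
    for action, target in rules:
        if matches(dest, target):
            return action
    return "deny"  # fail closed if nothing matched (rule sets below end in Any)

# Hypothetical rule sets for the SSID bridged to VLAN 140.
DENY_LOCAL = [("deny", "Local LAN"), ("allow", "Any")]
ALLOW_LOCAL = [("allow", "Local LAN"), ("allow", "Any")]
# Locked down: the client's own subnet (gateway included) is reachable,
# every other private subnet is not, internet traffic still passes.
LOCKED_DOWN = [("allow", "10.10.140.0/24"),   # /24 mask is an assumption
               ("deny", "Local LAN"),
               ("allow", "Any")]

# Constructed destinations: 10.10.140.1 (assumed gateway), the NVR and camera
# addresses from the thread, a non-RFC1918 172.x address, a documentation IP.
DESTS = ["10.10.140.1", "10.10.120.4", "10.10.130.3", "172.32.0.1", "203.0.113.10"]

def report(rules):
    return {d: evaluate(rules, d) for d in DESTS}

if __name__ == "__main__":
    for name, rules in (("deny local", DENY_LOCAL),
                        ("allow local", ALLOW_LOCAL),
                        ("locked down", LOCKED_DOWN)):
        print(name, report(rules))
```

With Deny in place even the client's own VLAN gateway falls inside 10.0.0.0/8, which is why it does not answer pings; the locked-down set shows the "more explicit rules" option placed above the Local LAN rule.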

js7
Here to help

Thanks, I want to lock it down more, really what I am trying to do is lock down the network subnet by VLAN.

 

So is it best to do it at the MX? For example, I don't want these three subnets to be able to access the LAN.

 

 

js7
Here to help

I wonder why I can't ping the NVR at 10.10.120.4 or a camera at 10.10.130.3 on the 10.10.140.0 subnet?

js7
Here to help

My problem is 10.10.120.4 is showing VLAN 160 in the ARP table, and it should be 120.

 

 
