I have installed some Sonos devices in my kitchen (big property with 20-30 people). They sound great, everything worked fine... except Sonos has no mechanism to limit access to the config app as long as somebody is logged into the same SSID. Lame. OK, so I created a hidden SSID called sonosconfig, reset all the Sonos stuff to factory settings and re-configured the system. Works great...
Except it's all still discoverable between the SSIDs.
I know the Sonos makes its own 2.4 GHz network to pass data between units as well as being discoverable over the configured SSID, but I have a feeling there is some issue where my two SSIDs are bleeding over into each other and I'm not sure how to separate them. I currently have both set up in bridge mode. I tried the sonosconfig network in NAT mode but that broke everything. Could a VLAN be an elegant solution? Anybody willing to point me in the right direction?
I have no VLANs set up at present. I think that means I just have one? I don't use the feature. Just the residents SSID in bridge mode and guest in Meraki DHCP, and now this third one, bridged, for the Sonos stuff. I think I probably will need a VLAN in order for the two bridged networks to both coexist and be discrete from one another.
In reflection I think the original error in my thinking was that two SSIDs would give me two networks lol. Old consumer router thinking.
It looks like per-SSID VLAN tagging could be my solution. Thoughts? Anything more elegant? Also simple 😜
OK, I did this to the sonosconfig SSID:
And it seems to have done the trick of making nothing that seems to need TCP/IP work at all (I get on that SSID and can't get an IP, and can't see the Sonos gear through the account) but the speakers all work. This is likely because they work over Bonjour (multicast DNS) discovery which doesn't care about TCP/IP. This gets me halfway there but I'd still like to be able to join that network and be able to adjust settings, check for firmware updates, etc. I tried reading about this but couldn't quite figure it out. How do I get TCP/IP traffic to this new VLAN? Do I need to do anything to my other SSIDs? Any pointers?
Our posts crossed in the air:
Have you created the VLAN in your MX (or other router or layer 3 switch)? If not, you will have to, and then make sure each VLAN has DHCP enabled.
It sounds like you have discovered your mistake: just because you have created 2 SSIDs does not mean the traffic will be isolated or blocked from each one.
I have done this a few times now with Sonos for the same reasons.
Just create 2 VLANs, e.g.:
VLAN 10 - Main Network (192.168.10.0/24)
VLAN 20 - Sonos (192.168.20.0/24)
Then put your main SSID in VLAN 10 (Wireless > Access control > VLAN tagging)
Put your Sonos in VLAN 20
And it should all work.
Note - it's good practice not to put all your network devices in VLAN 1 other than for the management of core devices (e.g. MX/MS/MR), so remember to also move any fixed devices using the switch port settings to VLAN 10 as well.
Hope this helps
Gary, thank you, and while I am literally the most tech-savvy person I know in real life and I understand the concept of what you are telling me, I don't know how to implement that. Would you be willing to do a screen capture walkthrough or something and post it here so I can see what you want me to do? Or a quick numbered list of steps?
My network is very simple. I have one MX65 as my appliance connected to a 250/250 fiber line for WAN and then a bunch of MRs. I'm the only person who has access to wired ports. That's it.
Sure, but not now as it's 05:30 in the UK and I have a little insomnia 🙂
What firewall / router are you using?
Meraki MX65, and then a bunch of APs: MR52s, MR84s, etc.
First thing you need to do is on the MX go to Addressing & VLANs
And tick the "Use VLANs" box, then "Add VLAN" - just follow your nose for this.
Make sure you click on save.
Once this is done, by default DHCP will also be enabled.
Then in your Wireless settings for the SSID you have created, under VLAN tagging, make sure you select the VLAN you added here.
That should be it.
Where in the world are you?
In Northern California at a retreat center way out in the middle of nowhere.
Thank you for this!
Am I to understand that using VLANs does not necessitate using more than one? In other words, I have the non-VLAN part of my network and then, as you have described here, I now have a cordoned-off part of my network that is, let's say, VLAN 2. But I don't by definition need another VLAN (1) to encapsulate the remainder of the network? Does that make sense, what I'm asking?
Edit: i just looked at that image again and it does seem that we need 2 to tango period.
I’ll be out all day tomorrow and maybe the next day but will be back and will report. Thank you!
Once you enable VLANs on the MX, by default you will get VLAN 1, which is the admin VLAN, and then you would create the rest.
So at the minimum you would create 2:
VLAN 1 - all your network
VLAN 2 - Sonos
That would keep it simple.
But I would consider separating your core traffic away from VLAN 1 as you have turned on VLANs anyway; all you will need to do is understand the difference between trunk ports (ports that forward all VLANs) and access ports (ports that only forward traffic from one VLAN).
So you would always make sure your uplink ports and AP ports are always set as trunk ports, whereas a port that is just connected directly to a PC would be set as an access port.
Feel free to ping me when you are free, either over the weekend or after the holidays.
"Note - it's good practice not to put all your network devices in VLAN 1 other than for the management of core devices (e.g. MX/MS/MR), so remember to also move any fixed devices using the switch port settings to VLAN 10 as well."
So in other words, my 10GbE switches that provide fiber interconnects between a few parts of the property should go on VLAN 10? I have a couple of gigabit Netgear switches. Those too? Is that what you're referring to?
Is VLAN 1 considered occupied by default? It sounds like:
VLAN 1 is where the MX and MR devices live. And dumb switches or no?
VLAN 10 is where all my regular client traffic lives.
VLAN 20 is where Sonos lives.
And so on and so forth as new needs arise, e.g. VLAN 30 for NAS devices I don't want exposed to the network, etc.
I would create an entirely separate VLAN for managing your network devices, not in use by or for anything else.
So re: VLANs, are you trying to use your SonosConfig SSID on any repeater APs? If I recall correctly, you've got a bunch of repeaters.
Due to the nature of the mesh, VLAN tags aren't maintained across it: https://documentation.meraki.com/MR/WiFi_Basics_and_Best_Practices/Extending_the_LAN_with_a_Wireless...
“VLAN tags are not maintained across wireless mesh links, any VLAN tags applied by wired infrastructure will be stripped before sent across the air.“
Crikey. Yeah, this is on a repeater... But interestingly enough I am currently trenching that route to this building and should have CAT7 installed (I have 10GbE NAS devices I use around the property 😎) by Monday or Tuesday, which would be a game changer here. How funny. Turning on VLANs on that SSID does seem to be affecting it though, like I said above. I wonder why. I haven't touched the settings on the MX yet. But honestly just nerfing TCP/IP on that SSID does what I need lol. And I'd like to learn how to do this right and not ghetto-net.
So when I do enable VLAN tagging I will need to check the box for each Ethernet port I want to have included in each VLAN, correct?
What will I need to do here:
My thinking is the next thing I do is go to the SSID access settings but then I see this:
and am not quite sure how to think about this. Does that stay 1? Do I add a VLAN #2?
Yes, for the SSID used by your Sonos equipment you need to enter 2 next to "All other APs". For your main SSID it stays 1.
If you're interested in the why of that "Add VLAN" button, read on:
It looks a bit weird because there's a feature called per-AP VLAN tagging. That feature allows you to spread users of a single SSID over multiple VLANs in large campus deployments. In these high-density environments you don't want everyone in a single VLAN because you would get too much broadcast traffic in a single VLAN, but you still want to keep a single SSID for roaming and ease-of-configuration purposes.
That's why you can click that "Add VLAN" button. Campuses can use tags to determine in what VLAN users are dropped when they connect to a certain SSID via a certain AP. For example you could have one VLAN per floor. You'd then tag all APs with a label of the floor they're on and then with the "Add VLAN" function you could define which VLAN their clients are put in depending on the floor they're on:
Thank you! What behavior can I expect on a non-gateway AP? As mentioned above it sounds unsupported. The only AP I care about the Sonos network working on is currently wireless and will be wired come Monday or Tuesday of this week. But I have others that are wireless. Will clients on those wireless APs all default to VLAN 1 regardless of their SSID?
In the meantime, is there a port I can block to prevent app access and Spotify Connect that I could just unblock later? I am in need of a temporary solution.
What @Nash is talking about is the behavior of connecting a client to the LAN port of a repeater AP (i.e. a wireless mesh bridge). In your case your clients are connected wirelessly, so you don't have to worry about that limitation, it has no effect.
The VLAN the clients end up in will depend on the SSID they're connected to. Whether they connect to a gateway AP or a repeater AP doesn't matter. The only reason we prefer gateway APs over repeater APs is performance. With repeater APs airtime is used twice for one packet, once for sending the message from the client to the AP and once for sending it from the repeater to the gateway. This effectively halves your performance (each time you introduce a repeater).
What do you mean about blocking the app access. Can you elaborate a bit? Are you talking about clients connected to the SonosControl SSID or the regular SSID?
@BrechtSchamp I meant that if there was a way to do this by known ports etc., maybe that could be a workaround for not having a VLAN. But the VLAN is working easily now and I am happy. Thank you again so much.
Oh, ah, yes. If the APs are just a mesh with PoE, ignore what I said re: bridges. I think I was thinking of a situation like a client of mine has, where he’s got a wireless bridge to a switch full of APs. Assumptions!
I did it! I got a VLAN up and running for the Sonos and it screens out other traffic. I am ecstatic! Thanks all.
I saw your thread and just want to give my feedback and experience when using Meraki infrastructure with Sonos devices.
I have a similar situation:
- 2x fiber connections at home with an MX68
- connected to a Meraki MS220 switch
- with one MR84 and 5x MR52
Sonos devices across the whole property.
I learned the following:
- Sonos does not behave properly when a Sonos system is spread across multiple Meraki MRs, because the devices don't correctly handle different BSSIDs for the same SSID when multiple MRs serve that SSID. My workaround for this is not simple:
- put as many Sonos devices as possible on the wired LAN, in a specific VLAN
- for Sonos devices using Wi-Fi, I created a specific SSID with the same VLAN as above, on a single Meraki MR, to be sure they don't use multiple MRs
Regarding the control of and access to Sonos devices, because I am using only AirPlay 2 (all the other traffic is blocked), I have done the following:
- my main SSID network is using 802.11x and 802.11r (with Fastlane enabled) with Meraki SM (Systems Manager); devices must be enrolled first to access this SSID, using only a certificate. This SSID has AirPlay 2 support. All devices not enrolled cannot access this SSID because they need a device certificate. It's very easy to install.
- my guest SSID, using simple WPA2, has AirPlay 2 blocked to the other SSID/VLAN
Here is what I did, hope that could help you.
The AP (MR52) that I have tagged for my special hidden Sonos-only SSID was a repeater and has since been wired to a port on my MX65 to become a gateway. Yay. But now all my Sonos devices connect to the right SSID and the same AP, but pull 169 addresses for some reason. No other changes were made. Right? Wrong? Thoughts? Restart the MX?
I have also tried removing the Sonos tag from the AP tags section on its status page as well as deleting and re-adding the VLAN. When I join the hidden network with my Mac I am able to join, but my Mac also pulls a 169 IP, so it's not just the Sonos.
FIXED - I have a Netgear switch in the middle and I didn't configure its VLAN settings. Got it.
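An added worked model of what the thread works through above: the trunk/access distinction, the per-AP VLAN tagging explanation ("All other APs" default plus tag-based overrides), and the unconfigured Netgear switch in the middle that left clients with 169.254 addresses. This is illustration code written for this page, not Meraki's code and not anything the posters ran. The SSID field names follow the Meraki Dashboard API's VLAN tagging settings (useVlanTagging, defaultVlanId, apTagsAndVlanIds), but every device name, subnet, VLAN number and port setting is an assumption, and modelling the unconfigured switch as "access ports in VLAN 1" is an assumption about that switch's defaults.

```python
"""Model of the thread's layout: a VLAN plan, per-SSID VLAN tagging, and the
wired path from an AP to the MX. Added example, not Meraki code. It answers:
which VLAN does a client on a given SSID land in, and does that VLAN survive
every wired hop on the way to the MX (where DHCP lives)?"""
import ipaddress

# Assumed VLAN plan. The thread left the main SSID on VLAN 1 ("it stays 1")
# and Gary suggests moving clients to 10 later; Sonos gets its own VLAN.
VLANS = {
    1: {"name": "Management + main clients (as the thread ended up)", "subnet": "192.168.1.0/24"},
    10: {"name": "Main clients (where Gary suggests moving them)", "subnet": "192.168.10.0/24"},
    20: {"name": "Sonos", "subnet": "192.168.20.0/24"},
}

# SSID settings using the Dashboard API field names; values are assumed.
SSIDS = {
    "residents": {"useVlanTagging": True, "defaultVlanId": 1, "apTagsAndVlanIds": []},
    "sonosconfig": {"useVlanTagging": True, "defaultVlanId": 20, "apTagsAndVlanIds": []},
    # Per-AP tagging as in the campus example: APs tagged floor-2 put clients in VLAN 12.
    "campus": {"useVlanTagging": True, "defaultVlanId": 10,
               "apTagsAndVlanIds": [{"tags": ["floor-2"], "vlanId": 12}]},
    # SSID with VLAN tagging left off: the AP sends its frames untagged.
    "legacy": {"useVlanTagging": False},
}


def overlapping_subnets(vlans):
    """Pairs of VLAN IDs whose subnets overlap; a sane plan returns []."""
    nets = {vid: ipaddress.ip_network(v["subnet"]) for vid, v in vlans.items()}
    return [(a, b) for a in nets for b in nets if a < b and nets[a].overlaps(nets[b])]


def client_vlan(ssid, ap_tags=(), native_vlan=1):
    """VLAN a wireless client lands in on `ssid` via an AP carrying `ap_tags`.

    A per-AP-tag rule wins over the SSID default ("All other APs"). An SSID
    without VLAN tagging sends untagged frames, which the AP's switch port
    puts in its native VLAN (1 unless changed).
    """
    cfg = SSIDS[ssid]
    if not cfg["useVlanTagging"]:
        return native_vlan
    for rule in cfg["apTagsAndVlanIds"]:
        if set(rule["tags"]) & set(ap_tags):
            return rule["vlanId"]
    return cfg["defaultVlanId"]


def port_carries(port, vlan):
    """True if a switch/MX port passes traffic for `vlan`."""
    if port["mode"] == "trunk":      # tagged for allowed VLANs, untagged for native
        return vlan in port["allowed"] or vlan == port.get("native")
    if port["mode"] == "access":     # one untagged VLAN; tagged frames are dropped
        return vlan == port["vlan"]
    raise ValueError(f"unknown port mode {port['mode']!r}")


def first_drop(path, vlan):
    """Name of the first hop that drops `vlan`, or None if it reaches the MX."""
    for hop in path:
        if not port_carries(hop["port"], vlan):
            return hop["device"]
    return None


def diagnose(ssid, path, ap_tags=()):
    """Return (vlan, reaches_mx, dropped_at) for a client on `ssid` behind `path`."""
    vlan = client_vlan(ssid, ap_tags)
    dropped_at = first_drop(path, vlan)
    return vlan, dropped_at is None, dropped_at


TRUNK_ALL = {"mode": "trunk", "allowed": {1, 10, 20}, "native": 1}

# Assumed wired path AP -> Netgear switch -> MX. "Before" models the thread's
# failure: the Netgear's VLAN settings were never configured, so (assumed
# default) its ports act as access ports in VLAN 1 and drop tagged VLAN 20.
PATH_BEFORE = [
    {"device": "mr52-uplink", "port": TRUNK_ALL},
    {"device": "netgear-gs", "port": {"mode": "access", "vlan": 1}},
    {"device": "mx65-lan", "port": TRUNK_ALL},
]
# "After": the Netgear ports facing the AP and the MX are trunks carrying 1/10/20.
PATH_AFTER = [
    {"device": "mr52-uplink", "port": TRUNK_ALL},
    {"device": "netgear-gs", "port": TRUNK_ALL},
    {"device": "mx65-lan", "port": TRUNK_ALL},
]

if __name__ == "__main__":
    assert overlapping_subnets(VLANS) == []
    for ssid in ("residents", "sonosconfig"):
        for label, path in (("before", PATH_BEFORE), ("after", PATH_AFTER)):
            vlan, ok, where = diagnose(ssid, path)
            state = "reaches MX, DHCP works" if ok else f"dropped at {where}: expect 169.254.x.x"
            print(f"{ssid:12s} VLAN {vlan:2d} {label:6s} {state}")
```

Run as-is it prints that the residents SSID (VLAN 1, native everywhere) works on both paths while sonosconfig (VLAN 20) is dropped at the Netgear until that switch's ports are trunked, which is exactly why only the hidden SSID handed out 169.254 addresses. The same `client_vlan` function shows the per-AP tagging case: on the "campus" SSID, a client on an AP tagged floor-2 lands in VLAN 12 and on any other AP in the default VLAN 10.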