Hi folks. I recently started working at a small local school system as a technician on their IT team. We have a Meraki setup here that spans 5 school buildings here in town. Our Meraki network is pretty basic, as far as I can gather and see from the dashboard. Networking/Meraki isn't my role, but there is a need for someone to step up and climb in, and I want that person to be me ;). There are a few pain points they're trying to address right now. At the high school campus, kids' laptops (Chromebooks) will drop off Wi-Fi fairly frequently. I can provide any requested information from my dashboard to answer any questions.
Second, we have a satellite school that's a little further away in a rural township that's a part of our system. Kids and teachers are seeing an issue where they get a "page cannot be loaded" error in their browser until they refresh and try again; I think it's when they first turn their devices on in the morning. My thinking is that there's a Wi-Fi issue there as well. All of our schools have their own Meraki hardware, but they all loop back through our Middle School as a control center. Again, I can provide more answers as needed.
Some observations I'd love to chat about:
1) It looks like our Middle School facility is on VLAN 1. I have been doing some research where people are saying not to use VLAN 1. Another management VLAN can be designated, but I didn't know if it was as simple as that with no 'side effects'.
2) Should all Wi-Fi devices be on their own VLAN for optimizing traffic? It was a suggestion I read elsewhere, I just want to sound it out and reason on it.
3) Would tagging or subnets be useful for a small school system? I am seeing that not much is tagged, and I think there are very few subnets here as well. Is a subnet indicated by an IP address ending with a /28 or a similar value?
Thank you very much for your guidance and help.
Hi, your questions seem to be more about general networking best practices outside of your connection dropping Wi-Fi.
In any environment where you have multiple use cases for networked devices you should consider using VLANs. This means the following: if you have teacher PCs, put them in a VLAN; if you have switches, put their management IPs in a VLAN; if you have printers, put them in their own VLAN.
For structured addressing: if the organization or school group has no more than 255 locations then you are safe to carve out a /16 for each location (for example: location 52 gets the IP space 10.52.0.0/16). Then you can further carve up that address space into /24s for local VLANs. You can use different masks, but it makes it so much easier for your management if you can keep to the 3rd octet boundary for your VLANs. So if printers are for example the 3rd VLAN you can use 10.52.3.0/24.
The advantage VLANs give is the following: you create smaller broadcast domains so that light devices like IoT devices don't fail due to too many broadcasts, and you force traffic to other device types to pass over a layer 3 switch or a firewall so you can apply policy.
The reason VLAN 1 is disliked is that there are many peculiarities in VLAN 1 and each networking vendor has some special meaning for it, making the behavior not quite defined, and in networking you don't want your network to have undefined behavior.
When building out your network, use tried and true designs:
If you have a single building or a few buildings touching each other, then just have a 2-tier architecture with a stack of 2 layer 3 distribution switches and have each networking closet connect back to those distribution switches via at least 2 fiber links (with a few spare fiber strands for easy replacement if needed). Each closet should have either a single switch or a stack of switches; never daisy-chain switches. Make sure your uplink bandwidth oversubscription does not exceed 20:1 (this means if you are connecting 20 ports of 1 gig on a switch or stack, your uplink to the distribution switches needs to have at least 1 gig. If you exceed those 20 ports you need more bandwidth and should consider using 10 gig links). Failure to do so will cause more uplink packet drops. If you have multiple buildings that are too far apart to connect each closet, consider multiple distribution switch pairs and connect these in a full mesh with the other distribution blocks. However, when you have more than 3 distribution blocks, consider a 3-tier architecture with a core switch pair that connects all distribution switches.
As far as your Wi-Fi drops go: try to find out why the connection is dropping:
- RF issues: too little coverage (could be APs at maximum power and still too little receive power = bad coverage), too much interference from neighboring APs, too busy channels
- NIC driver issues: devices can behave poorly due to firmware issues. If a specific Wi-Fi chip is having issues, try to identify it and update all the devices with that chip.
- AP issues: yes, Meraki devices can have bugs. A reboot or firmware update can sometimes offer a solution.
- External server issues: DHCP, DNS, RADIUS; all these protocols need to run correctly and can cause issues on your network.
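The addressing scheme and the 20:1 uplink rule from the reply above, as an added worked example that is not from any of the posters in this thread. It assumes things the reply does not state: the 10.0.0.0/8 private range, the location number as the second octet, the VLAN ID as the third octet, and the constructed VLAN list and port counts below.

```python
"""Added example (not from any of the posters above): compute the per-location
addressing plan described in the reply (a /16 per location, a /24 per VLAN on
the third-octet boundary) and check a closet's uplink against the 20:1
oversubscription rule of thumb.

Assumptions that are mine, not the thread's: the 10.0.0.0/8 private range,
the location number used as the second octet, the VLAN ID used as the third
octet, and the constructed VLAN list and port counts below.
"""
import ipaddress

# Constructed sample: VLAN ID -> description. IDs stay at or below 255 so each
# VLAN maps to exactly one /24 inside its location's /16.
VLANS = {
    10: "switch-management",
    20: "teacher-pcs",
    30: "printers",
    40: "student-wifi",
    50: "guest-wifi",
}


def location_block(location_id: int) -> ipaddress.IPv4Network:
    """Location n gets 10.n.0.0/16; the scheme supports up to 256 locations."""
    if not 0 <= location_id <= 255:
        raise ValueError("location id must fit in the second octet (0-255)")
    return ipaddress.ip_network(f"10.{location_id}.0.0/16")


def vlan_subnet(location_id: int, vlan_id: int) -> ipaddress.IPv4Network:
    """VLAN v at location n gets 10.n.v.0/24 (third-octet boundary)."""
    if not 0 <= vlan_id <= 255:
        raise ValueError("vlan id must fit in the third octet to keep one /24 per VLAN")
    block = location_block(location_id)
    # Offsetting the /16's base by vlan_id * 256 lands on the start of that /24.
    subnet = ipaddress.ip_network(f"{block.network_address + (vlan_id << 8)}/24")
    assert subnet.subnet_of(block)
    return subnet


def address_plan(location_id: int, vlans=VLANS) -> dict:
    """Return {vlan_id: (description, subnet)} for one location."""
    return {vid: (desc, vlan_subnet(location_id, vid)) for vid, desc in vlans.items()}


def oversubscription_ratio(access_ports: int, port_gbps: float, uplink_gbps: float) -> float:
    """Total access-port bandwidth divided by uplink bandwidth (20 x 1G on 1G = 20.0)."""
    if uplink_gbps <= 0:
        raise ValueError("uplink bandwidth must be positive")
    return (access_ports * port_gbps) / uplink_gbps


def uplink_ok(access_ports: int, port_gbps: float, uplink_gbps: float,
              max_ratio: float = 20.0) -> bool:
    """True when the closet's uplink stays within the 20:1 guideline."""
    return oversubscription_ratio(access_ports, port_gbps, uplink_gbps) <= max_ratio


if __name__ == "__main__":
    for vid, (desc, net) in address_plan(52).items():
        print(f"VLAN {vid:3d}  {desc:18s}  {net}")
    # A 48-port 1G stack on a single 1G uplink is 48:1; on a 10G uplink it is 4.8:1.
    print("48x1G on 1G uplink ok:", uplink_ok(48, 1, 1))
    print("48x1G on 10G uplink ok:", uplink_ok(48, 1, 10))
```

Running it for location 52 prints the five /24s (10.52.10.0/24 through 10.52.50.0/24) and shows why a fully populated 48-port 1G closet needs a 10G uplink to stay under 20:1. Using the VLAN ID as the third octet is a convenience so the subnet can be read off the VLAN number; the reply's own example numbers VLANs sequentially instead, and either works as long as the ID stays at or below 255.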
Thank you! Lots for me to consider. I am essentially a networking amateur so I will likely have follow-up questions. I'll start with two for right now.
1) It looks at the top level (here at our Middle School location) that our entire High School campus is on a single VLAN. Should I look into parting that out into additional ones, and might having more VLANs smooth out network usage there?
2) Do you recommend that I get our Middle School off VLAN 1 and onto another one during the summer while the stakes are low?
Thank you very much, sorry for the ignorance of my questions, I'm really trying to cram knowledge to make up for my lack of networking knowledge.
So everything is on one VLAN; does that also mean you are running one single IP subnet? What is the prefix length or the mask of that network and how many devices are on there?
If you are for example running a /16 (255.255.0.0) subnet and serving 1000 or more clients, then I bet your broadcast traffic must be quite high, which can cause devices with a light processor like IoT devices to behave erratically and need multiple reboots.
I personally only go to a larger network than a /24 (255.255.255.0) if we are talking about guest VLANs, because these usually only exist on wireless and can be isolated so they can only send to and receive from their default gateway.
When school is out, IT is in rebuilding the system.
I would advise first to think about how you would want to segment your network: what device types you would like to be on their own separate network (security-wise and performance-wise), and write that stuff down. Once that is done you can start making an IPAM document, which can simply be an Excel sheet that contains all your VLAN descriptions, IDs, gateway IPs, DHCP scopes, DNS assignments, and wire color if you want to use UTP patch cable colors per VLAN. At this point you will need to decide where you want to route: is it on your distribution/core switch or on the firewall? This depends heavily on the scale of your network and how much east-west traffic you are expecting (east-west means traffic between local VLANs). If that volume is high then you could run into the limitations of your firewall and should use the switch instead for routing. Also, depending on how your layered switch architecture is structured, you could be forced to use the core/distribution switch as the L3 hop.
Then when your design is done and the summer vacation is here, you can start by creating the VLANs and their interfaces on the device you will be routing on, and then test by moving one device onto it. After successful tests you can gradually move all devices to the new VLAN.
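The IPAM sheet the reply describes (VLAN ID, description, subnet, gateway, DHCP scope, DNS, cable color), plus the "nothing wider than a /24 except guest" rule from the same poster, as an added example that is not from anyone in this thread. The reservation layout (gateway on the first usable host, the first 49 hosts kept for static assignments, the DHCP scope ending five hosts before the broadcast address), the DNS addresses and the segment list are all constructed assumptions of mine, not a recommendation from the thread.

```python
"""Added example (not from any poster in this thread): turn a written
segmentation plan into the IPAM sheet described above, emitted as CSV so it
opens directly in Excel, and flag subnets wider than a /24 that are not
guest networks.

Assumptions that are mine: gateway = first usable host, the first 49 hosts
are reserved for static/infrastructure addresses, the DHCP scope ends five
hosts before the broadcast address, and the constructed segments below.
"""
import csv
import io
import ipaddress

# Constructed sample segmentation plan for one site: (vlan_id, description, subnet, cable colour).
SEGMENTS = [
    (10, "switch-management", "10.52.10.0/24", "grey"),
    (20, "teacher-pcs", "10.52.20.0/24", "blue"),
    (30, "printers", "10.52.30.0/24", "yellow"),
    (40, "student-wifi", "10.52.40.0/24", "green"),
    (50, "guest-wifi", "10.52.48.0/22", "red"),   # guest is allowed to be wider than /24
]
DNS_SERVERS = "10.52.10.10 10.52.10.11"   # constructed placeholder resolver addresses

STATIC_RESERVE = 49   # hosts after the gateway kept out of DHCP for static assignments
TAIL_RESERVE = 5      # hosts before the broadcast address kept out of DHCP


def ipam_row(vlan_id: int, description: str, subnet: str, colour: str,
             dns: str = DNS_SERVERS) -> dict:
    """One IPAM sheet row for a VLAN; raises if the subnet is too small for the scheme."""
    net = ipaddress.ip_network(subnet, strict=True)   # rejects a host address given as a subnet
    gateway = net.network_address + 1
    dhcp_start = net.network_address + 1 + STATIC_RESERVE
    dhcp_end = net.broadcast_address - 1 - TAIL_RESERVE
    if dhcp_start >= dhcp_end:
        raise ValueError(f"VLAN {vlan_id}: {subnet} is too small for the reservation scheme")
    return {
        "vlan_id": vlan_id,
        "description": description,
        "subnet": str(net),
        "gateway": str(gateway),
        "dhcp_scope": f"{dhcp_start}-{dhcp_end}",
        "usable_hosts": net.num_addresses - 2,
        "dns": dns,
        "cable_colour": colour,
    }


def oversized_subnets(segments, max_prefix: int = 24) -> list:
    """Descriptions of non-guest subnets wider than /24 (the reply's rule of thumb)."""
    return [
        desc for _, desc, subnet, _ in segments
        if ipaddress.ip_network(subnet).prefixlen < max_prefix and "guest" not in desc.lower()
    ]


def ipam_csv(segments=SEGMENTS) -> str:
    """Render the whole plan as CSV text with a header row."""
    rows = [ipam_row(*seg) for seg in segments]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(ipam_csv())
    print("non-guest subnets wider than /24:", oversized_subnets(SEGMENTS))
```

For the constructed plan the sheet shows, for example, VLAN 20 with gateway 10.52.20.1 and DHCP scope 10.52.20.50-10.52.20.249, and the guest /22 is the only wide subnet, so the oversize check returns an empty list. A subnet that cannot hold the reservation layout (a /28, say) raises instead of silently producing an inverted DHCP range, which is the kind of mistake that is easy to carry into a dashboard by hand.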
Yes, as far as I can tell, the Middle School LAN is a single IP with a /22 on it. There are only 76 clients right now, but kids are gone for the summer. Lots to think about in your second-to-last paragraph, and I've been getting ideas together in the last few days, but I'm far from proficient in all this. When you say "If the volume is that high", what would you call high? I need to find out how many devices will be online during the school year since I just started last week and am still not sure of the scale we're dealing with. I know it's nowhere near 1000, but it might be around 150 in this particular school. Why/what benefit is there to having guests only send and receive to their default gateway? Thanks!
You can assign a VLAN to an SSID (Wi-Fi name); each SSID can have its own VLAN tag. However, it's recommended not to have too many active SSIDs... At my org we try to have our IT equipment wired on its own VLAN, and if there is anything that is only wireless we use an SSID that still tags the device to put it in the IT VLAN.
To set up VLAN tagging per SSID go to
Wireless > Access Control > VLAN Tagging
Thank you! Right now we have a Teacher SSID, a Student SSID, two for guests and one for Visitors. It's our plan to shut off the ones for guests and visitors soon. I will look into getting student traffic on its own VLAN.