SSID and native VLAN

SOLVED
br_BlueTie

Hi,

I've seen a couple of posts with similar problems, but I'm looking to understand the problem a bit deeper.

I have MS120 switches, MR44 APs and two SSIDs (guest and internal).

I would like to tag guest with vlan 10 and internal with vlan 20, but the problem is that vlan 20 is also the native vlan on the trunk port between switches and APs, so the internal SSID won't receive IP addresses if I tag it. If I don't tag it, it works.

So the questions are:

1. Is there a way to tag vlan 20 if I only have those two vlans and vlan 20 is used as native on the network?

2. If I don't tag vlan 20 I see that wireless clients have "native" instead of the vlan number in the column "current vlan" under connected devices. Since vlan 20 is also used for wired clients and native vlan, would that mean the wireless clients can communicate with wired clients on vlan 20? That the wireless clients would still be in vlan 20 because it is the native vlan? Does the native vlan tag them then?

3. Are there any security issues or other problems by only tagging the SSID guest and not internal?

4. When I go to the summary page on either switches or APs, under "LAN IP" and click on the pencil, I can set a VLAN under DHCP. What does this do?

ww

It would be better to use a management/native VLAN for your network devices. Then you can use tagged VLANs on the SSIDs.

1. No.

2. Yes, clients on the native VLAN are in VLAN 20 and can communicate with wired clients in VLAN 20. Maybe also with other VLANs, but that depends on your firewall rules.

3. Not really, unless you have some vulnerable devices in VLAN 20.

4. Then that device will try to get its management IP on that VLAN; the MR will send a tagged DHCP request, but it will fail.

br_BlueTie

Okay. Thanks for clearing that up!

I only have those two networks so vlan 20 is set as the management vlan under switch settings -> management vlan. So the devices have IPs in vlan 20.

But I need to use native vlan on the trunk ports to the APs for them to send dhcp requests, right?

And because the management vlan and the native vlan are the same, I can't tag vlan 20 on the SSID. So the best option would be to use vlan 20 only as management and native, and create a third network (vlan 30) that would replace vlan 20 as the internal network? Did I understand that correctly?

Are there any problems leaving it as it is?

Bruce

Yes, if you want to tag the internal traffic then creating a new VLAN is probably the easiest solution. You can then leave the APs on the native VLAN (VLAN 20) and change the SSID for internal clients to use VLAN 30. You'll also need to configure a new DHCP scope for VLAN 30 and, if the DHCP server isn't actually on VLAN 30, configure a DHCP relay/forwarder on the Layer 3 interface for the VLAN.

There shouldn’t be any problems leaving it as it is. As has been said though, it’s recommended to keep management traffic on its own VLAN.

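The behaviour ww and Bruce describe (untagged frames from the AP land in the switch's native VLAN, and only a non-native tag puts the internal SSID in a VLAN of its own) can be made concrete with a small model of the AP-to-switch trunk. The code below is an added example, not from this thread or from Cisco Meraki. The MAC addresses and the DHCP payload are constructed, and the `accept_tagged_native` flag is an assumption that reproduces the symptom reported in the thread (an SSID tagged with the native VLAN ID gets no DHCP), not documented MS/MR behaviour.

```python
# Added example (not from the thread or from Cisco Meraki): a small model of how an
# 802.1Q trunk between an AP and a switch treats tagged versus untagged frames.
import struct

ETHERTYPE_8021Q = 0x8100   # TPID that marks an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800

def mac(text):
    """'02:00:00:00:00:01' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))

def build_frame(dst, src, ethertype, payload, vlan=None, pcp=0):
    """Ethernet II frame; a 4-byte 802.1Q tag (TPID + TCI) is inserted when vlan is set."""
    frame = mac(dst) + mac(src)
    if vlan is not None:
        tci = (pcp << 13) | (vlan & 0x0FFF)          # 3-bit PCP, DEI=0, 12-bit VID
        frame += struct.pack("!HH", ETHERTYPE_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload

def parse_frame(frame):
    """Return (dst, src, vlan_or_None, ethertype, payload) for a possibly tagged frame."""
    dst, src = frame[0:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype == ETHERTYPE_8021Q:
        (tci,) = struct.unpack("!H", frame[14:16])
        (etype,) = struct.unpack("!H", frame[16:18])
        return dst, src, tci & 0x0FFF, etype, frame[18:]
    return dst, src, None, etype, frame[14:]

class TrunkPort:
    """Switch-side trunk: the native VLAN travels untagged, every other VLAN tagged.

    accept_tagged_native=False reproduces the symptom reported in the thread (an SSID
    tagged with the native VLAN ID gets no DHCP). Whether a real switch drops or accepts
    a frame tagged with its own native VID is platform behaviour; the flag is an
    assumption of this model, not a documented MS/MR fact.
    """
    def __init__(self, native_vlan, allowed_vlans, accept_tagged_native=False):
        self.native = native_vlan
        self.allowed = set(allowed_vlans) | {native_vlan}
        self.accept_tagged_native = accept_tagged_native

    def egress(self, vlan, dst, src, ethertype, payload):
        """Frame leaving the switch towards the AP; None if the VLAN is not allowed."""
        if vlan not in self.allowed:
            return None
        tag = None if vlan == self.native else vlan
        return build_frame(dst, src, ethertype, payload, vlan=tag)

    def ingress(self, frame):
        """VLAN the switch assigns to a frame arriving from the AP; None means dropped."""
        _, _, tag, _, _ = parse_frame(frame)
        if tag is None:
            return self.native                      # untagged -> native VLAN (question 2)
        if tag == self.native and not self.accept_tagged_native:
            return None                             # tagged with the native VID (questions 1 and 4)
        if tag not in self.allowed:
            return None
        return tag

# Constructed sample data: locally administered MACs and a placeholder IPv4 payload.
AP_MAC = "02:00:00:00:00:01"
BCAST = "ff:ff:ff:ff:ff:ff"
DHCP_DISCOVER_STUB = b"\x45" + b"\x00" * 19

def ap_emit(ssid_vlan):
    """What the AP bridges for a client on an SSID: tagged with the SSID's VLAN, or untagged."""
    return build_frame(BCAST, AP_MAC, ETHERTYPE_IPV4, DHCP_DISCOVER_STUB, vlan=ssid_vlan)

def simulate(switch):
    """Run the SSID configurations discussed in the thread through the switch trunk."""
    scenarios = {
        "guest_tagged_10": 10,        # works: tagged with a non-native VLAN
        "internal_untagged": None,    # works: lands in native VLAN 20
        "internal_tagged_20": 20,     # fails in this model: tagged with the native VID
        "internal_tagged_30": 30,     # the suggested fix: a third, non-native VLAN
    }
    return {name: switch.ingress(ap_emit(vid)) for name, vid in scenarios.items()}

if __name__ == "__main__":
    trunk = TrunkPort(native_vlan=20, allowed_vlans={10, 30})
    for name, result in simulate(trunk).items():
        print(f"{name:20s} -> {'dropped' if result is None else f'VLAN {result}'}")
```

The `internal_tagged_30` case only works because VLAN 30 is in the trunk's allowed list; on a real network it also needs the DHCP scope or relay Bruce mentions, which the frame-level model does not cover.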
br_BlueTie

I see. Thanks!
