Meraki

Community

COnfiguration question with MX MS and MR

Solved
js7
Here to help
‎Nov 27 2021 6:15 PM
‎Nov 27 2021 6:15 PM

COnfiguration question with MX MS and MR

Take a look at screenshot. I want to setup my MX to handle all the DHCP services. I am trying to figure out how to create the SSIDs on the MR to correspond to the VLAN created on the MX. 

 

 

0 Kudos
1 Accepted Solution
In response to js7
Ryan_Miles
Meraki Employee All-Star Meraki Employee All-Star
Meraki Employee All-Star
‎Nov 28 2021 8:59 AM
‎Nov 28 2021 8:59 AM

That is tunneling the SSID to your MX. That is typically used for remote teleworker deployments where the AP is remote and tunnels over the internet back to the MX. I wouldn't use that mode in your topology.

View solution in original post

13 Replies 13
Ryan_Miles
Meraki Employee All-Star Meraki Employee All-Star
Meraki Employee All-Star
‎Nov 27 2021 8:33 PM
‎Nov 27 2021 8:33 PM

Make the port on the MX a trunk. Make the ports of the switch connected to the MX and the MRs trunks. Last, on the SSIDs use bridge mode and specify the tagged VLAN. That'll do it.

 

Here's an example of my SSID putting clients on VLAN 80.Screen Shot 2021-11-27 at 8.32.28 PM.png

js7
Here to help
‎Nov 28 2021 5:06 AM
‎Nov 28 2021 5:06 AM

I actually got it to work a different way before I saw your post. I want to decrease the size of my broadcast domain, and increase security. So if I choose the L3 roaming with a concentrator. Doesn't that do what I need it to do?

 

 

0 Kudos
In response to js7
Ryan_Miles
Meraki Employee All-Star Meraki Employee All-Star
Meraki Employee All-Star
‎Nov 28 2021 8:59 AM
‎Nov 28 2021 8:59 AM

That is tunneling the SSID to your MX. That is typically used for remote teleworker deployments where the AP is remote and tunnels over the internet back to the MX. I wouldn't use that mode in your topology.

js7
Here to help
‎Nov 28 2021 5:10 AM
‎Nov 28 2021 5:10 AM

Also, take a look at this screenshot of my MX. It says Native VLAN is 120, why can't it be 160?

 

 

0 Kudos
In response to js7
ww
Kind of a big deal
Kind of a big deal
‎Nov 28 2021 8:26 AM
‎Nov 28 2021 8:26 AM

You can edit that port and choose  the native vlan. Also change it on the switch side to the same vlan

js7
Here to help
‎Nov 28 2021 5:38 AM
‎Nov 28 2021 5:38 AM

Another ? is that I can't seem to ping any of my MX ip's from the 140 vlan wirelessly... Perhaps something needs to be configured on the switch?

0 Kudos
js7
Here to help
‎Nov 28 2021 9:40 AM
‎Nov 28 2021 9:40 AM

I was able to update my native vlan to the choice of my choosing being 160. I was able to change the SSID traffic to go via bridge using a vlan ID, instead of the L3 roaming option.

 

However, I still can't ping any of the gateway's of the vlans. Thoughts?

0 Kudos
In response to js7
Ryan_Miles
Meraki Employee All-Star Meraki Employee All-Star
Meraki Employee All-Star
‎Nov 28 2021 9:47 AM
‎Nov 28 2021 9:47 AM

On page Wireless > Firewall & traffic shaping is the first rule showing as Deny or Allow? It needs to be Allow if this is an internal/employee SSID.

0 Kudos
js7
Here to help
‎Nov 28 2021 9:52 AM
‎Nov 28 2021 9:52 AM

Thanks first rule shows Deny, but how do I specify which wireless clients can access the LAN, and what exactly is the LAN? so I know which network?

 

 

0 Kudos
In response to js7
Ryan_Miles
Meraki Employee All-Star Meraki Employee All-Star
Meraki Employee All-Star
‎Nov 28 2021 9:55 AM
‎Nov 28 2021 9:55 AM

Local LAN is a default object for subnets 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16. So you want this set to Allow so clients can access internal resources. If you want to lock things down you can add more explicit rules or do it at the MX.

js7
Here to help
‎Nov 28 2021 9:59 AM
‎Nov 28 2021 9:59 AM

Thanks, I want to lock it down more, really what I am trying to do is lock down the network subnet by vlan. 

 

SO is it best to do it at the MX? For example. I don't want these three subnets to be able to access the LAN.

 

 

0 Kudos
js7
Here to help
‎Nov 28 2021 10:53 AM
‎Nov 28 2021 10:53 AM

I wonder why I can't ping the NVR at 10.10.120.4 or a camera at 10.10.130.3 on the 10.10.140.0 subnet??? 

0 Kudos
js7
Here to help
‎Nov 28 2021 11:01 AM
‎Nov 28 2021 11:01 AM

My problem is 10.10.120.4 is showing VLAN 160 in the arp table, and it should be 120.

 

 

0 Kudos
Back to the top
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.