SSIDs and VLAN Problem

WhoIsThis
Comes here often


I tried typing out the entire setup and it turned into a convoluted mess, so this is the essence of what the problem is:

 

MX67

Port 3 = Store Network - VLAN 1 - Trunk Port - 192.168.101.0/24 - Store SSID

Port 5 = Office Network - VLAN 149 - Access Port - 192.168.0.0/24 - Office SSID

 

x6 MR33 APs

6 SSIDs - 1 Store / 1 Office / 1 Employee / 3 Guest (varying restrictions) - Employee and Guests are in isolated networks.

 

I want all SSIDs to broadcast on all APs; however, when a device connects to the Store SSID on an AP connected to/through port 5, it gets an IP in the Office range.

 

The 2 networks should be completely independent, as I segregated them by VLANs; however, sharing the APs shouldn't be a problem as far as I know, but maybe I'm wrong.

 

I thought the solution was to set Port 5 to a trunk port with the Native VLAN as 149, but that didn't work. The IPs were still from the wrong range; it's like the IPs are sticky to whatever they get, even after refreshing them. This seems like it should be really simple, but I'm clearly missing something.

 

Thanks in advance for any guidance and help.

Brash
Kind of a big deal

It's difficult to get an idea of your exact configuration from above, but typically you would want to do a trunk port between MX and MR, allowing all of the VLANs of your SSIDs. The native VLAN should be either an unused VLAN or the MR management VLAN (depending on if you've manually tagged the management VLAN on the MRs or not).

Finally, your SSID configuration should do the actual VLAN tagging.

 

Can you give us some screenshots of the port config on the MX and the SSID config on the MR?

WhoIsThis
Comes here often

I think this is what you're asking for. If not, I can take some more.

 

The config for both SSIDs is the same, less the WPA key.

 

The trunk port makes sense, and I did try that, but like I said originally, it's like the IPs are too sticky, they stay with the device regardless of which network they are connected to.

Screenshots: MX Port Config, SSID Config 1, SSID Config 2

Brash
Kind of a big deal

You need to be VLAN tagging on the SSID.

In the 2nd screenshot, you have "don't use vlan tagging", which means that clients aren't being assigned a VLAN based on the SSID. They will instead just get out onto the native VLAN.

WhoIsThis
Comes here often

 

I think we're on the same page, as that's something else I tried. However, what may have thrown me off is the "All other APs" field: what should that be set as?

I haven't implemented the changes; I just want to confirm your recommendations with the images.

Screenshots: VLAN Tagging Office, VLAN Tagging Store, Trunk Port

Brash
Kind of a big deal

So with the config there, you're applying configuration based on AP tags. Are you using tags on your access points?

If not, the "Default" tag applies to all APs.

Otherwise, if you are, you can assign the VLAN to the SSID based on AP tag as you have there.

WhoIsThis
Comes here often

I created tags and implemented them as a workaround to restore the previous physical setup. I used the SSID Availability feature to limit which was broadcast by which AP.

 

What is the alternative to using tags? What is your recommended configuration?

TBHPTL
A model citizen

Are you sure that there is an issue? If you are testing with the same laptop or device, make sure that you are looking at the SSID-specific Clients for the past two hours, or else you may be fooled into thinking that the wrong subnet is in use... The first time I ran across this with Meraki in 2016, I nearly had a heart attack thinking my guest segment was leaking into my corp VLAN... Why does this happen? The same client accessing multiple segments. If you don't narrow the search, it will give you the first record it finds in the client table... So host name searches and MAC searches require very specific filtering. Also, patience with allowing the cloud to update with the data helps. I would also move your store segment off of VLAN 1 and onto a different VLAN, as the use of VLAN 1 could cause all sorts of unintended behavior.
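
Added example (not part of any post in this thread, and not Meraki tooling): a small offline model of the behaviour discussed above, where an SSID without VLAN tagging lands on the native VLAN of whichever port its AP uplinks through. The class and function names and VLAN 999 are hypothetical; the port and SSID values are constructed from the original post.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Port:
    number: int
    mode: str               # "access" or "trunk"
    native_vlan: int        # VLAN that untagged frames land in
    allowed: frozenset = frozenset()   # tagged VLANs carried (trunk only)

@dataclass(frozen=True)
class Ssid:
    name: str
    vlan_tag: "int | None"  # None models "don't use VLAN tagging"
    intended_vlan: int

def effective_vlan(ssid, port):
    """VLAN a client lands in when its AP uplinks via `port`; None = not carried."""
    if ssid.vlan_tag is None:
        return port.native_vlan            # untagged traffic follows the port
    if port.mode == "trunk" and ssid.vlan_tag in port.allowed:
        return ssid.vlan_tag               # the SSID's tag survives the trunk
    return None                            # tagged frame the port does not carry

def audit(ssids, ports):
    """Return (ssid, port, got, wanted) for each SSID/port pair in the wrong VLAN."""
    return [(s.name, p.number, effective_vlan(s, p), s.intended_vlan)
            for s in ssids for p in ports
            if effective_vlan(s, p) != s.intended_vlan]

# Constructed from the original post: port 3 trunk (native VLAN 1),
# port 5 access (VLAN 149), both SSIDs without VLAN tagging.
AS_POSTED_PORTS = [Port(3, "trunk", 1), Port(5, "access", 149)]
AS_POSTED_SSIDS = [Ssid("Store", None, 1), Ssid("Office", None, 149)]

# Layout suggested in the replies: trunk to every AP, SSIDs tagged,
# native VLAN unused. VLAN 999 is a hypothetical unused VLAN.
CARRIED = frozenset({1, 149})
TAGGED_PORTS = [Port(3, "trunk", 999, CARRIED), Port(5, "trunk", 999, CARRIED)]
TAGGED_SSIDS = [Ssid("Store", 1, 1), Ssid("Office", 149, 149)]

if __name__ == "__main__":
    for name, port, got, want in audit(AS_POSTED_SSIDS, AS_POSTED_PORTS):
        print(f"{name} via port {port}: lands in VLAN {got}, expected {want}")
    print("tagged layout findings:", audit(TAGGED_SSIDS, TAGGED_PORTS))
```
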
