Hi, one of the schools we look after has had a new install of a stack of two Meraki MS-250 switches, and a number of MR44 WiFi access points.  The school want a guest SSID setting up.   The network has an IP range of 172.16.80.0 - 172.16.83.254, subnet 255.255.252.0, gateway 172.16.83.254   We have a DHCP scope for clients (this is external and not sourced from the switch) that gives out 172.16.81.1 to 172.16.82.254 (172.16.80.x used for servers, switches, printers etc., and 172.16.83.x currently not being used), they all use VLAN 60.   The head wants to introduce a guest WiFi network, but has been advised by the local authority that he must be able to monitor/log what is accessed (using the school's local filtering equipment), therefore we won't be able to set up the built in Meraki guest option where clients get a 10.0.0.0 address, because as far as we can see, all visited sites on the guest SSID would appear on the IP address of the WiFi access point used, with no way of separating it (this option would be perfect otherwise).   I understand the switches support Layer 3 routing - I have no experience at all at this level, so could someone look at what I've got in my head (below) and tell me if it's possible?   Basically, I was thinking that we might be able to tag the guest SSID with it's own VLAN (for instance, VLAN 61) and then, using the built in DHCP server in the switch, have a scope for this VLAN 61 on giving out addresses of 172.16.83.1-172.16.83.100 (utilizing the unused 172.16.83.x range in the network), but (and this is where I'd be completely lost) somehow then send this traffic, which is on the correct IP address but wrong VLAN, across to the correct VLAN (60) and out of the switch in the same way as the normal traffic from VLAN 60.   Is this an option?  I understand we that it would otherwise be an option to keep this guest traffic on it's VLAN 61 until it leaves the switch and have something done at the external firewall side, but we don't have much support from the people who provide our internet and firewall links, so if the guest traffic was able to leave the switch on individual addresses of 172.16.83.x, and be in VLAN 60, that would I think do the job.   Thanks for reading, any tips appreciated. ... View more

Hi, I am part of a small team that look after the technical support for a number of schools.  A local initiative has brought in money to replace the switches and wireless access points in a number of them (most of them currently running a mismatch of legacy equipment toggled together).  Two of the schools have already had their new installs - all Meraki MS switches and MR access points.   Our schools run two separate networks internally that don't see each other, which I'll call office and classroom.  On the older equipment we would VLAN them as 50 for the office network and 60 for the classroom (as per local council requirements).  Each network is fed a separate link to the outside world (50 is behind a authenticated proxy, 60 is filtered but straight out)  The new equipment is primarily to upgrade the classroom network, but if there are spare ports, we are hoping to use them to run the office network as well.   At the first school, the installers (as it's a contract we are not allowed to do it) left everything almost on default.   All ports were still set as trunk, and all were in still members of VLAN 1.  It works, but obviously I needed to get the correct VLANs set up.  The second school, we asked to have VLAN 60 set as the management VLAN from the off, so they put everything in VLAN 60, including making VLAN 60 the native VLAN.   In both schools, I've moved the internet link for the classroom network to a port I've configured in VLAN 60, changed the switch's VLAN to 60, and also changed the overall management VLAN to 60 (in switch settings  - VLAN configuration).  I then changed any edge ports to access ports in VLAN 60 (I've left the ports that the MR access ports use as trunk on VLAN 60, as I understand that allows us to add another SSID on another VLAN further down the line - but that's for another day).   I have also assigned a few spare ports to VLAN 50 for use by the office network when I feel confident in moving them across.   My sticking point is the trunk ports linking switches together.  Trying to follow tips on these forums about native VLAN best practices, in school A I have made the native VLAN on these to VLAN 777, which on purpose doesn't exist.  I put VLANs 50 and 60 as the only allowed VLANs across the links.   In school B, I removed the native VLAN altogether on the links, and again the only allowed VLANs across are 50 and 60.  Both seem to work - I can still manage the far switches on the ends of the trunks, and machines connected to them receive their data.  However, on this Meraki document I see the statement:   Note: Meraki management traffic destined for the Cloud is forwarded onto the wired network untagged. On an 802.1Q trunk, untagged traffic is placed on the native VLAN. The native VLAN should be the same for all interconnected switches and routers on the LAN and have a routing interface with a path to the Internet.    Does that mean I should be using my internet facing VLAN of 50 as the native VLAN for all the trunk links?   I'm totally stuck as to which of these methods I should be using - could somebody shed some light?  Many thanks.   ... View more

Hello, I've been asked to introduce myself - I'm Ian from the UK, I'm one of a small team of techs looking after our local primary schools.  I've configured 'the basics' (IP addressing, VLANs) on Cisco Catalyst and HP switches for a good number of years, but some of our schools are beginning to upgrade, and we've gone in the direction of Meraki MS switches and MR Wi-Fi access points.   I'm hoping to learn the best practices for the configuration and use of this equipment.  Fun fact (if you are in the UK) I once chased John McCririck across a field whilst drunk - that's the best I can think of at the moment!  Thanks 🙂 ... View more