VLAN question
-
I have a Meraki firewall configured with 4 VLANs.
VLAN 1 - default 192.168.1.0/24
VLAN 2 - guest 192.168.2.0/24
VLAN 3 - 2nd floor 172.16.0.0/23
VLAN 4 - 2nd fl guest 172.17.0.0/23I am separating out two floors, floor 1 will get VLANs 1 and 2 and floor 2 will get 3 and 4. No communication needs to happen across any of the vlans. The port on the firewall connecting to the first-floor switch is a trunk port on the native VLAN allowing VLANs 1 and 2. The port on the firewall connection to the 2nd-floor switch is also a trunk port allowing VLANs 3 and 4 with 3 being the native VLAN on that port. Because of this, when I configure the VLAN on the switch on floor 2, I currently have VLAN 1 (default), VLAN 3 and VLAN 4, however, VLAN 1 is actually the 172.16.0.0 network. Everything works and I am able to have the guest wifi (VLAN 4) issue from the ap's, however it is a bit confusing as the default VLAN on the switch on floor 2 is actually VLAN 3 on the firewall.
-
This is why most people avoid using vlan's they are confusing and add almost no value. . .
-
What's the question?
-
Would there be a better way to configure this setup so that the vlans on the 2nd floor switch match across the entire site? I was thinking to set all ports, except the trunk port, on the 2nd floor switch to untagged for vlan 3, and excluding vlan 1 and vlan 2 from all ports on the same switch.
-
What is the reason for VLANs in this instance?
-
To provide both a secure and guest wifi access using the same access points across the floors.
-
@i3 said in VLAN question:
To provide both a secure and guest wifi access using the same access points across the floors.
So what's the point of having the two floors different? Just have one VLAN for the production network and one VLAN for the guest network.
-
@i3 Regardless of the need for vlans, setting them up to have the same name/id on each piece of gear is a good idea. Very confusing for others after you, and probably you to visualize.
-
Sorry, the separation of floors is due to a subentity of the main company.
-
@i3 said in VLAN question:
Sorry, the separation of floors is due to a subentity of the main company.
Thanks, that's what I thought but wanted confirmation.
-
@i3 said in VLAN question:
Sorry, the separation of floors is due to a subentity of the main company.
OK assuming you actually need this level of separation, sounds OK.
Can the guest network be the same for both floors? Your diagram shows only one internet connection, so making the guest networks separate might be one step you can discard.
Do you need wired access to the VLANs? If not, you should be able to have the APs put the specific SSID on a specific VLAN, then the ports that go to those APs just need to be trunked for that VLAN.
I might consider the following.
Floor 1 default VLAN for production - no settings VLAN2 - guest Firewall port is aware of default and VLAN2 (only need settings for VLAN2)Floor 2 defautl VLAN for production - no settings VLAN4 - guest Firewall port is aware of default and VLAN4 (only need settings for VLAN4)Assuming the firewall is treating each port as independent, there's not reason to worry about the default VLAN.
Now I await JB telling me WTF.
-
I omitted the 2nd internet connection but yes we have two. Floor 2 uses the second connection to the internet and floor 1 the primary connection. The guest network cannot be the same for both floors. I do require wired access to only vlan 1 on floor 1 and vlan 3 on floor 2.
-
@i3 said in VLAN question:
I omitted the 2nd internet connection but yes we have two. Floor 2 uses the second connection to the internet and floor 1 the primary connection. The guest network cannot be the same for both floors. I do require wired access to only vlan 1 on floor 1 and vlan 3 on floor 2.
Now I'm assuming you're using one firewall to save money?
-
We are using one firewall to take advantage of ISP failover in the event the primary goes down the first floor will failover and use the 2nd floor's internet connection.
-
@i3 said in VLAN question:
Would there be a better way to configure this setup so that the vlans on the 2nd floor switch match across the entire site? I was thinking to set all ports, except the trunk port, on the 2nd floor switch to untagged for vlan 3, and excluding vlan 1 and vlan 2 from all ports on the same switch.
Considering that you say that zero traffic from Floor 1 should interact with traffic on Floor 2, why does it matter if things match across the whole site?
If your router is truly keeping any traffic from Floor 1 from being routed to Floor 2's port, and vice versa, the need to disable VLAN 1 and 2 on Floor 2's switch is meaningless.
Scott just mentioned that he believes that the Meraki might have a switch feature in it's router. If that's the case, and you're not using it, why not disable it.
-
@i3 said in VLAN question:
I omitted the 2nd internet connection but yes we have two.
I'm curious, why two ISPs? There are many reasons, I'm wondering this situation's reason.
-
Two ISP's for failover. We utilize quite a few different cloud services, with hosted phones being one of them.
@dashrender said in VLAN question:
" Considering that you say that zero traffic from Floor 1 should interact with traffic on Floor 2, why does it matter if things match across the whole site?"
To make it easier to visualize and understand for anyone other than me.
@dashrender said in VLAN question:
Scott just mentioned that he believes that the Meraki might have a switch feature in it's router. If that's the case, and you're not using it, why not disable it.
I am not sure I understand this.
-
@i3 said in VLAN question:
@dashrender said in VLAN question:
Scott just mentioned that he believes that the Meraki might have a switch feature in it's router. If that's the case, and you're not using it, why not disable it.
I am not sure I understand this.
If the router has switch ability built in, then the router might allow VLAN1 traffic on all ports of the switch. You don't seem to want this, so you should disable the switch feature, if the router has this feature.
-
A device like this can act in one of two ways. One is as a router, one is as a switch. Many Meraki, I believe, use a switch on the back end. So by default all traffic on the switch ports is comingled. But router ports don't act that way.
-
@i3 said in VLAN question:
Two ISP's for failover. We utilize quite a few different cloud services, with hosted phones being one of them.
So this is failover only? You're not routing traffic for floor 1 out ISP 1 and floor 2 out ISP 2, right?
