We are using a single MX80 router that has two VLANs configured, VLAN10 with subnet 192.168.10.0/24 and VLAN20 with subnet 192.168.20.0/24. All untagged traffic was assumed to be on VLAN20. This means that if the network traffic is not tagged on the switch, the router will place the traffic in VLAN20. DHCP is running on the MX80 and is configured to dish out IP addresses to each subnet accordingly. Connected to the MX80 router is one MS22 switch, with one trunk port allowing all VLANs. The first half of the ports on the MS22 switch tags traffic for VLAN10, and the second half of the switch ports tags traffic for VLAN20.
For some reason, when connecting a host to the VLAN10 switch ports, the MX80 was ignoring the VLAN tagging and assigning a DHCP address to the host from the VLAN20 scope - breaking our security model for this network. Any traffic tagged on VLAN10 should be assigned a DHCP IP address on the VLAN10 subnet, correct? Well, not exactly. The problem was due to two things:
1) The MX80 was configured to put untagged traffic on VLAN20.
2) The Management VLAN on the MS22 was still set for VLAN 1.
In order to fix this, the solution was simple - change the management VLAN on the MS22 to VLAN 20.
A more secure option was to configure the following:
- Configure a static IP address on the MS22 switch. (This must be the first step!)
- Configure the Management VLAN on the MS22 switch to VLAN 1.
- Configure an Uplink port on the MS22 switch as a trunk port, and set it for native VLAN 1.
- Administratively deactivate the unused ports on the MS22 switch.
- Configure the MX80 to drop untagged traffic.
Here are a few things that I have learned with this type of setup:
- Configure the MS22 switch’s static IP address FIRST before you do ANYTHING ELSE. Not configuring the static IP before setting the option on the MX80 to drop untagged traffic will cause the switch to never be able to check into the Meraki Cloud Controller (MCC / the Dashboard).
- If you didn’t set the static IP first, then here is what you need to do to fix the problem:
  - On the MX80, change the setting for untagged traffic to VLAN10.
  - Wait 2-3 minutes, then check the dashboard to see if the switch has checked in. If not, fully reset the MS22 switch using the Reset button on the front panel.
  - Verify that the switch has now checked into MCC.
  - Assign the static IP address from the dashboard under Monitor >> Switches >> choose the switch; under Status, click SET IP ADDRESS.
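To make the two behaviours in this post concrete (how the router's untagged-traffic setting decides which DHCP scope a host lands in, and why the switch locks itself out of the Dashboard when untagged traffic is dropped before a static IP is set), here is a small added simulation in Python. It is not Meraki code and does not talk to any device; it parses constructed 802.1Q frames, applies a router policy modelled on the two MX80 settings described above, and checks whether the switch's management traffic would still get an address. The `RouterPolicy`, `switch_mgmt_reachable` and `trunk_vid` names, the sample MAC addresses and the simplifying assumption that a static IP removes the DHCP dependency are all mine.

```python
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_8021Q = 0x8100  # an 802.1Q tag follows the source MAC
ETHERTYPE_IPV4 = 0x0800

# DHCP scopes per VLAN, as configured on the MX80 in the post.
DHCP_SCOPES = {10: "192.168.10.0/24", 20: "192.168.20.0/24"}


@dataclass(frozen=True)
class RouterPolicy:
    """How the router treats frames that arrive on the trunk without a tag
    (assumed model of the MX80 setting).

    untagged_vlan=20   -> place untagged traffic in VLAN20 (the original setting)
    untagged_vlan=None -> drop untagged traffic (the hardened setting)
    """
    untagged_vlan: Optional[int]


def build_frame(dst: bytes, src: bytes, vlan: Optional[int] = None,
                payload: bytes = b"") -> bytes:
    """Build a minimal Ethernet frame; add an 802.1Q tag when vlan is given (constructed data)."""
    frame = dst + src
    if vlan is not None:
        tci = vlan & 0x0FFF  # PCP=0, DEI=0, VID in the low 12 bits
        frame += struct.pack("!HH", ETHERTYPE_8021Q, tci)
    return frame + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_vid(frame: bytes) -> Optional[int]:
    """Return the VLAN id in the frame's 802.1Q tag, or None if the frame is untagged."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_8021Q:
        return None
    if len(frame) < 16:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF


def router_vlan(frame: bytes, policy: RouterPolicy) -> Optional[int]:
    """VLAN the router assigns the frame to, or None if the policy drops it."""
    vid = parse_vid(frame)
    return policy.untagged_vlan if vid is None else vid


def dhcp_scope(frame: bytes, policy: RouterPolicy) -> Optional[str]:
    """DHCP scope a host sending this frame would be served from (None: no lease)."""
    vlan = router_vlan(frame, policy)
    return DHCP_SCOPES.get(vlan) if vlan is not None else None


def trunk_vid(traffic_vlan: int, native_vlan: int) -> Optional[int]:
    """A switch sends its native VLAN untagged on a trunk; every other VLAN is tagged."""
    return None if traffic_vlan == native_vlan else traffic_vlan


def switch_mgmt_reachable(mgmt_vlan: int, native_vlan: int,
                          policy: RouterPolicy, static_ip: bool) -> bool:
    """Simplified model (assumption) of whether the switch can obtain a management address.

    With a static IP the switch does not depend on DHCP through the router, which is
    why the post insists on setting it first. Without one, its management frames must
    be accepted by the router and land in a VLAN that has a DHCP scope.
    """
    if static_ip:
        return True
    mac = bytes.fromhex("020000000001")  # constructed locally administered MAC
    frame = build_frame(mac, mac, trunk_vid(mgmt_vlan, native_vlan))
    return dhcp_scope(frame, policy) is not None


if __name__ == "__main__":
    host, router = bytes.fromhex("020000000002"), bytes.fromhex("020000000003")
    untagged_to_20, drop_untagged = RouterPolicy(20), RouterPolicy(None)
    print("VLAN10 host, tagged :", dhcp_scope(build_frame(router, host, 10), untagged_to_20))
    print("untagged host, orig :", dhcp_scope(build_frame(router, host), untagged_to_20))
    print("untagged host, drop :", dhcp_scope(build_frame(router, host), drop_untagged))
    # Management VLAN 1 on a trunk whose native VLAN is 1 goes out untagged.
    print("switch, drop, no static IP :", switch_mgmt_reachable(1, 1, drop_untagged, False))
    print("switch, drop, static IP    :", switch_mgmt_reachable(1, 1, drop_untagged, True))
```

Running it shows the lockout directly: with management VLAN 1 sent untagged over a native-VLAN-1 trunk, switching the router to "drop untagged" leaves the switch with no DHCP path, which is exactly the ordering problem the list above warns about; setting the static IP first (or temporarily mapping untagged traffic to VLAN10, as in the recovery steps) restores it.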
So, that is pretty much it. This issue may have been an elementary one, but it all goes back to how VLAN tagging works. I enjoy working with Meraki devices and I have a good feeling that Meraki will continue making more interesting products. As always, feel free to leave a comment below.