It is often necessary to configure VLANs on your network to limit broadcast traffic, segment traffic, or restrict traffic for security reasons. If you already have VLANs implemented on your wired network, you can extend them to your wireless network with MR Access Points, which support IEEE 802.1Q VLAN tagging in Bridge mode. These VLAN tags can be applied per-SSID, per-user, per-device or per-AP.
This article describes how MR Access Points perform VLAN tagging on client data received on a specific SSID and provides a step-by-step process to set per-SSID VLAN tagging in Dashboard.
Per-SSID VLAN tagging in Meraki APs
If Bridge mode is configured with an assigned VLAN tag on an SSID, wireless client traffic (data) on this SSID will be tagged with the configured VLAN number when forwarded to the switch. AP management traffic, on the other hand, will be sent untagged to the switch. The following diagram shows the data flow between wireless clients, the AP and the switch:
Gateway access points must be uplinked directly to an 802.1Q trunk port on the upstream switch when VLAN tagging is used. A DHCP service will need to be running on the native VLAN, or a static IP address on the native VLAN can be assigned to the access point.
Note: Meraki management traffic destined for the Cloud is forwarded onto the wired network untagged. On an 802.1Q trunk, untagged traffic is placed on the native VLAN. The native VLAN should be the same for all interconnected switches and routers on the LAN and have a routing interface with a path to the Internet.
The following requirements must be met in order for 802.1Q VLAN tagging to function properly:
· All APs must be configured with an IP address on the native VLAN either statically or by DHCP.
· The switch port the Cisco Meraki AP is connected to should be configured as an 802.1Q trunk port.
· The trunk port should be configured for 802.1Q trunk encapsulation which is an IEEE standard.
· The trunk port should be set to allow all the VLANs that will be tagged on each SSID.
· Each SSID in Dashboard should be tagged with a VLAN that is routable and configured throughout your local switching fabric.
· VLAN tagging is only available in Bridge mode, which is a feature available to Enterprise customers.
· Management traffic from the Cisco Meraki APs should be allowed to bypass any Content Filtering or Proxy.
· For information on configuring particular switches for 802.1Q, please consult the switch manufacturer's documentation.
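A check of the trunk-port requirements above against a switch port configuration, as an added example that is not part of the original article or Meraki's own tooling. It assumes Cisco IOS-style `switchport` syntax with a plain (non-`add`) allowed list; the interface name, SSID names and VLAN IDs are constructed, and `expand_vlans` and `audit_trunk` are hypothetical helper names.

```python
import re

# Constructed sample: Cisco IOS-style config for the switch port facing an AP.
SAMPLE_PORT_CONFIG = """\
interface GigabitEthernet1/0/10
 description uplink to AP (constructed example)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20,30-32
"""

# Constructed sample: SSID name -> VLAN tag set in Dashboard (None = untagged).
SAMPLE_SSID_VLANS = {"corp": 20, "guest": 31, "iot": 40, "lab": None}


def expand_vlans(spec):
    """Expand an allowed-VLAN list such as '10,20,30-32' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def audit_trunk(port_config, ssid_vlans):
    """Return a list of findings; an empty list means the port meets the checks."""
    findings = []
    if not re.search(r"^\s*switchport mode trunk\s*$", port_config, re.M):
        findings.append("port is not configured as an 802.1Q trunk")
    m = re.search(r"^\s*switchport trunk native vlan (\d+)\s*$", port_config, re.M)
    native = int(m.group(1)) if m else 1  # IOS default native VLAN is 1
    m = re.search(r"^\s*switchport trunk allowed vlan ([\d,\- ]+)$", port_config, re.M)
    allowed = expand_vlans(m.group(1)) if m else set(range(1, 4095))  # default: all
    if native not in allowed:
        findings.append(f"native VLAN {native} (AP management) not allowed on trunk")
    for ssid, vlan in sorted(ssid_vlans.items()):
        if vlan is None:
            continue  # untagged SSID rides the native VLAN
        if vlan == native:
            findings.append(f"SSID {ssid!r} tags native VLAN {native}; leave it untagged")
        elif vlan not in allowed:
            findings.append(f"SSID {ssid!r} VLAN {vlan} not allowed on trunk")
    return findings


if __name__ == "__main__":
    for finding in audit_trunk(SAMPLE_PORT_CONFIG, SAMPLE_SSID_VLANS):
        print("FINDING:", finding)
```

With the constructed sample, the only finding is the "iot" SSID, whose VLAN 40 is missing from the trunk's allowed list, so its client traffic would be dropped at the switch port.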
Setting Per-SSID VLAN Tagging in Dashboard
1. Under Configure > Access control > Addressing and traffic, select "Use VLAN tagging" from the drop-down menu.
2. Configure SSID-wide single VLAN tags or per-AP multiple VLAN tags.
o SSID-wide single VLAN tagging
In the "All other APs" box, enter the VLAN ID you want the client traffic on that SSID to be tagged as. Under this setting, all APs in your wireless network will apply the specified tag on client traffic in that SSID. Click on "Save".
o Per-AP multiple VLAN tagging
Click on "Add VLAN". Enter the AP tag that identifies the AP (or APs) to which you want to assign a specific VLAN tag. Repeat this step for each AP tag group whose clients should receive a specific VLAN tag on this SSID. Here, AP tags are used to further customize your per-SSID VLAN configuration. Click on "Save".
Note: AP tags are case sensitive.
Any SSIDs that should be using the native VLAN of the trunk port the AP is connected to should not be tagged by the AP. Upstream switching devices must be configured to forward untagged traffic on the native VLAN.




