NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
Forum Discussion
Solved
VLAN Tagging Meraki AP
I've listed the equipment I have installed on my network. Everything is operational, with the exception of the VLAN tagging for Meraki APs. I've Tagged VLAN 10 and 15 for these devices and VLAN 10 as PVID. The issue I'm having is when I configure the SSIDs tagging on the proper VLANs (10 & 15), the clients can't retrieve IP addresses from DHCP Server (ASA). See attached diagram.
Cisco ASA Firewall
- Internet
- Routing
- Network DHCP Server
Netgear GS728TP
- VLANs (5,10,15,20, 50)
Meraki APs
- Access to 2 VLANs (10 & 15)
In the Cisco realm, the proper command looks like this
interface GigabitEthernet1/0/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport trunk allowed vlan 2,5,10,15
switchport mode trunk
How best to achieve this task on Netgear switches?
Thank you in advance
The problem here seems to be the understanding of configuring the ASA resp. the Meraki AP with it's definition of the "native VLAN".
The Netgear switches are - except of the PVID part - pretty clear and translate the VLAN basics well.
ashy516 wrote:How best to achieve this task on Netgear switches?
To start with, get a plan, write down what you need, remove things not required, and learn the language and slng of the three products are talking... Oh and to start you need to understand that it's not "tagging" what makes up a VLAN. On the network itself, it's all about VLAN, and for a trunk defining which VANs are tagged, and which one (one!) is untagged. Hint: Meraki and sometimes Cisco does designate this as "native VLAN".
ashy516 wrote:I've Tagged VLAN 10 and 15 for these devices and VLAN 10 as PVID.
This does already sound wrong. At the same time, it's the only "special" part the Netgear Smart Managed switches have the PVID does designate the VLAN where incoming untagged frames will be assigned to. If VlAN 10 needs to be untagged, configure VLAN 10 [U]ntagged and PVID 10.
ashy516 wrote:Cisco ASA Firewall
- Internet
- Routing
- Network DHCP ServerThe ASA port and the switch port must be defined the same - all VLANs tagged, except if there is the intention to keep one untagged (as done on the Meraki).
ashy516 wrote:Netgear GS728TP
- VLANs (5,10,15,20, 50)Meraki APs
- Access to 2 VLANs (10 & 15)...
switchport trunk allowed vlan 2,5,10,15Somehow, there seems to be a mess with the VLAN (e.g. 2 vs. 20). And if you need only 10 and 15 on the Meraki, what are 2, 5 for?
ashy516 wrote:Meraki APs
- Access to 2 VLANs (10 & 15)...
switchport trunk encapsulation dot1qswitchport trunk native vlan 10
switchport trunk allowed vlan 2,5,10,15
switchport mode trunkNetgear switch port to connect to the Meraki AP configured as a trunk:
VLAN 1 [ ] ...empty, not participating (essential!)
VLAN 10 [U]ntagged ...you set it as native(!)
PVID 10 ...as explained above, untagged frames to VLAN 10.VLAN 20 [T]agged
VLAN xx [ ] ...empty, not participating, xx applies to all other VLANs like 2,5,20,50 (just picked all you listed)
A similar config for the ASA port (or a LAG) ... essential is that you have the same on the ASA and on the switch side.
Ensure you have always only ONE VLAN as [U]ntagged and the same PVID set on a port in a 802.1q environment.
No rocket science as I said. No magic config, dependencies, complex CLI, ... just basic VLAN networking.Enjoy,
-Kurt
2 Replies
Replies have been turned off for this discussion
The problem here seems to be the understanding of configuring the ASA resp. the Meraki AP with it's definition of the "native VLAN".
The Netgear switches are - except of the PVID part - pretty clear and translate the VLAN basics well.
ashy516 wrote:How best to achieve this task on Netgear switches?
To start with, get a plan, write down what you need, remove things not required, and learn the language and slng of the three products are talking... Oh and to start you need to understand that it's not "tagging" what makes up a VLAN. On the network itself, it's all about VLAN, and for a trunk defining which VANs are tagged, and which one (one!) is untagged. Hint: Meraki and sometimes Cisco does designate this as "native VLAN".
ashy516 wrote:I've Tagged VLAN 10 and 15 for these devices and VLAN 10 as PVID.
This does already sound wrong. At the same time, it's the only "special" part the Netgear Smart Managed switches have the PVID does designate the VLAN where incoming untagged frames will be assigned to. If VlAN 10 needs to be untagged, configure VLAN 10 [U]ntagged and PVID 10.
ashy516 wrote:Cisco ASA Firewall
- Internet
- Routing
- Network DHCP ServerThe ASA port and the switch port must be defined the same - all VLANs tagged, except if there is the intention to keep one untagged (as done on the Meraki).
ashy516 wrote:Netgear GS728TP
- VLANs (5,10,15,20, 50)Meraki APs
- Access to 2 VLANs (10 & 15)...
switchport trunk allowed vlan 2,5,10,15Somehow, there seems to be a mess with the VLAN (e.g. 2 vs. 20). And if you need only 10 and 15 on the Meraki, what are 2, 5 for?
ashy516 wrote:Meraki APs
- Access to 2 VLANs (10 & 15)...
switchport trunk encapsulation dot1qswitchport trunk native vlan 10
switchport trunk allowed vlan 2,5,10,15
switchport mode trunkNetgear switch port to connect to the Meraki AP configured as a trunk:
VLAN 1 [ ] ...empty, not participating (essential!)
VLAN 10 [U]ntagged ...you set it as native(!)
PVID 10 ...as explained above, untagged frames to VLAN 10.VLAN 20 [T]agged
VLAN xx [ ] ...empty, not participating, xx applies to all other VLANs like 2,5,20,50 (just picked all you listed)
A similar config for the ASA port (or a LAG) ... essential is that you have the same on the ASA and on the switch side.
Ensure you have always only ONE VLAN as [U]ntagged and the same PVID set on a port in a 802.1q environment.
No rocket science as I said. No magic config, dependencies, complex CLI, ... just basic VLAN networking.Enjoy,
-Kurt
Well said and thank you. I was able to get everything configured properly.
NETGEAR Academy
Boost your skills with the Netgear Academy - Get trained, certified and stay ahead with the latest Netgear technology!
Join Us!
