VLAN Tagging Meraki AP

ashy516
Aspirant

VLAN Tagging Meraki AP

I've listed the equipment I have installed on my network. Everything is operational, with the exception of the VLAN tagging for Meraki APs. I've Tagged VLAN 10 and 15 for these devices and VLAN 10 as PVID. The issue I'm having is when I configure the SSIDs tagging on the proper VLANs (10 & 15), the clients can't retrieve IP addresses from DHCP Server (ASA). See attached diagram. 

Cisco ASA Firewall 
- Internet
- Routing
- Network DHCP Server

Netgear GS728TP
- VLANs (5,10,15,20, 50)

Meraki APs
- Access to 2 VLANs (10 & 15)

In the Cisco realm, the proper command looks like this

interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport trunk allowed vlan 2,5,10,15
 switchport mode trunk

How best to achieve this task on Netgear switches?

Thank you in advance

Model: GS728TP|ProSafe 24 ports PoE Smart switch with 8 PoE+ ports
Message 1 of 3

Accepted Solutions
schumaku
Guru

Re: VLAN Tagging Meraki AP

The problem here seems to be the understanding of configuring the ASA resp. the Meraki AP with its definition of the "native VLAN".

 

The Netgear switches are - except for the PVID part - pretty clear and translate the VLAN basics well.

 


@ashy516 wrote:

How best to achieve this task on Netgear switches?


To start with, get a plan, write down what you need, remove things not required, and learn the language and slang the three products are talking... Oh, and to start you need to understand that it's not "tagging" what makes up a VLAN. On the network itself, it's all about VLAN, and for a trunk defining which VLANs are tagged, and which one (one!) is untagged. Hint: Meraki and sometimes Cisco does designate this as "native VLAN".

 


@ashy516 wrote:

I've Tagged VLAN 10 and 15 for these devices and VLAN 10 as PVID.


This does already sound wrong. At the same time, it's the only "special" part the Netgear Smart Managed switches have: the PVID does designate the VLAN where incoming untagged frames will be assigned to. If VLAN 10 needs to be untagged, configure VLAN 10 [U]ntagged and PVID 10.

 


@ashy516 wrote:

Cisco ASA Firewall 
- Internet
- Routing
- Network DHCP Server


The ASA port and the switch port must be defined the same - all VLANs tagged, except if there is the intention to keep one untagged (as done on the Meraki).

 


@ashy516 wrote:

Netgear GS728TP
- VLANs (5,10,15,20, 50)

Meraki APs
- Access to 2 VLANs (10 & 15)

...
 switchport trunk allowed vlan 2,5,10,15


Somehow, there seems to be a mess with the VLAN (e.g. 2 vs. 20). And if you need only 10 and 15 on the Meraki, what are 2, 5 for?

 


@ashy516 wrote:

Meraki APs
- Access to 2 VLANs (10 & 15)

...
switchport trunk encapsulation dot1q

 switchport trunk native vlan 10

 switchport trunk allowed vlan 2,5,10,15
 switchport mode trunk


Netgear switch port to connect to the Meraki AP configured as a trunk:

 

VLAN 1 [ ]  ...empty, not participating (essential!)

VLAN 10 [U]ntagged   ...you set it as native(!)
PVID 10 ...as explained above, untagged frames to VLAN 10.

VLAN 20 [T]agged 

VLAN xx [ ] ...empty, not participating, xx applies to all other VLANs like 2,5,20,50 (just picked all you listed) 

 

A similar config for the ASA port (or a LAG) ... essential is that you have the same on the ASA and on the switch side.

 

Ensure you always have only ONE VLAN as [U]ntagged and the same PVID set on a port in an 802.1q environment.


No rocket science as I said. No magic config, dependencies, complex CLI, ... just basic VLAN networking.

 

Enjoy,

-Kurt

Message 2 of 3
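
The rules from the reply above (one untagged VLAN per port, PVID equal to it, unused VLANs left empty, both link ends alike) written as a small checker. This is an added example, not part of the original thread and not Netgear tooling; the port names, the dict layout and the sample settings (VLANs 10 and 15 from the question) are constructed for illustration.

```python
# Added example: audit 802.1Q port settings against the rules in the reply.
# The dict layout is an assumption, not a Netgear export format.

def audit_port(name, membership, pvid, wanted):
    """membership: VLAN ID -> 'U' (untagged) or 'T' (tagged); absent = not a member.
    wanted: set of VLAN IDs the attached device actually needs."""
    findings = []
    untagged = sorted(v for v, m in membership.items() if m == "U")
    if len(untagged) > 1:
        findings.append(f"{name}: untagged VLANs {untagged}, only one is allowed")
    if membership.get(pvid) == "T":
        # The situation in the question: untagged ingress is put into the
        # PVID VLAN, but that VLAN's frames leave the port tagged.
        findings.append(f"{name}: PVID {pvid} is a tagged member of the port")
    elif pvid not in untagged:
        findings.append(f"{name}: PVID {pvid} does not match untagged {untagged}")
    extra = sorted(set(membership) - set(wanted))
    if extra:
        findings.append(f"{name}: member of VLANs {extra} the device does not need")
    missing = sorted(set(wanted) - set(membership))
    if missing:
        findings.append(f"{name}: not a member of needed VLANs {missing}")
    return findings

def compare_link(end_a, end_b):
    """Both ends of a link must agree on membership and on the untagged VLAN."""
    (name_a, mem_a), (name_b, mem_b) = end_a, end_b
    return [
        f"VLAN {v}: {name_a}={mem_a.get(v)} {name_b}={mem_b.get(v)}"
        for v in sorted(set(mem_a) | set(mem_b))
        if mem_a.get(v) != mem_b.get(v)
    ]

if __name__ == "__main__":
    need = {10, 15}
    samples = {  # constructed sample settings for one AP port
        "as posted (10 T, 15 T, PVID 10)": ({10: "T", 15: "T"}, 10),
        "default VLAN 1 left on the port": ({1: "U", 10: "U", 15: "T"}, 10),
        "one untagged VLAN, PVID matches": ({10: "U", 15: "T"}, 10),
    }
    for label, (membership, pvid) in samples.items():
        print(label, "->", audit_port("ap-port", membership, pvid, need) or "OK")
    print(compare_link(("switch", {10: "U", 15: "T"}), ("peer", {10: "T", 15: "T"})))
```
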

ashy516
Aspirant

Re: VLAN Tagging Meraki AP

Well said and thank you. I was able to get everything configured properly.

Message 3 of 3