Buy or Renew
Buy or Renew
NEW: Try the Beta AI Summary feature on posts in the Routing and SD-WAN forum. Click to go to the forum.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6870
Views
8
Helpful
5
Replies

Management Traffic Best Practice

Go to solution
daniel espinal
Level 3
Level 3

‎04-04-2018 08:39 PM

On a traditional Cisco network set up, I'd have a management VLAN that is only accessible from a port on a switch in a locked network closet or through a VPN connection that only network Admins have access to. This way the management traffic never touches normal traffic.

Ideally I'd set up a serial console server to which I'd have to hardwire and just access the CLI though that never even putting the management traffic on a network.

Lastly I was taught that no traffic should ever be flowing on the native VLAN. all native VLAN traffic should be dropped at the router. The thinking behind this is that nothing on your network should be untagged. All traffic entering your network should be placed on a VLAN. The native VLAN should be some obscure VLAN not used. It should never be VLAN1

With Meraki can I have the same level of control over the management traffic? Can I have all my equipment on a Management VLAN?

What's the best practice for Meraki concerning the IP addresses of their equipment?

Coming from the IOS world to the meraki platform is sort of like a WIndows guy moving to an OSX environment. Computing in general is universal it's the details that are different. I hope this all makes sense.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Uberseehandel
Level 8
Level 8

‎04-04-2018 10:32 PM

It may, or may not be best practice, but I have been able to ensure that

  • Everything on a trunk is tagged
  • a separate management VLAN is used
  • nothing is untagged
  • native/untagged is not used
  • unoccupied ports are disabled

Under certain circumstances, the controller may insist that a VLAN be assigned, in which case, I select a non-existent VLAN number, unsurprisingly, 101 is the logical selection.

In a world where we do not have control over all the "smart"/IoT devices in our environment, unwelcome activities are much more easily detected, in our case a VLAN turning up on an uplink, being used by a Zigbee/LTE device installed by the energy supplier.

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel

View solution in original post

5 Replies 5

Go to solution
Uberseehandel
Level 8
Level 8

‎04-04-2018 10:32 PM

It may, or may not be best practice, but I have been able to ensure that

  • Everything on a trunk is tagged
  • a separate management VLAN is used
  • nothing is untagged
  • native/untagged is not used
  • unoccupied ports are disabled

Under certain circumstances, the controller may insist that a VLAN be assigned, in which case, I select a non-existent VLAN number, unsurprisingly, 101 is the logical selection.

In a world where we do not have control over all the "smart"/IoT devices in our environment, unwelcome activities are much more easily detected, in our case a VLAN turning up on an uplink, being used by a Zigbee/LTE device installed by the energy supplier.

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel

Go to solution
simple818
Level 9
Level 9
In response to Uberseehandel

‎04-05-2018 08:19 AM

You can put all your devices on a management vlan but that management vlan will need internet access so the devices can checkin to the dashboard and be managed. There isn't much of a local managed option, so the serial/local old school way of implementing won't really work.

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.

Go to solution
Uberseehandel
Level 8
Level 8
In response to simple818

‎04-05-2018 09:01 AM

@simple818wrote:

. . . so the serial/local old school way of implementing won't really work.

Nevertheless, the IT industry does this sort of thing all the time.

  • all those DBAs trying to manage all DBMS as if they were Oracle (which is a job creation scheme for DBAs)
  • all those Netware trained engineers trying to design and manage networks the Novell way
  • all those web developers who could understand RDBMS and reinvented the wheel, badly (NoSQL)
  • all those flawed programming/scripting languages full of faults we knew were best avoided over 50 years ago
  • All those Unix sys admins trying to manage AIX as if it were SunOS
Robin St.Clair | Principal, Caithness Analytics | @uberseehandel

Go to solution
simple818
Level 9
Level 9
In response to Uberseehandel

‎04-05-2018 12:16 PM

@Uberseehandel totally not saying its the wrong way to do it. Just that it's trying to make an old solution work with hardware that has a new approach.

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.

Go to solution
Uberseehandel
Level 8
Level 8
In response to simple818

‎04-05-2018 12:53 PM

@simple818

I'm totally agreeing with you.

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
Customers Also Viewed These Support Documents