Native VLAN, DHCP, and Meraki

rcolt
Level 1

I have done 2 Meraki test deployments, one behind a Fortigate and another behind an ASA. During the Fortigate deployment we found the best way to tackle this was to plug the Meraki into a switchport that had no native trunk VLAN. This would set it to the native VLAN that was allowed across all trunk ports; the IP of the access point would be placed on this network, and it would then start broadcasting SSIDs and tag them appropriately.

While setting this up on a Catalyst/ASA setup, I found that no attempt to hand out DHCP was occurring when the switchport was configured with no native trunk port. The appropriate parts of the config look like this:

 

ASA-

interface GigabitEthernet1/2.1
vlan 1
nameif meraki
security-level 100
ip address 192.168.1.99 255.255.255.0 standby 192.168.1.98

interface GigabitEthernet1/2.10
vlan 10
nameif primary
security-level 100
ip address 10.1.66.1 255.255.255.192 standby 10.1.66.3

interface GigabitEthernet1/2.11
vlan 11
nameif test
security-level 100
ip address 10.1.66.65 255.255.255.192 standby 10.1.66.66

dhcpd address 10.1.66.70-10.1.66.90 test
dhcpd dns 8.8.8.8 4.2.2.2 interface test
dhcpd enable pos

dhcpd address 192.168.1.10-192.168.1.30 meraki
dhcpd dns 8.8.8.8 4.2.2.2 interface meraki
dhcpd enable meraki

 

 

3750-

(no vlan 1 name applicable)

vlan 11
name test

interface GigabitEthernet1/0/1
description ap1
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/2
description ap2
switchport trunk encapsulation dot1q
switchport mode trunk

interface GigabitEthernet1/0/24
description ASA uplink
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,10-14
switchport mode trunk

interface GigabitEthernet2/0/24
description secondary ASA uplink
switchport trunk encapsulation dot1q
switchport mode trunk

interface Vlan10
ip address 10.1.66.2 255.255.255.192
no ip redirects
no ip unreachables
no ip proxy-arp

ip default-gateway 10.1.66.1

interface Vlan1
no ip address
shutdown
!
 

(switch) show interfaces trunk

Port        Mode         Encapsulation  Status        Native vlan
Gi1/0/1     on           802.1q         trunking      1
Gi1/0/2     on           802.1q         trunking      1
Gi1/0/24    on           802.1q         trunking      1
Gi2/0/24    on           802.1q         trunking      1

Port        Vlans allowed on trunk
Gi1/0/1     1-4094
Gi1/0/2     1-4094
Gi1/0/24    1-99,101-4094
Gi2/0/24    1-4094

Port        Vlans allowed and active in management domain
Gi1/0/1     1,10-14
Gi1/0/2     1,10-14
Gi1/0/24    1,10-14
Gi2/0/24    1,10-14

Port        Vlans in spanning tree forwarding state and not pruned
Gi1/0/1     1,10-14
Gi1/0/2     1,10-14
Gi1/0/24    1,10-14
Gi2/0/24    1,10-14

---------

 

This setup does not work. If I set the native trunk VLAN to 11 for the 2 access point interfaces, it works fine and the access points make DHCP requests without issue. If I turn on DHCP debugging for packets and events, I can see the requests hit right after setting the native trunk VLAN; however, when it is set with no native trunk VLAN I do not see any DHCP events.

Alternatively, when using a Fortigate with this setup, the access point properly pulls DHCP from the native VLAN. If I no shut the interface Vlan1, there is no change. However, the Vlan1 interface is also shut on the Fortigate setup, as I was under the impression it did not need to be enabled with this being native VLAN traffic.

Am I missing a step here? Happy to provide any output as needed, and I appreciate any assistance!

 

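Since the question hinges on what happens to untagged frames on each trunk, here is an added example (my code, not the poster's and not anything from Cisco) that turns the `show interfaces trunk` output above into a per-port native-VLAN check. It assumes the Catalyst layout shown in the post: a first table with the columns Port / Mode / Encapsulation / Status / Native vlan, then per-port VLAN lists, each introduced by a header line beginning with "Port". The two samples are constructed: one mirrors the non-working output in the post (trimmed to two ports), the other the working case with the AP port on native VLAN 11. The audit flags a native VLAN that is the default VLAN 1, a trunk that allows every VLAN, and a native VLAN that is not active or not forwarding on that trunk, which is the condition under which an AP's untagged DHCP discover has nowhere to go.

```python
# Added example (not the poster's or Cisco's code). Assumes the Catalyst layout
# shown in the post: Port/Mode/Encapsulation/Status/Native vlan, then per-port
# VLAN lists, each introduced by a header line beginning with "Port".

# Constructed sample modelled on the post's output, trimmed to two ports.
SAMPLE = """\
Port Mode Encapsulation Status Native vlan
Gi1/0/1 on 802.1q trunking 1
Gi1/0/24 on 802.1q trunking 1

Port Vlans allowed on trunk
Gi1/0/1 1-4094
Gi1/0/24 1-99,101-4094

Port Vlans allowed and active in management domain
Gi1/0/1 1,10-14
Gi1/0/24 1,10-14

Port Vlans in spanning tree forwarding state and not pruned
Gi1/0/1 1,10-14
Gi1/0/24 1,10-14
"""

# Constructed variant of the working case in the post: AP port on native VLAN 11.
SAMPLE_NATIVE_11 = """\
Port Mode Encapsulation Status Native vlan
Gi1/0/1 on 802.1q trunking 11

Port Vlans allowed on trunk
Gi1/0/1 1-4094

Port Vlans allowed and active in management domain
Gi1/0/1 1,10-14
"""

# Header phrase -> section key; checked in order so "allowed and active" wins
# over "allowed on trunk".
SECTIONS = [
    ("native vlan", "native"),
    ("allowed and active", "active"),
    ("allowed on trunk", "allowed"),
    ("forwarding state", "forwarding"),
]


def expand_vlans(spec):
    """Expand a Cisco VLAN list such as '1,10-14' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def parse_trunk_output(text):
    """Return {port: {...}} parsed from the text of 'show interfaces trunk'."""
    ports, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Port"):
            header = line.lower()
            section = next((key for phrase, key in SECTIONS if phrase in header), None)
            continue
        fields = line.split()
        entry = ports.setdefault(fields[0], {})
        if section == "native" and len(fields) >= 5:
            entry.update(mode=fields[1], encap=fields[2], status=fields[3],
                         native=int(fields[4]))
        elif section in ("allowed", "active", "forwarding") and len(fields) >= 2:
            entry[section] = expand_vlans(fields[1])
    return ports


def audit_trunks(ports):
    """Flag per-port native-VLAN conditions; returns [(port, code), ...]."""
    findings = []
    for port, e in sorted(ports.items()):
        native = e.get("native")
        if native is None:
            continue
        if native == 1:
            # Untagged frames land in the default VLAN; use a dedicated native VLAN.
            findings.append((port, "NATIVE_IS_1"))
        if "allowed" in e and len(e["allowed"]) == 4094:
            findings.append((port, "ALL_VLANS_ALLOWED"))
        if "active" in e and native not in e["active"]:
            # Untagged traffic (e.g. an AP's DHCP discover) has no VLAN to land in.
            findings.append((port, "NATIVE_NOT_ACTIVE"))
        if "forwarding" in e and native not in e["forwarding"]:
            findings.append((port, "NATIVE_NOT_FORWARDING"))
    return findings


if __name__ == "__main__":
    for label, text in (("default native VLAN", SAMPLE), ("native VLAN 11", SAMPLE_NATIVE_11)):
        print(label, audit_trunks(parse_trunk_output(text)))
```

Run it against a pasted copy of your own `show interfaces trunk` output; the codes are deliberately terse so the list can be compared across switches. The check only reports a section that is actually present in the paste, so a truncated copy without the spanning-tree table still audits the native and allowed lists.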