Home > Wireless LAN > Client Addressing and Bridging > VLAN Tagging on MR Access Points

VLAN Tagging on MR Access Points

It is often necessary to configure VLANs on your network to limit broadcast traffic, segment traffic, or restrict traffic for security reasons. If you already have VLANs implemented on your wired network, you can extend this to your wireless network as well with MR Access Points which support IEEE 802.1Q VLAN tagging in Bridge mode. These VLAN tags can be applied per-SSID, per-user, per-device or per-AP

This article describes how MR Access Points perform VLAN tagging on client data received on a specific SSID and provides a step by step process to set per-SSID VLAN tagging in Dashboard.

Per-SSID VLAN tagging in Meraki APs

If Bridge mode is configured with an assigned VLAN tag on a SSID, wireless client traffic (Data) on this SSID will be tagged with the configured VLAN number when forwarded to the switch. On the other hand, AP management traffic will be sent untagged to the switch. The following diagram shows the data flow between wireless clients, the AP and the switch:

 

Gateway access points must be uplinked directly to an 802.1Q trunk port on the upstream switch when VLAN tagging. A DHCP service will need to be running on the native VLAN or a static IP address on the native VLAN can be assigned to the access point. 

Note: Meraki management traffic destined for the Cloud is forwarded onto the wired network untagged. On an 802.1Q trunk, untagged traffic is placed on the native VLAN. The native VLAN should be the same for all interconnected switches and router on the LAN and have a routing interface with a path to Internet. 

 

The following requirements must be met in order for 802.1Q VLAN tagging to function properly:

  • All APs must be configured with an IP address on the native VLAN either statically or by DHCP.
  • The switch port the Cisco Meraki AP is connected to should be configured as an 802.1Q trunk port.
  • The trunk port should be configured for 802.1q trunk encapsulation which is an IEEE standard.
  • The trunk port should be set to allow all the VLANs that will be tagged on each SSID. 
  • Each SSID in Dashboard should be tagged with a VLAN that is routable and configured throughout your local switching fabric.
  • VLAN tagging is only available in Bridge mode, which is a feature available to Enterprise customers.
  • Management traffic from the Cisco Meraki APs should be allowed to bypass any Content Filtering or Proxy.
  • For information on configuring particular switches for 802.1Q, please consult the switch manufacturer's documentation.

Setting Per-SSID VLAN Tagging in Dashboard

  1. Under Configure > Access control > Addressing and traffic, select "Use VLAN tagging" from the drop down menu.

 

  1. Configure SSID-wide single VLAN tags or per-AP multiple VLAN tags. 
    • SSID-wide single VLAN tagging
      In the "All other APs" box, enter the VLAN ID you want the client traffic on that SSID to be tagged as. Under this setting, all APs in your wireless network will apply the specified tag on client traffic in that SSID. Click on "Save".

       
    • Per-AP multiple VLAN tagging
      Click on "Add VLAN". Enter the AP tag that identifies the AP (or APs) you want to set for a specific VLAN tagging. Repeat this step for each AP tag group in which want to apply a specific VLAN tagging on their clients for this specific SSID. Here, AP tags are used to further customize your per-SSID VLAN configuration. Click on "Save".
      Note: AP tags are case sensitive

 

Any SSIDs that should be using the native VLAN of the trunk port the AP is connected should not be tagged by the AP. Upstream switching devices must be configured to forward untagged traffiic on the native VLAN. 

You must to post a comment.
Last modified
15:10, 18 Feb 2016

Tags

This page has no custom tags.

Classifications

This page has no classifications.

Article ID

ID: 2063

Contact Support

Most questions can be answered by reviewing our documentation, but if you need more help, Cisco Meraki Support is ready to work with you.

Open a Case