Understanding and Configuring Management VLANs on Cisco Meraki Access Points
The purpose of this article is to explain the configuration and use of Management VLANs on Cisco Meraki MR access points.
Introduction
MR access points must be connected to the network, both for client traffic and for their own management traffic, that is, the traffic that any Cisco Meraki device sends upstream to the cloud controller. When you have a network with multiple VLANs, it is important to ensure that the MR's traffic is placed on the appropriate VLAN, typically a dedicated management VLAN for cloud-bound traffic.
For more information on VLANs in general, please read the following article:
Tagging a Management VLAN on a Cisco Meraki Device
On a gateway access point, a VLAN tag can be assigned to the device for its own management traffic. This can be done either in Dashboard under Wireless > Monitor > Access Points > (AP's name) > click the Edit icon, or on the Local Status Page of the device.
This tells the device to tag that specific VLAN for management and cloud traffic in order for it to be correctly passed on the LAN.
Note: Tagging egress per SSID on an Access Point requires that the AP be plugged into a trunk port. For more about IEEE 802.1Q and VLAN tagging, please refer to our documentation on Meraki Gateway Access Points, IEEE 802.1Q, and VLAN Tagging.
Note: If a native VLAN is configured on an upstream 802.1Q trunk port, then ensure the access point's VLAN tag is not the same ID as the native VLAN.
Specifying the same VLAN ID would tell the access point to tag its management traffic with that ID, which would likely cause it to be dropped by the upstream trunk port.
Untagged Traffic on a Cisco Meraki Device's Management VLAN
When an MR access point is connected to an access switch port rather than a trunk switch port, you do not need to specify a VLAN when using DHCP or assigning a static IP address. The AP must use an IP address within the subnet of that VLAN, and the VLAN field needs to be left blank.
Specifying the VLAN ID would tell the access point to tag its management traffic with that ID, which would likely cause it to be dropped by the access switch port.
Note: Meraki management traffic destined for the Cloud is forwarded onto the wired network untagged. On an 802.1Q trunk port, untagged traffic is placed on the native VLAN. The native VLAN should be the same for all interconnected switches and routers on the LAN and have a routing interface with a path to the Internet.
Note: If SSIDs are not tagging specific VLANs, then the Management VLAN will also be used for client traffic.
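The tagging rules in this article can be checked across a fleet before a change window. The following is an added example, not Meraki code and not a Meraki API: the record fields (`port_mode`, `native_vlan`, `mgmt_vlan`, `ssid_vlans`), the finding codes and the inventory are all hypothetical and constructed for illustration.

```python
# Added example. Record fields, finding codes and the inventory are hypothetical
# and constructed for illustration; nothing here calls a Meraki API.
DESCRIPTIONS = {
    "MGMT_TAG_ON_ACCESS_PORT": "VLAN field set on an access port; tagged management "
                               "traffic will likely be dropped, leave the field blank",
    "MGMT_TAG_EQUALS_NATIVE": "management VLAN tag equals the trunk's native VLAN; "
                              "tagged management traffic will likely be dropped",
    "SSID_TAG_NEEDS_TRUNK": "per-SSID VLAN tagging requires a trunk port",
    "CLIENTS_SHARE_MGMT_VLAN": "SSIDs without a VLAN tag put client traffic on the "
                               "management VLAN",
}

def audit_ap(ap):
    """Return finding codes for one AP record, following the rules in this article."""
    mode, mgmt = ap["port_mode"], ap["mgmt_vlan"]   # mgmt None = VLAN field blank
    if mode not in ("access", "trunk"):
        raise ValueError("unknown port mode: %r" % (mode,))
    tagged = [s for s, v in ap["ssid_vlans"].items() if v is not None]
    untagged = [s for s, v in ap["ssid_vlans"].items() if v is None]
    findings = []
    if mode == "access":
        if mgmt is not None:
            findings.append("MGMT_TAG_ON_ACCESS_PORT")
        if tagged:
            findings.append("SSID_TAG_NEEDS_TRUNK")
    elif mgmt is not None and mgmt == ap.get("native_vlan"):
        findings.append("MGMT_TAG_EQUALS_NATIVE")
    if untagged:
        findings.append("CLIENTS_SHARE_MGMT_VLAN")
    return findings

def audit_inventory(inventory):
    """Map AP name -> finding codes, listing only APs that have findings."""
    results = {ap["name"]: audit_ap(ap) for ap in inventory}
    return {name: codes for name, codes in results.items() if codes}

# Constructed sample inventory (upstream port settings plus AP settings).
INVENTORY = [
    {"name": "ap-lobby", "port_mode": "trunk", "native_vlan": 1, "mgmt_vlan": 10,
     "ssid_vlans": {"corp": 20, "guest": 30}},
    {"name": "ap-warehouse", "port_mode": "trunk", "native_vlan": 10, "mgmt_vlan": 10,
     "ssid_vlans": {"corp": 20}},
    {"name": "ap-kiosk", "port_mode": "access", "mgmt_vlan": 10,
     "ssid_vlans": {"guest": None}},
    {"name": "ap-office", "port_mode": "access", "mgmt_vlan": None,
     "ssid_vlans": {"corp": 20}},
]

if __name__ == "__main__":
    for name, codes in audit_inventory(INVENTORY).items():
        for code in codes:
            print("%s: %s (%s)" % (name, code, DESCRIPTIONS[code]))
```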