Cisco Meraki

Named VLAN Profiles

Named VLAN profiles are currently in closed beta testing. Please reach out to Meraki Support to have the feature enabled.

Overview

Named VLAN profiles work along with 802.1X RADIUS authentication to assign authenticated users and devices to specific VLANs according to a VLAN name rather than an integer VLAN ID number. This can reduce the configuration burden on the RADIUS server by allowing fewer authentication policies to cover multiple sites that use different VLAN ID numbers for the same functional group of users and devices. For example, sites A and B may both have a "guest" VLAN, which is VLAN ID number 100 at site A but ID number 99 at site B. Without named VLAN profiles, a separate RADIUS policy would normally be created on the RADIUS server for each of site A and site B. With named VLAN profiles, a single policy can be created on the RADIUS server that sends the VLAN name "guest" to the switches at each site, and each switch then maps the "guest" VLAN name to the appropriate VLAN ID number for its site.

Requirements, guidelines, and limitations

Named VLAN profiles are supported on the following platforms and firmware versions:

MS Switch Family

MS Switch Series | MS Switch Model | Minimum Firmware Required
MS100 Series     | MS120           | MS 15
MS100 Series     | MS125           | MS 15
MS200 Series     | MS210           | MS 15
MS200 Series     | MS225           | MS 15
MS200 Series     | MS250           | MS 15
MS300 Series     | MS350           | MS 15
MS300 Series     | MS355           | MS 15
MS300 Series     | MS390           | MS 15

How it works

Example Scenario:

Named VLAN Profiles Topology.png


In this scenario, the network is divided into multiple floors, and each floor uses different VLAN ID numbers for the same functional groups (workstation, voice, and IoT devices). Rather than configuring an authentication policy for each floor on the RADIUS server, a single policy can be used that returns the VLAN names to the switches acting as the 802.1X authenticator. The switches then use the named VLAN profile configuration in the Meraki dashboard to map the VLAN names to the appropriate VLAN ID number for each floor.

In order to use named VLAN profiles, an access policy must first be configured and assigned to switchports to authenticate the users and devices connecting to those ports. For information on configuring and assigning access policies, see MS Switch Access Policies (802.1X).

The RADIUS server must be configured to send three attributes to the switch in the RADIUS Access-Accept message that results from a successful 802.1X authentication. These attributes tell the switch which VLAN name to assign to the session for that user or device. The required attributes are:

[64] Tunnel-type = VLAN

[65] Tunnel-Medium-Type = 802

[81] Tunnel-Private-Group-ID = <vlan name>

These are the same three attributes used when assigning a VLAN ID number to an 802.1X session for a user or device. The difference when using named VLAN profiles is that the RADIUS server is configured to send a VLAN name rather than the VLAN ID number. Here's an example of how this would be configured using Cisco Identity Services Engine (ISE):

ISE Advanced Attributes.png

In this example, the RADIUS server will return the "WORKSTATION" value to the MS switch, and the switch will look for a VLAN ID number mapping matching that value. For more information, refer to configuring 802.1X access policies on MS Switches using Windows 2008 NPS.

The MS switch looks up the VLAN ID number mapping in the named VLAN profile applied to the switch that authenticates the 802.1X session. Here, the "WORKSTATION" value could map to VLAN ID 201, 301, or 401 depending on which profile the switch has applied:

Multiple VLAN Profiles.png


If the RADIUS server returns a name value that is not defined in the applied VLAN profile, the switchport fails closed and the client device will not be able to access the network. If the RADIUS server returns a VLAN ID number instead of a name, the switchport is authorized as an access port in that VLAN.

Also, when using multi-auth mode, multiple devices may be connected to each port, but each connected device is required to authenticate. After a VLAN is assigned to a host on the port, subsequent hosts must receive matching VLAN information or they are denied access to the port. Only one client is supported on the voice VLAN. Guest VLANs are not supported in this mode.

There is one exception to this behaviour that is specific to the MS390. When multiple hosts authenticate to a single port on the MS390, each host may be assigned a unique VLAN for its session. For example, the first host to authenticate on a switch port might be assigned to VLAN 3, and a subsequently authenticated host may be assigned to VLAN 5.
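The following is an added illustration of the switch-side decision described above (it is not Meraki code): an Access-Accept carrying attributes 64/65/81 is resolved against the named VLAN profile applied to the switch, an unknown name fails closed, a numeric value is used directly, and the multi-auth rule is applied per port. The profile contents, the attribute dictionary shape and the function names are assumptions made for the example.

```python
# Assumed, constructed data: the same VLAN names map to different IDs per floor,
# as in the topology above. Not a real dashboard export.
PROFILES = {
    "Floor2": {"WORKSTATION": 201, "VOICE": 202, "IOT": 203},
    "Floor3": {"WORKSTATION": 301, "VOICE": 302, "IOT": 303},
}

TUNNEL_TYPE_VLAN = 13   # RFC 2868 value of Tunnel-Type (attr 64) meaning "VLAN"
TUNNEL_MEDIUM_802 = 6   # RFC 2868 value of Tunnel-Medium-Type (attr 65) meaning "802"


def resolve_vlan(accept_attrs, profile):
    """Return the VLAN ID to authorise the port in, or None to fail closed.

    accept_attrs models the attributes of a RADIUS Access-Accept as a dict;
    profile is the name -> ID mapping of the profile applied to the switch.
    Access-Accepts that carry no VLAN attributes at all are outside this model.
    """
    if accept_attrs.get("Tunnel-Type") != TUNNEL_TYPE_VLAN:
        return None
    if accept_attrs.get("Tunnel-Medium-Type") != TUNNEL_MEDIUM_802:
        return None
    group = accept_attrs.get("Tunnel-Private-Group-ID")
    if group is None:
        return None
    if group.isdigit():
        # A numeric value is a VLAN ID and is used directly, bypassing the profile.
        vid = int(group)
        return vid if 1 <= vid <= 4094 else None
    # A name is looked up in the applied profile; an undefined name yields None,
    # i.e. the port fails closed rather than landing the client in a guessed VLAN.
    return profile.get(group)


def admit_host(port_sessions, vlan_id, ms390=False):
    """Apply the multi-auth rule for one port.

    port_sessions is the list of VLAN IDs already authorised on the port.
    Subsequent hosts must match the first host's VLAN, except on the MS390,
    where each host may receive its own VLAN.
    """
    if vlan_id is None:
        return False                      # failed resolution: deny the host
    if port_sessions and not ms390 and vlan_id != port_sessions[0]:
        return False                      # mismatching VLAN on a non-MS390 port
    port_sessions.append(vlan_id)
    return True
```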


Switch Stacks

Named VLAN profiles are applied to standalone switches or entire switch stacks. You cannot apply different VLAN profiles to switch members of the same stack (all switches in the stack use the same profile).

Default Profile

When named VLAN profiles are enabled, a default profile is automatically applied to all switches and switch stacks in the network. If a named VLAN profile is not explicitly assigned to a switch or stack by an administrator, it will use the default profile. The default profile is indicated with the DEFAULT highlight in green on the VLAN profiles tab and the (default) label on the profile assignment tab. An administrator can configure another profile to be the default, as well as edit the built-in profile.

When you remove a profile assignment from a switch or stack, it will revert to using the default profile for the network.

Configuring Named VLAN Profiles

Navigate to Network-wide > VLAN Profiles. This will bring up the profile assignment page.

uncheckd profile assignment.png

Here you can see which profiles are assigned to each switch or switch stack. In the example, each device is currently assigned to the default profile.

Enabling and Disabling Named VLAN profiles

Named VLAN profiles can be enabled or disabled for each network. When VLAN profiles are disabled, you can still configure and assign profiles, but they won't take effect until you enable named VLAN profiles for the network. This also allows the feature to be temporarily removed from the switches and switch stacks without losing the existing configuration in dashboard.

Navigate to Network-wide > VLAN Profiles, choose the Settings tab, and choose whether to enable or disable named VLAN profiles. The change is saved immediately.

NVP enable.png

This can be helpful when testing and troubleshooting named VLAN profiles.

Managing named VLAN profiles

Click on the VLAN profiles tab. Here you can add, delete, copy, and edit named VLAN profiles. Note the Default Profile which is applied to all switches by default.

NVP VLAN Profile Tab-HiRes.png

To create or edit a profile, choose the appropriate option from "Add New Profile" or the copy/edit buttons of the appropriate profile. Give the profile a unique name, and optionally set it as the default profile for the network.

NVP Edit Profile.png

Next, create mappings from VLAN names to VLAN IDs. The VLAN name entered is the exact value that the RADIUS server must send to the switch in order to map to that VLAN ID. When finished, click "Save".

Each profile can include up to 1024 VLAN name to ID mappings, and each VLAN name can be up to 32 characters long. The VLAN profile name itself has a 255 character limit.

You can also map more than one VLAN ID number to a VLAN name, using commas to separate non-contiguous IDs and hyphens for contiguous ranges (e.g. 100,200,120-130).

Changing the default profile

To set a profile as the default profile for the network, check the "set profile as default" box on the profile edit screen, review the confirmation, and click "Yes" to complete the change.

NVP Change default profile.png

Remember, any switch or stack that doesn't have a profile assigned will use the default profile, so changing the default profile applies the new default profile to every switch and stack that does not otherwise have a profile assigned. Explicitly assigning a profile to a device behaves differently from leaving the device without an assignment or removing its assignment:

  • Option 1: Specifically assign a profile to a switch or stack. The device will continue to use this profile until you assign a different one.
  • Option 2: Do not assign a profile, or remove the profile assignment from the switch or stack. The device will use whichever profile is configured as the default.

Assigning named VLAN profiles

On the profile assignment tab, select the switch(es) or stack(s) to assign a profile to, then click the "Assign profile" button.

profile assign.png

Choose the profile to apply to the switches and/or stacks by clicking the "select" button, then click "review changes".

NVP Edit assignment.png

Review the changes and choose "Apply changes" to apply the profiles to the selected devices.

review assignment.png

Removing profile assignments

You can remove a named VLAN profile assignment from a switch or stack, which reapplies the default profile to that device. Devices without a specific profile assignment use the default profile, and if a different profile is made the default, all devices without a specific assignment are automatically moved to the new default profile.

You can also explicitly assign the profile that is currently marked as the default to a switch or stack. In that case, the profile is specifically assigned to the device and will not change if a different profile is later configured as the default. This differs from a device without a profile assignment, or one whose assignment has been removed:

  • Option 1: Specifically assign a profile to a switch or stack. The device will continue to use this profile until you assign a different one.
  • Option 2: Either do not assign a profile, or remove the profile assignment from the switch or stack. The device will use whichever profile is configured as the default.

To remove the assigned profile, select the intended devices and click "Remove profile assignment" on the Profile assignment tab.

assignment complete.png

Verifying named VLAN profiles

You can verify the named VLAN profile applied to a switch or stack from the Monitor > Switches page. If the "VLAN profile" column isn't visible, click the wrench icon in the top right corner of the switch list table and enable the column.

NVP Switch table column.png

On the switch details page, the VLAN profile is listed in the left-hand column below the config status.

switch details VLAN profile.png
