
Configuring VLANs on the MX Security Appliance

As a network grows to include users in multiple physical locations it becomes necessary to segment the network into various virtual networks or VLANs. This article describes how to configure VLANs on the MX Security Appliance.

Enable VLANs on the Dashboard


VLANs are disabled by default on the MX. They can be enabled from Configure > Addressing & VLANs > VLANs by selecting 'Enabled' from the VLANs drop-down.


Note: The MX IP is the local IP address of the MX when VLANs are disabled, and in many cases it can serve as the default gateway for local devices.

Configure VLANs


After VLANs have been enabled you can add additional VLANs by clicking 'Add a VLAN'.

In this example, the MX has three VLANs:

  • VLAN 1: 192.168.1.0/24
  • VLAN 2: 192.168.2.0/24
  • VLAN 3: 192.168.3.0/24

The Name is a description of the VLAN, the VLAN ID is the VLAN number, the Subnet is the network expressed using CIDR notation, and the Appliance LAN IP is the local MX VLAN interface IP. A VLAN can be removed from the Actions column. Click here for more detailed information about settings on Addressing & VLANs. 


Configure LAN Ports

Next, the uplink ports to our switches will be configured as trunk ports to carry the VLANs that were configured in the previous step. Changes can be made to the MX LAN ports under Per-port VLAN configuration by selecting the check box beside the port number, or by selecting multiple ports and clicking the Edit button.


The Type determines if the LAN port is an access or trunk port. When connecting the MX to a switch that will carry multiple VLANs, select trunk from the drop-down. Traffic without an 802.1Q tag will be dropped by default unless a native VLAN is defined in the Native VLAN field. You can specify the VLANs that the trunk port will allow in Allowed VLANs, or choose to allow all VLANs to pass on the link. Click here for more information about per-port VLAN configuration options.
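The addressing and trunk rules described above can be checked before they are entered in the Dashboard. The following Python sketch is an added example, not Meraki code: it validates a VLAN plan (usable Appliance LAN IP inside each subnet, no overlapping subnets) and models how a trunk port treats untagged and tagged frames. The function names, the .1 appliance addresses and the assumption that the native VLAN is not checked against Allowed VLANs are hypothetical.

```python
import ipaddress

# VLAN ID -> (subnet, appliance LAN IP). Subnets are the article's; the .1 addresses are constructed.
PLAN = {
    1: ("192.168.1.0/24", "192.168.1.1"),
    2: ("192.168.2.0/24", "192.168.2.1"),
    3: ("192.168.3.0/24", "192.168.3.1"),
}

def check_plan(plan):
    """Return a list of problems found in a VLAN addressing plan."""
    problems, seen = [], {}
    for vid, (subnet, lan_ip) in sorted(plan.items()):
        if not 1 <= vid <= 4094:
            problems.append(f"VLAN {vid}: ID outside the 802.1Q range 1-4094")
        try:
            net = ipaddress.ip_network(subnet)  # strict: rejects host bits in the CIDR
            ip = ipaddress.ip_address(lan_ip)
        except ValueError as exc:
            problems.append(f"VLAN {vid}: {exc}")
            continue
        if ip not in net or ip in (net.network_address, net.broadcast_address):
            problems.append(f"VLAN {vid}: {ip} is not a usable host address in {net}")
        for other_vid, other in seen.items():
            if net.overlaps(other):
                problems.append(f"VLAN {vid}: {net} overlaps VLAN {other_vid} ({other})")
        seen[vid] = net
    return problems

def trunk_vlan_for_frame(tag, native_vlan, allowed):
    """Return the VLAN a frame arriving on a trunk port is placed in, or None if dropped.

    tag: 802.1Q VLAN ID, or None for an untagged frame.
    native_vlan: VLAN ID from the Native VLAN field, or None if none is defined.
    allowed: set of VLAN IDs from Allowed VLANs, or the string "all".
    """
    if tag is None:
        return native_vlan  # untagged: native VLAN if defined, otherwise dropped
    if allowed == "all" or tag in allowed:
        return tag
    return None  # tagged for a VLAN this trunk does not allow

if __name__ == "__main__":
    print(check_plan(PLAN) or "plan OK")
    for tag in (None, 2, 4):
        print(tag, "->", trunk_vlan_for_frame(tag, native_vlan=None, allowed={1, 2, 3}))
```

Listing only the VLANs a downstream switch actually needs in Allowed VLANs, rather than allowing all, keeps a frame tagged for an unrelated VLAN from being accepted on that link.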


Other Considerations

In some cases it is necessary to restrict access between different VLANs. Please refer to the following knowledge base document which describes how to use outbound firewall rules to restrict traffic between VLANs.

Last modified
16:16, 18 Feb 2016


Article ID

ID: 1429
