VLAN Configuration
Dashboard Location: Security and SD-WAN > Configure > Addressing & VLANs > VLANs
VLAN Management
VLAN configuration in Meraki appliances provides comprehensive network segmentation capabilities including subnet management, DHCP services and advanced networking features. This functionality enables organizations to create secure network boundaries, implement traffic isolation policies, and support complex network architectures while maintaining centralized management and visibility. VLAN configuration is essential for enterprise deployments requiring network segmentation, security isolation, and scalable network design.
Known Limitations:
- When IPv6 is enabled on a VLAN, DHCP cannot be configured on the same VLAN. This is a limitation of the Meraki API with the Terraform provider. Users must choose between enabling IPv6 and using DHCP on a given VLAN.
Classes
appliance (meraki.domains.organizations.networks)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| vlans | List | [vlans] | No | |
vlans (meraki.domains.organizations.networks.appliance)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | min: 1, max: 127 | No | |
| subnet | String | Regex: ^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\/([1-9]|[12][0-9]|3[0-2])$ | No | |
| appliance_ip | IP | | No | |
| template_vlan_type | Choice | same, unique | No | |
| cidr | String | Regex: ^(?i:any|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?)(,(any|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?))*$ | No | |
| mask | Integer | min: 0, max: 32 | No | |
| ipv6 | Class | [ipv6] | No | |
| dhcp_handling | Choice | Do not respond to DHCP requests, Relay DHCP to another server, Run a DHCP server | No | Run a DHCP server |
| dhcp_lease_time | Choice | 1 day, 1 hour, 1 week, 12 hours, 30 minutes, 4 hours | No | |
| mandatory_dhcp | Boolean | true, false | No | false |
| dhcp_options | List | [dhcp_options] | No | |
| dhcp_boot_options | Boolean | true, false | No | |
| group_policy_name | String | min: 1, max: 127 | No | |
| vlan_id | Any | Integer[min: 1, max: 4094] or String[matches: `(?:[1-9] | [1-9][0-9] | [1-9][0-9]2 |
| vpn_nat_subnet | String | Regex: ^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\/([1-9]|[12][0-9]|3[0-2])$ | No | |
| dhcp_relay_server_ips | List | IP | No | |
| dhcp_boot_next_server | IP | | No | |
| dhcp_boot_filename | String | min: 1, max: 127 | No | |
| fixed_ip_assignments | List | [fixed_ip_assignments] | No | |
| reserved_ip_ranges | List | [reserved_ip_ranges] | No | |
| dns_nameservers | String | Regex: ^(upstream_dns|google_dns|opendns|custom)$ | No | upstream_dns |
ipv6 (meraki.domains.organizations.networks.appliance.vlans)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| enabled | Boolean | true, false | No | |
| prefix_assignments | List | [prefix_assignments] | No | |
dhcp_options (meraki.domains.organizations.networks.appliance.vlans)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| code | String | Regex: ^([2-9]|1[0-9][0-9]?|2[0-9]|2[0-5][0-4]|[3-9][0-9])$ | Yes | |
| type | Choice | hex, integer, ip, text | Yes | |
| value | String | min: 1, max: 127 | Yes | |
fixed_ip_assignments (meraki.domains.organizations.networks.appliance.vlans)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | min: 1, max: 127 | Yes | |
| mac | MAC | | Yes | |
| ip | IP | | Yes | |
reserved_ip_ranges (meraki.domains.organizations.networks.appliance.vlans)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| start | IP | | Yes | |
| end | IP | | Yes | |
| comment | String | min: 1, max: 127 | Yes | |
prefix_assignments (meraki.domains.organizations.networks.appliance.vlans.ipv6)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| autonomous | Boolean | true, false | No | |
| disabled | Boolean | true, false | Yes | |
| static_prefix | IP | | No | |
| static_appliance_ip6 | IP | | No | |
| origin | Class | [origin] | No | |
origin (meraki.domains.organizations.networks.appliance.vlans.ipv6.prefix_assignments)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| type | Choice | independent, internet | Yes | |
| interfaces | List | String[min: 1, max: 10] | No | |
Examples
Example-1: The example below demonstrates VLANs configuration.
This configuration creates and manages Virtual Local Area Networks (VLANs) to segment network traffic, provide organized IP allocation, and enable DHCP services. The example includes VLAN definitions, subnet assignments, DHCP settings, reserved IP ranges, DHCP options, and DNS configuration for structured network management.
VLAN 10 – “VLAN10”: Subnet: 192.168.10.0/24 with appliance IP 192.168.10.1 as the default gateway. DHCP is enabled with a lease time of 1 day and mandatory DHCP to prevent static IP assignment. DHCP boot options include PXE boot support (codes 66/67) pointing to tftp.example.com and bootfile. Reserved IP range 192.168.10.40–50 is set aside for printers. DNS is set to Google DNS servers (8.8.8.8 and 8.8.4.4). Note: Multiple DNS servers are specified as a newline-separated string of IP addresses or domain names; in this case, the value is defined as “8.8.8.8\n8.8.4.4”. Fixed IP assignments are defined for RFID readers based on MAC address, so that each keeps the same IP across leases. An optional DHCP relay server is defined as 192.168.10.254.
VLAN 20 – “VLAN20”: Subnet: 192.168.20.0/24 with appliance IP 192.168.20.1. DHCP is enabled with a lease time of 1 day and mandatory DHCP enforcement. DHCP boot options are configured identically to VLAN 10 for PXE boot support. Reserved IP range 192.168.20.40–50 is set aside for printers. DNS is set to the organization DNS servers ns1.example.com and ns2.example.com. Note: Multiple DNS servers are specified as a newline-separated string of IP addresses or domain names; in this case, the value is defined as “ns1.example.com\nns2.example.com”. This configuration ensures centralized IP management, prevents unauthorized static IP usage, supports PXE boot for devices requiring network boot, and separates traffic into distinct VLANs for better organization, security, and network efficiency.
VLAN 30 – “VLAN30”: Subnet: 192.168.30.0/24 with appliance IP 192.168.30.1. IPv6 is enabled with two prefix assignments on separate WAN interfaces. The first prefix (2001:430:3c4d:15::/64) is non-autonomous with a static appliance IPv6 address of 2001:430:3c4d:15::1, sourced from the internet via wan1. Non-autonomous means clients must use DHCPv6 for address assignment rather than SLAAC. The second prefix is autonomous (SLAAC-enabled), sourced from the internet via wan2, allowing clients to auto-configure their IPv6 addresses. This prefix is dynamically assigned by the upstream provider. This dual-prefix configuration demonstrates a split-WAN IPv6 design where wan1 provides a managed (DHCPv6) prefix and wan2 provides an auto-configured (SLAAC) prefix, offering both controlled and flexible IPv6 addressing within the same VLAN.
VLAN 40 – “VLAN40”: Subnet: 192.168.40.0/24 with appliance IP 192.168.40.1. IPv6 is enabled with two non-autonomous prefix assignments, both sourced from the internet but on different WAN interfaces. The first prefix (2001:440:3c4d:15::/64) is active (not disabled) with a static appliance IPv6 address of 2001:440:3c4d:15::1, sourced via wan1. Clients on this prefix must use DHCPv6 for address assignment. The second prefix is also non-autonomous, sourced via wan2, but is explicitly disabled. This is useful for pre-staging a prefix configuration that can be activated later without reconfiguration, or for maintaining a backup prefix definition that is not currently in use. This configuration demonstrates a primary/standby IPv6 prefix design where only the wan1 prefix is actively serving clients while the wan2 prefix remains defined but inactive.
VLAN 50 – “VLAN50”: Subnet: 192.168.50.0/24 with appliance IP 192.168.50.1. IPv6 is enabled with a single autonomous (SLAAC-enabled) prefix assignment sourced from the internet via both wan1 and wan2. The autonomous flag allows clients to auto-configure their IPv6 addresses using Stateless Address Autoconfiguration (SLAAC) without requiring a DHCPv6 server. The prefix is dynamically assigned by the upstream provider. By specifying both wan1 and wan2 as origin interfaces, this configuration provides WAN redundancy for IPv6 prefix delegation — if one WAN link fails, the prefix can still be obtained from the other. This configuration demonstrates the simplest IPv6 VLAN setup with SLAAC and dual-WAN resilience, suitable for networks where lightweight auto-configuration and high availability are preferred over centralized DHCPv6 management.
Note: When IPv6 is enabled on a VLAN, prefix_assignments must be defined and should include an entry for every WAN interface supported by the appliance.
```yaml
meraki:
  domains:
    - name: !env domain
      administrator:
        name: !env org_admin
      organizations:
        - name: !env org
          networks:
            - name: !env network_name
              product_types:
                - appliance
                - switch
                - wireless
                - camera
                - sensor
                - cellularGateway
              appliance:
                vlans:
                  - vlan_id: 10
                    name: "VLAN10"
                    subnet: "192.168.10.0/24"
                    appliance_ip: "192.168.10.1"
                    group_policy_name: "CORP" # Maps to group policy ID for CORP policy
                    dhcp_handling: "Run a DHCP server"
                    dhcp_lease_time: "1 day"
                    dhcp_boot_options: false
                    dhcp_options:
                      - code: "66"
                        type: "text"
                        value: "tftp.example.com"
                      - code: "67"
                        type: "text"
                        value: "bootfile"
                    reserved_ip_ranges:
                      - start: "192.168.10.40"
                        end: "192.168.10.50"
                        comment: "Reserved for printers"
                    fixed_ip_assignments:
                      - name: "RFID Reader 1"
                        ip: "192.168.10.111"
                        mac: "00:11:22:33:44:55"
                      - name: "RFID Reader 2"
                        ip: "192.168.10.112"
                        mac: "00:11:22:33:44:56"
                    dns_nameservers: "8.8.8.8\n8.8.4.4"
                    # vpn_nat_subnet: "192.168.10.0/24"
                    mandatory_dhcp: true
                  - vlan_id: 20
                    name: "VLAN20"
                    subnet: "192.168.20.0/24"
                    appliance_ip: "192.168.20.1"
                    group_policy_name: "BMS" # Maps to group policy ID for BMS policy
                    dhcp_handling: "Relay DHCP to another server"
                    dhcp_relay_server_ips: ["192.168.10.2", "192.168.10.3"]
                    # vpn_nat_subnet: "192.168.20.0/24"
                    mandatory_dhcp: true
                  - vlan_id: 30
                    name: "VLAN30"
                    subnet: "192.168.30.0/24"
                    appliance_ip: "192.168.30.1"
                    ipv6:
                      enabled: true
                      prefix_assignments:
                        - autonomous: false
                          disabled: false
                          static_prefix: "2001:430:3c4d:15::/64"
                          static_appliance_ip6: "2001:430:3c4d:15::1"
                          origin:
                            type: "internet"
                            interfaces:
                              - "wan1"
                        - autonomous: true
                          disabled: false
                          origin:
                            type: "internet"
                            interfaces:
                              - "wan2"
                  - vlan_id: 40
                    name: "VLAN40"
                    subnet: "192.168.40.0/24"
                    appliance_ip: "192.168.40.1"
                    ipv6:
                      enabled: true
                      prefix_assignments:
                        - autonomous: false
                          disabled: false
                          static_prefix: "2001:440:3c4d:15::/64"
                          static_appliance_ip6: "2001:440:3c4d:15::1"
                          origin:
                            type: "internet"
                            interfaces:
                              - "wan1"
                        - autonomous: false
                          disabled: true
                          origin:
                            type: "internet"
                            interfaces:
                              - "wan2"
                  - vlan_id: 50
                    name: "VLAN50"
                    subnet: "192.168.50.0/24"
                    appliance_ip: "192.168.50.1"
                    ipv6:
                      enabled: true
                      prefix_assignments:
                        - autonomous: true
                          disabled: false
                          origin:
                            type: "internet"
                            interfaces:
                              - "wan1"
                              - "wan2"
```
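A pre-deployment lint for the constraints this page states (the subnet regex, the IPv6/DHCP limitation, the `prefix_assignments` note and the mandatory `disabled` field), given here as an added example that is not code from this page or from the Meraki tooling. The names `lint_vlan`, `DHCP_KEYS` and `SAMPLE`, the choice of which keys count as configuring DHCP, and the in-subnet checks are assumptions of this example; the sample input is constructed.

```python
import ipaddress
import re

# Subnet pattern copied from the vlans table on this page.
SUBNET_RE = re.compile(
    r"^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}"
    r"(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\/([1-9]|[12][0-9]|3[0-2])$")
# Assumption: these keys are what counts as "configuring DHCP" on a VLAN.
DHCP_KEYS = {"dhcp_handling", "dhcp_lease_time", "dhcp_options",
             "dhcp_boot_options", "dhcp_relay_server_ips", "mandatory_dhcp"}


def lint_vlan(vlan):
    """Return a list of findings for one entry of appliance.vlans."""
    subnet = vlan.get("subnet", "")
    if not SUBNET_RE.match(subnet):
        return [f"subnet {subnet!r} does not match the schema regex"]
    net = ipaddress.ip_network(subnet, strict=False)
    def stray(ip):  # True when ip is not a valid address inside the subnet
        try:
            return ipaddress.ip_address(ip) not in net
        except ValueError:
            return True

    findings = []
    if "appliance_ip" in vlan and stray(vlan["appliance_ip"]):
        findings.append("appliance_ip is not inside the subnet")
    hosts = [f["ip"] for f in vlan.get("fixed_ip_assignments", [])]
    hosts += [r[k] for r in vlan.get("reserved_ip_ranges", []) for k in ("start", "end")]
    findings += [f"fixed or reserved IP {ip} is not inside the subnet" for ip in hosts if stray(ip)]
    ipv6 = vlan.get("ipv6") or {}
    if ipv6.get("enabled"):
        used = sorted(DHCP_KEYS & vlan.keys())
        if used:  # Known Limitations: IPv6 and DHCP cannot share a VLAN
            findings.append("IPv6 enabled together with DHCP keys: " + ", ".join(used))
        prefixes = ipv6.get("prefix_assignments") or []
        if not prefixes:  # the page's note: required once IPv6 is enabled
            findings.append("IPv6 enabled without prefix_assignments")
        for i, prefix in enumerate(prefixes):
            if "disabled" not in prefix:  # the only mandatory prefix field
                findings.append(f"prefix_assignments[{i}] lacks 'disabled'")
    return findings


# Constructed input: the page's VLAN 30 with mistakes added on purpose.
SAMPLE = {"vlan_id": 30, "subnet": "192.168.30.0/24", "appliance_ip": "192.168.31.1",
          "dhcp_handling": "Run a DHCP server",
          "ipv6": {"enabled": True, "prefix_assignments": [{"autonomous": True}]}}
if __name__ == "__main__":
    print("\n".join(lint_vlan(SAMPLE)))
```

Running the function over every entry of `appliance.vlans` before a plan or apply surfaces the IPv6/DHCP conflict locally instead of at the provider.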