Giving guest users access to Sonos on corporate AV LAN

sfsomeone
New here


Looking to get our guest and BYOD users access over wireless to the corporate AV VLAN.

 

Our guest and BYOD users are on SSIDs using NAT mode (Clients receive IP addresses in an isolated 10.0.0.0/8 network.) Our corporate AV VLAN contains our Sonos speakers. This is on a VLAN using a different IP scheme (172.X.X.X).

 

Within the firewall and traffic shaping rules for the SSIDs, what's the ideal way to allow those devices access? I've attached a screenshot of what it's at. I realize it is deny, but what would be the correct way to allow traffic from 10.0.0.0/8 to 172.X.X.X/24 for our Sonos to be reachable for employees to access?

 

We want to keep them from accessing anything but that AV VLAN.

PhilipDAth
Kind of a big deal

1.PNG

BrechtSchamp
Kind of a big deal

The Sonos app relies on multicasts that are (by default) only cast onto the local subnet they're on. Opening up the firewall is not enough. You'll need to have some kind of proxy to copy over these multicasts between subnets. The Bonjour forwarding functionality may be of help but I'm not sure. I really should take some time to experiment with this as I have Sonos at home but I haven't gotten around to it.

 

More info about Bonjour Forwarding on Meraki:

https://documentation.meraki.com/MR/Client_Addressing_and_Bridging/Bonjour_Forwarding
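Added example, not part of the original posts and not Meraki's own logic: a small Python model of the point above, that an allow rule toward the AV VLAN lets unicast through while discovery multicast still stays on the guest subnet unless a proxy copies it over. The AV subnet `172.16.50.0/24`, the sample destinations and the first-match rule order are assumptions, and the SSDP and mDNS group addresses are illustrative since the thread does not name the discovery protocols.

```python
import ipaddress

# Constructed placeholder: the thread elides the AV subnet as 172.X.X.X/24.
AV_VLAN = ipaddress.ip_network("172.16.50.0/24")
PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Ordered rules, assumed first-match-wins: permit only the AV VLAN, deny every
# other private range, then let the remainder (internet) through.
RULES = ([("allow", AV_VLAN)]
         + [("deny", net) for net in PRIVATE]
         + [("allow", ipaddress.ip_network("0.0.0.0/0"))])

def acl_action(dst):
    """Return the action of the first rule whose destination contains dst."""
    addr = ipaddress.ip_address(dst)
    for action, net in RULES:
        if addr in net:
            return action
    return "deny"

def reaches_av_vlan(dst, multicast_proxy=False):
    """Would a guest packet to dst be received by a speaker on the AV VLAN?"""
    addr = ipaddress.ip_address(dst)
    if addr.is_multicast:
        # Discovery multicast is not routed to the AV VLAN; only a forwarder
        # that re-emits it there helps, whatever the ACL says (simplified).
        return multicast_proxy
    return addr in AV_VLAN and acl_action(dst) == "allow"

SAMPLES = {  # constructed destinations
    "speaker unicast": "172.16.50.20",
    "corporate server": "172.16.10.5",
    "other guest": "10.1.2.3",
    "SSDP discovery": "239.255.255.250",
    "mDNS discovery": "224.0.0.251",
}

def report():
    """Map each sample to (ACL action, reaches a speaker without a proxy)."""
    return {name: (acl_action(dst), reaches_av_vlan(dst))
            for name, dst in SAMPLES.items()}

if __name__ == "__main__":
    for name, (action, reach) in report().items():
        print(f"{name:18} acl={action:5} reaches_speaker={reach}")
```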

mattia
Getting noticed

Had the same planned here but didn't manage to have it working in a safe and easy way.

We have BYOD/Guest wifi and corporate wifi.

Sonos should be reachable by both on a dedicated VLAN....

Eventually used a spare Airport Extreme to have a dedicated wifi for the Sonos and a controller iPad.

Employees can connect to this wifi if they want to control the music.

The Airport is connected to Meraki where it's on a dedicated isolated VLAN.

It just wasn't worth the time playing with firewall rules and multicast proxies :shrug: it felt like leaving doors open for attackers
