New Access Points and Network Setup

bismarckpalm
Conversationalist

New Access Points and Network Setup

Hello,

I have an MX64 firewall and recently got some new Meraki MR33 access points.  I am trying to configure 1 SSID for Internal and 1 for guest.  My main issue is what seems to be the best / main option for the guest network is NAT mode, which uses IP addresses in the 10.0.0.0/8 range.  Unfortunately, I already use 10.0.0.0 internally. 

My current configuration uses two VLAN’s.  On one, Internal computers get DHCP from a Windows 2012 R2 server.  On the other, guest computers on Wi-Fi get DHCP from the MX64 (10.0.2.0/24).  I almost wish I could keep it… but I already paid for the AP’s.  I also have a new Ubiquiti switch since I am out of space on the existing. 

I think I have a few options and would really appreciate the advice.

  1. Change internal IP addressing, using something like 10.0.2.0 internally and NAT mode for the wireless guest network – I’m afraid this would cause a lot of problems and think I would like to avoid it.
  2. Use NAT mode: Use Meraki DHCP for the guest network and hope I never have conflicts with an IP already distributed and in use internally. The 2012 server continues to be the DHCP server for internal computers.  If I use this option, do you think it is best to plug the AP’s into the MX64 or my switch?
  3. Configure 2 VLANs on my switch - 1 for Wi-Fi guests, 1 for internal - use Layer 3 roaming for both the internal and guest SSID’s. I think this is similar to what I have now?  Do you think I can I configure this to be as secure as the isolated 10.0.0.0/8 offered by the NAT mode?
  4. Move DHCP from Windows 2012 R2 to the MX64 and keep using the 10.0.0.0 addressing for all computers on one VLAN. I kind of like this option because of the ability to use OpenDNS, but will I run into issues with Active Directory?
  5. Other options?

Hopefully that all makes sense.  I would really appreciate any advice.

5 REPLIES 5
NolanHerring
Kind of a big deal


@bismarckpalm wrote:

My main issue is what seems to be the best / main option for the guest network is NAT mode, which uses IP addresses in the 10.0.0.0/8 range.  Unfortunately, I already use 10.0.0.0 internally

 


 

This doesn't matter thankfully.  The NAT mode means that the AP is actually NATing the clients, so the client see's the AP as his gateway/DNS etc. AP will just proxy all the traffic to your MX and send it out to the internet etc.

Nolan Herring | nolanwifi.com
TwitterLinkedIn

Just make sure that the AP's are either using public DNS themselves, or on the guest SSID access control settings, you choose custom DNS and use Google public DNS.
Nolan Herring | nolanwifi.com
TwitterLinkedIn
PhilipDAth
Kind of a big deal

>Configure 2 VLANs on my switch - 1 for Wi-Fi guests, 1 for internal - use Layer 3 roaming for both the internal and guest SSID’s. I think this is similar to what I have now?  Do you think I can I configure this to be as secure as the isolated 10.0.0.0/8 offered by the NAT mode?

 

I would go for two VLANs.  Configure the SSIDs to use bridging, not layer 3 roaming.  Create a group policy on the MX and apply it to the guest VLAN.  In that group policy create firewall rules blocking access to Internal resources.

bismarckpalm
Conversationalist

Thank you for the suggestions!  Any thoughts on #4?  Would it be too much to move the DNS and DHCP to the MX64?

Nash
Kind of a big deal

I prefer to keep DHCP on an AD server when I can, for production vlans. An MX won't let you cancel an existing lease one by one, and that's something I have to do semi-regularly for my clients. 

 

If I've got a separately configured vlan for a guest network, then DHCP goes on the MX and I make sure the firewall rules block access between my production vlan(s) and my guest vlan. 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.