MR32 AP - Support for segmentation

dgaikwad
New here

MR32 AP - Support for segmentation

Hi Team,

 

There is a requirement to add segmentation and we are having MR32 AP running Current version: MR 26.8.2.

What would be requirements to get segmentation started on this model of AP?

Is there going to be a new hardware requirement? Licenses?

 

Thank you,

6 Replies 6
KarstenI
Kind of a big deal
Kind of a big deal

The only requirement is a clever SSID-design. But that depends on your business and security-requirements.

The basic segmentation is to put different users into different VLANs. This can easily be done with 802.1X where the RADIUS server assigned the VLAN for the user. Additional "segmentation" can be done by assigning firewall rules to groups of users.

Please describe exactly what your environment has to support.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
dgaikwad
New here

The segmentation requirement was based on the SGTs.

Further it seems that to accomplish this, the current MR 32 needs to be upgraded to version 27, but its not supported.

Secondly, additional license needs to be procured to accomplish this requirement. 

 

KarstenI
Kind of a big deal
Kind of a big deal

And for SGTs you need switches that support that, these are only the beloved MS390 in the Meraki portfolio. Had been easier if you had directly mentioned that you are talking about SGT ...

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
dgaikwad
New here

What if there are some Cisco 3750 switches and connect APs to one of these, would then the SGTs work?

Or I guess its as per design that the SGTs will only be supported using MS90 switches while APs are hooked to it.

KarstenI
Kind of a big deal
Kind of a big deal

You can integrate other TrustSec capable devices into the environment, but it will be much more complex. And if I remember right, the Catalyst 3750 is not SGT capable. For your design you have to distinguish Trustsec classification which is done on the Network access device and Trustsec transport which is done in the rest of the infrastructure.

If you have a non-Meraki device for classification, then you need the Cisco ISE to do this job. If you have MR and or MS390 on the Edge, the Meraki native solution can do it. But after this classification for the end-device and/or end-user, the traffic has to be tagged and transported throughout the network. for that you need switches and devices that can process this additional field in the frame header. For me, Trustsec on the Meraki Platform is not the way to go as I do not want to have all the struggle with the MS390.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
DarrenOC
Kind of a big deal
Kind of a big deal

As @KarstenI states done further details around the business requirement would help to define the technical solution here.

 

What’s downstream of the MR’s?

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
Get notified when there are additional replies to this discussion.