Guest Network over VPN

Solved
double_virgule
Getting noticed

Guest Network over VPN

We are currently sending our guest wifi traffic over Cisco Umbrella. This accounts for a huge swath of our overall traffic, as our locations are in shopping malls and other retail centers, so people will connect and use the guest wifi when nearby. We are implementing a splash page and lowering the DHCP lease time for the guest wifi, but I still foresee this being a problem. 

 

Has anyone had any issues with sending only specific VLANs over Cisco Umbrella and dumping the rest directly to the internet? I understand we'd lose the additional security and visibility of Umbrella for this network, but it's already a bunch of noise we can't do much about. We're looking at blacklisting any malware or otherwise compromised devices from our guest wifi, but that's going to take time to develop.

1 Accepted Solution
ChristopherR
Conversationalist

I'm curious, how are you currently sending the traffic to Umbrella? I assume this is just DNS traffic? With this (https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Manually_Integrating_...) integration, you can selectively send traffic from specific SSIDs and have different policies (security, content, logging) for each SSID while still retaining visibility into the SSID/internal IP of each request.

View solution in original post

4 Replies 4
PhilipDAth
Kind of a big deal
Kind of a big deal

Have you considered only using Umbrella DNS filtering so all traffic is sent out locally (a compromise)?

double_virgule
Getting noticed

We did, but for our use case some of the traffic needs to be local and some of it needs to be full Umbrella VPN.
ChristopherR
Conversationalist

I'm curious, how are you currently sending the traffic to Umbrella? I assume this is just DNS traffic? With this (https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Manually_Integrating_...) integration, you can selectively send traffic from specific SSIDs and have different policies (security, content, logging) for each SSID while still retaining visibility into the SSID/internal IP of each request.

double_virgule
Getting noticed

Yeah, we discussed with our Cisco contact and they said it's fine to only send some and not all. So we'll probably ship out only the pertinent stuff and leave the rest with local rules. Thanks!

Get notified when there are additional replies to this discussion.