Block Guest SSID From Accessing LAN

Solved
BHerring
Conversationalist

I am very new to Meraki, so forgive my ignorance. I am trying to set up a new MX250 and MR33 combination here at a new office space. I want to allow our "corporate" SSID to access things on the LAN like printers and such, but I don't want anyone on our "guest" SSID to be able to access these things. Going through the documentation, I am only finding how to allow WLAN and LAN to communicate, but nothing on how to exclude anything. Any advice?

1 Accepted Solution
Bruce
Kind of a big deal

The MR access points have an in-built firewall, so the easiest way is to make sure that on the firewall for the “guest” SSID rules you have a rule that blocks traffic to all your corporate IP addresses.

From memory the default configuration for the SSID firewall is to deny all traffic to the private IP address spaces (i.e. 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), so if your corporate network is in this address space it’s likely the default settings will prevent the “guest” SSID connecting to the corporate network (and hence why all the documents describe enabling it).

EDIT: Just checked a few and the default rule seems to be to “Allow” Any to the Local LAN. Just swap this to Deny Any to Local LAN and this should be what you need for the “guest” SSID. (Local LAN is the private address space).
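
An added example, not part of the original thread and not Meraki's own code: an offline check that a guest SSID rule list really blocks the private address space the answer above calls "Local LAN". It assumes rules are evaluated top-down with the first match winning, uses a hypothetical rule shape with `policy`, `destCidr` and `comment` fields, ignores protocol and port, and runs on constructed rule sets and probe addresses.

```python
import ipaddress

# "Local LAN" as described in the answer above: the private address space.
LOCAL_LAN = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def _matches(dest_cidr, ip):
    """True if a rule destination covers the given address."""
    if dest_cidr.lower() == "any":
        return True
    if dest_cidr.lower() == "local lan":
        return any(ip in net for net in LOCAL_LAN)
    # Otherwise treat the destination as one or more comma-separated CIDRs.
    return any(ip in ipaddress.ip_network(part.strip(), strict=False)
               for part in dest_cidr.split(","))

def verdict(rules, dest):
    """Policy of the first rule matching dest (assumed top-down, first match)."""
    ip = ipaddress.ip_address(dest)
    for rule in rules:
        if _matches(rule["destCidr"], ip):
            return rule["policy"]
    return "allow"  # assumption: no match is reported as reachable, not hidden

def lan_exposure(rules, probes):
    """Probe addresses inside Local LAN that the rule list still allows."""
    return [p for p in probes
            if any(ipaddress.ip_address(p) in n for n in LOCAL_LAN)
            and verdict(rules, p) == "allow"]

# Constructed rule sets (hypothetical field names, not exported from a device).
AS_FOUND = [
    {"policy": "allow", "destCidr": "Local LAN", "comment": "Wireless clients accessing LAN"},
    {"policy": "allow", "destCidr": "Any", "comment": "Default rule"},
]
GUEST_FIXED = [
    {"policy": "deny", "destCidr": "Local LAN", "comment": "Wireless clients accessing LAN"},
    {"policy": "allow", "destCidr": "Any", "comment": "Default rule"},
]

# Constructed probes: a printer, range-edge addresses, and public addresses.
PROBES = ["192.168.1.50", "10.20.30.40", "172.31.255.254", "172.32.0.1", "8.8.8.8"]

if __name__ == "__main__":
    for name, rules in (("as found", AS_FOUND), ("guest fixed", GUEST_FIXED)):
        print(name, "-> LAN addresses still reachable:", lan_exposure(rules, PROBES))
```

An allow rule for a single LAN host placed above the deny shows up in the result, which makes this useful for catching exceptions added later that reopen the LAN to guests.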

BHerring
Conversationalist

Thank you! Meraki makes this much easier than I expected. Once you get to where you need to be, it's so much easier than the other devices I'm used to.
