Client Isolation on MX67W Guest SSID

Solved
LeopoldN
Conversationalist

Hi everyone,

I was checking out the internal wireless settings on an MX67W and found that the option to use Meraki NAT with isolated 10.0.0.0/8 networks is not available. And since the firewall rules only apply up from layer 3 and not in the layer 2 VLAN, I currently have no idea how to isolate clients from each other on a guest SSID.
Is there some way to still achieve that requirement or do I actually need standalone APs for that?

 

Best Regards

Leopold

1 Accepted Solution
alemabrahao
Kind of a big deal

MX does not support this functionality, only Meraki APs.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Brash
Kind of a big deal

It's possible that if you apply a group policy to the VLAN with deny rules for RFC 1918 addresses, it may prevent clients from communicating with each other as they all connect directly to the MX for L2 and L3 communication.

You would need to test to validate as I personally don't manage any networks using the MX wireless.

LeopoldN
Conversationalist

I had hoped group policy was an option but I didn't try using it since the only option is to override the existing L3 firewall rules and I had already tried using a deny rule for the guest network on the firewall tab.
It would surprise me if a group policy firewall rule has a different functionality than configuring firewall rules on the firewall tab.

But thank you for the suggestion.

IvanJukic
Meraki Employee All-Star

Hi @LeopoldN ,

You can certainly have isolated clients on a Guest SSID on an MX67W. The way to do it would be to use VLANs. Basically, create a guest VLAN, then tag that Guest SSID with the new Guest VLAN. See my post below to a thread earlier this year asking a similar isolation question.

https://community.meraki.com/t5/Wireless/Anyway-to-set-firewall-rules-for-specific-SSIDs/m-p/268266#...

If you have further questions, let me know.

Cheers,

Ivan Jukić,
Meraki APJC

If you found this post helpful, please give it kudos. If it solved your problem, click "accept as solution" so that others can benefit from it.
LeopoldN
Conversationalist

Thank you for the suggestion but I am not trying to isolate the guests from the rest of the network but from each other. I already use a VLAN for the SSID and was just disappointed to find Meraki NAT (with an isolated 10.0.0.0/8 network for each client), that you can use on APs, is not available for MX.
