Meraki

Community

Guest Net on specific public IP

DrRasmussen
Here to help
‎Mar 9 2021 4:59 AM
‎Mar 9 2021 4:59 AM

Guest Net on specific public IP

Hi I have a MX84

I have one public IP - lets say x.x.x.1, which I use for internet traffic.

I have a Guest WIFI VLAN - I need to use another public IP for guest traffic - lets say x.x.x.2

 

How can this be done in Meraki MX devices?

 

0 Kudos
10 Replies 10
DarrenOC
Kind of a big deal
Kind of a big deal
‎Mar 9 2021 5:07 AM
‎Mar 9 2021 5:07 AM

Hi @DrRasmussen 

 

look at the flow preference feature 

 

https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/MX_Load_Balancing_and_Flow_Preferen...

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
0 Kudos
In response to DarrenOC
DrRasmussen
Here to help
‎Mar 9 2021 6:16 AM
‎Mar 9 2021 6:16 AM

Hi @DarrenOC 

 

First of all thank you for helping me here.

 

As I understand WAN1 and WAN2 in the same subnet.

 

WAN1: A.B.C.1 Gateway A.B.C.X

WAN2: A.B.C.2 Gateway A.B.C.X

 

Which means that the two WAN's are using same gateway?

 

Control of which WAN link to be used for guest net is done via SD-WAN & Traffic shaping?

 

 

 

 

 

 

0 Kudos
In response to DrRasmussen
GreenMan
Meraki Employee
Meraki Employee
‎Mar 9 2021 6:57 AM
‎Mar 9 2021 6:57 AM

Although you could connect WAN1 and WAN2 of your MX via the same uplink - in which case they would each have an IP in the same subnet - you would normally connect different links to each of WAN1 and WAN2.   They would then have their IPs in different subnets.   In the Flow preferences for Internet traffic you would add a preference, for the source 'your Guest VLAN', to route that traffic via either WAN1 or WAN2.  That traffic will be NAT'ed behind the IP address of the chosen interface.

0 Kudos
In response to GreenMan
DrRasmussen
Here to help
‎Mar 9 2021 12:02 PM
‎Mar 9 2021 12:02 PM

Hi @GreenMan 

 

What do you mean with "Although you could connect WAN1 and WAN2 of your MX via the same uplink"?

Can I use the same physical interface?

Isn't there a really simple solution here. I don't think I'm the one and only looking into this kind of problems.

 

 

/Michael

0 Kudos
In response to DrRasmussen
DarrenOC
Kind of a big deal
Kind of a big deal
‎Mar 9 2021 12:36 PM
‎Mar 9 2021 12:36 PM

Hi @DrRasmussen , you generally don’t see WAN1 and WAN2 using IP addresses in the same subnet.  I wouldn’t class that as a resilient setup.  I think what @GreenMan is saying is that it’s possible however to do that.


Have you taken a read through the flow preferences document?  You should be able to identify your source IP subnet ie guest and route that out via WAN1 or WAN2.

 

Give it a try and test 

 

A5499CF5-62F9-43AA-97FD-36D7D5BB3A03.png

 

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
0 Kudos
In response to DarrenOC
DrRasmussen
Here to help
‎Mar 9 2021 12:45 PM
‎Mar 9 2021 12:45 PM

Thank you all.

I'll look into it.

 

I rise another questieon. It is my customer who is asking for a setup like this, where guest traffic have a another public source IP address.He said it's for securityr reasons, not to let the public IP be "too public"

 

Howerever: Is there a best year 2021 practice. Is it nescasarry to seperate guest traffic to another public IP or is it old school?

The MX is licenced for Advanced Security.

0 Kudos
In response to DrRasmussen
DarrenOC
Kind of a big deal
Kind of a big deal
‎Mar 10 2021 3:19 AM
‎Mar 10 2021 3:19 AM

Hi @DrRasmussen 

 

Whilst upgrading a lab MX to 16.4 I stumbled across this - sourced based routing which is available in MX's running 15.4 and higher.  So you could specify your source subnet/vlan and route that out of your next chosen hop - WAN1 or WAN2

 

https://documentation.meraki.com/MX/Networks_and_Routing/Source_Based_Default_Routing

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
0 Kudos
In response to DarrenOC
DrRasmussen
Here to help
‎Mar 10 2021 6:32 AM
‎Mar 10 2021 6:32 AM

Great - thank you. I have just upgraded to version 15.42.

I can't find any configuration examples - and unfortunately I have no lab Meraki device with 2 WAN's her.

 

My installation is 4 hours drive away - so I have do no configuration mistakes.

 

Is it possible to place WAN1 and WAN2 in same subnet from ISP - or shall the ISP devide the subnet into two?

 

Br,

Michael

0 Kudos
In response to DrRasmussen
DarrenOC
Kind of a big deal
Kind of a big deal
‎Mar 10 2021 6:40 AM
‎Mar 10 2021 6:40 AM

Hi Michael,

 

Yes, you can put both WAN connections into the same subnet if you have enough public IP's to do so.  Most deployments however would see two separate ISP's for resiliency.

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
0 Kudos
KarstenI
Kind of a big deal
Kind of a big deal
‎Mar 10 2021 7:52 AM
‎Mar 10 2021 7:52 AM

Want some more "dirty workaround" options? 😉

If you can make your client-traffic to come from the same IP (from a PAT-router, AP with Meraki-DHCP, Proxy or something like that) you could configure a 1:1 NAT for this IP.

 

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.