Guest Network - Best Practice Designs

AshMead
Getting noticed

I have a customer who is using a separate MX for their guest network.

 

Is this best practice? 

 

They have two MXs (MX84 and MX64) in two separate locations running in passthrough mode. All wireless traffic passes through the MX84 except for the guest traffic, which is tunnelled to an MX64 acting as a concentrator.

 

Is there a better way of achieving this?

 

 

  

Nash
Kind of a big deal

What exactly is their goal with this wireless setup?

What manufacturer are their APs? My answer changes if they're Meraki or not.

AshMead
Getting noticed

The APs are all Meraki, a mixture of MR33 and MR42.

 

The goal is to keep the guest traffic separate from the rest of the corporate traffic. The guest traffic is all tunnelled to one MX device, set up as a wireless concentrator.

 

Would the MXs need to be in Routed Mode in order to define traffic separation rules?

 

 

Nash
Kind of a big deal

Okay, the way you are doing it is very much not the way we do it. By the time the traffic gets to that second MX, it's still gone across the same switches etc.

 

Why not use the L3 firewall baked into the MR to separate the guest vlan from your LAN? This is the basic method of blocking guest traffic from your local LANs. https://documentation.meraki.com/MR/Firewall_and_Traffic_Shaping/MR_Firewall_Rules

 

You can apply a different group policy to your guest vlan, to ensure that content filtering/etc are set the way you want: https://documentation.meraki.com/zGeneral_Administration/Cross-Platform_Content/Creating_and_Applyin...
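
Added example (not part of the thread, and not Meraki's code): a small audit of an ordered guest L3 rule list that reports which RFC 1918 ranges guests could still reach. The rule format, the sample rule lists, top-down first-match evaluation and the implicit final allow are assumptions made for the illustration; protocol and port are ignored and only IPv4 is handled.

```python
import ipaddress

# RFC 1918 ranges a guest SSID should normally be unable to reach.
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

# Constructed sample rule lists (hypothetical format, not exported from a dashboard).
WEAK_RULES = [
    {"policy": "deny", "dest": "192.168.0.0/16"},
    {"policy": "allow", "dest": "any"},
]
HARDENED_RULES = [{"policy": "deny", "dest": n} for n in RFC1918] + [
    {"policy": "allow", "dest": "any"},
]

def exposed_private_ranges(rules):
    """Return the private subnets guest clients can still reach.

    rules: ordered list of {"policy": "allow"|"deny", "dest": CIDR or "any"},
    evaluated top-down with the first match winning (assumed model).
    Any allow into private space is reported, whatever its protocol or port.
    """
    undecided = [ipaddress.ip_network(n) for n in RFC1918]
    exposed = []
    for rule in rules:
        cidr = "0.0.0.0/0" if rule["dest"] == "any" else rule["dest"]
        dest = ipaddress.ip_network(cidr, strict=False)
        still_undecided = []
        for net in undecided:
            if net.subnet_of(dest):        # rule covers the whole range
                matched, rest = [net], []
            elif dest.subnet_of(net):      # rule covers part of the range
                matched, rest = [dest], list(net.address_exclude(dest))
            else:                          # no overlap, later rules decide
                matched, rest = [], [net]
            if rule["policy"] == "allow":
                exposed.extend(matched)
            still_undecided.extend(rest)
        undecided = still_undecided
    # Assumption: traffic that matches no rule is allowed.
    exposed.extend(undecided)
    return sorted(ipaddress.collapse_addresses(exposed))

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, [str(n) for n in exposed_private_ranges(rules)])
```

An allow rule placed above the deny rules shows up as exposed even when a later deny covers the same subnet, which is the ordering mistake this kind of check is meant to catch.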

 

 

AshMead
Getting noticed

Thanks Nash. This does look simpler!

AshMead
Getting noticed

 

Am I right in thinking that they should have one MX set up as the one-arm concentrator for access to their data center then another MX at each branch site to control access?

 

Is this the current best practice?

 

Thanks

 

 
