I have a customer who is using a separate MX for their guest network.
Is this best practice?
They have two MX (MX84 and MX64) in two separate locations running in passthrough mode. All wireless traffic passes through the MX84 except for the guest traffic which is tunnelled to a MX64 acting as a concentrator.
Is there a better way of achieving this?
What exactly is their goal with this wireless setup?
What manufacturer are their APs? My answer changes if they're Meraki or not.
The APs are all Meraki, a mixture of MR33 and MR42.
The goal is to keep the guest traffic separate from the rest of the corporate traffic. The guest traffic is all tunnelled to one MX device set up as a wireless concentrator.
Would the MXs need to be in Routed Mode in order to define traffic separation rules?
Okay, the way you are doing it is very much not the way we do it. By the time the traffic gets to that second MX, it's still gone across the same switches etc.
Why not use the L3 firewall baked into the MR to separate the guest vlan from your LAN? This is the basic method of blocking guest traffic from your local LANs. https://documentation.meraki.com/MR/Firewall_and_Traffic_Shaping/MR_Firewall_Rules
You can apply a different group policy to your guest vlan, to ensure that content filtering/etc are set the way you want: https://documentation.meraki.com/zGeneral_Administration/Cross-Platform_Content/Creating_and_Applyin...
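An added illustration of the MR L3 firewall approach suggested above (example code, not from this thread or from Meraki; the rule field names follow the Dashboard API payload for an SSID's L3 firewall rules and are an assumption here): it builds a deny-to-corporate-ranges rule set for the guest SSID and simulates the top-down, first-match evaluation so you can check which destinations a guest client can reach before pushing the rules.

```python
import ipaddress

# Constructed example: corporate address space the guest SSID must not reach.
# Replace with the customer's real LAN/data-center prefixes.
PRIVATE_RANGES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def build_guest_l3_rules(corporate_cidrs=PRIVATE_RANGES):
    """Deny guest clients every corporate range, then let everything else out.

    Field names (policy, protocol, destPort, destCidr, comment, allowLanAccess)
    mirror the Meraki Dashboard API SSID L3 firewall payload (assumed shape).
    Rules are evaluated top-down; unmatched traffic is allowed by default.
    """
    rules = [
        {
            "comment": f"Block guest to {cidr}",
            "policy": "deny",
            "protocol": "any",
            "destPort": "Any",
            "destCidr": cidr,
        }
        for cidr in corporate_cidrs
    ]
    # allowLanAccess=False also blocks guests from the AP's local LAN.
    return {"rules": rules, "allowLanAccess": False}


def evaluate(payload, dst_ip):
    """Simulate first-match evaluation of the rule list for one destination IP.

    Returns 'deny' or 'allow'. A destCidr of 'any' matches everything;
    traffic matching no explicit rule falls through to the default allow.
    """
    addr = ipaddress.ip_address(dst_ip)
    for rule in payload["rules"]:
        cidr = rule["destCidr"]
        if cidr.lower() == "any" or addr in ipaddress.ip_network(cidr, strict=False):
            return rule["policy"]
    return "allow"


if __name__ == "__main__":
    policy = build_guest_l3_rules()
    for ip in ("10.20.30.40", "192.168.1.10", "8.8.8.8"):
        print(f"guest -> {ip}: {evaluate(policy, ip)}")
```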
Am I right in thinking that they should have one MX set up as the one-arm concentrator for access to their data center then another MX at each branch site to control access?
Is this the current best practice?
Thanks