Introduction and Challenge with Meraki MX using Cisco 5508 Local Controller for Guest WI-FI
Hello everyone. Our organization has been in the process of implementing Meraki MX, MR, and MS platforms to our Enterprise remote locations for the past year and a half, and it has been a very positive experience. Meraki delivers, hands down, in an environment where we can manage our networks more efficiently as we wear a lot of different hats.
One of the challenges I'm facing is a hybrid integration of an MX firewall (SDWAN) and Guest WI-FI using a Cisco 5508 local controller via ISE splash page. I realize the best solution is to replace each site with all Meraki; however, budgeting and immediate needs have set the direction.
Used to be: iWan ISR4430 > Cisco 3850 switch > 5508 controller > 3702 AP > Guest SSID > ISE Guest Platform
(the ISR 4430 handled the NATs and firewalling to ISE for the Guest VLAN)
Now is: MX100 firewall > MS250 switch > 5508 controller > 3702 AP > Guest SSID > ISE Guest Platform
(ISE is not responding back)
Our goal is to standardize the same 192.168.X.X subnet for Guest traffic at all locations, but we're missing something, whether it's NAT or if we need to now involve rules for the Enterprise Cisco firewalls, or maybe a Wireless Concentrator? Our ISE for Guest is not accessible publicly.
I'm looking for others who have a similar scenario they've faced, thank you.
We have Cisco APs, local/centralized controllers, but guest SSID tunnels back to guest WLC in a DMZ. Works fine and it doesn't matter if it's an MPLS site or a Meraki based site, centralized WLC or FlexConnect. Guest SSID is all fine and dandy.
We did have one little issue at one site, but it was an MTU issue when we tried to use a GRE tunnel over the Meraki connection - haven't messed with GRE since. Otherwise, zero issues.
Thank you, gentlemen, for your replies, and sorry I slept on this so long. The issue is resolved. On my MX 100, I went into 'Security & SDWAN' > 'Access Control' > 'Network Access' and set the Guest VLAN to None. Access Control was not necessary as the WLC was already sending the access/splash requests to ISE.