Investigating activity on Guest SSID

SOLVED
MarshMadness
Here to help


We have an MX84 with Advanced Security and a variety of MRs connected by Aruba PoE switches.

  1. Currently set up as a flat network, just about done VLAN'ing segmentation for security reasons primarily (cutover in next couple of weeks)
  2. Mixed bag of Windows 10 and Chromebook for LAN and Guest network is obviously diverse in type
  3. 3 SSIDs - Faculty (LAN), Guests and Student (both using MR DHCP)
    1. LAN DHCP is currently Active Directory, about to move to MX VLAN DHCP (minimal internal DNS needs any longer, so DC is going away)
  4. Tracking clients by IP
  5. We are filtering on numerous content categorizations at the MX
  6. We do not have any specific filtering done on the MR's, relying only on the MX
    1. Is this the proper approach or should additional config be done on MR's?
  7. When I see blocks in the event logs based on content filtering for devices on the Guest network, I only see the IP of the MR the client is attached to, no info about the client
    1. What can be done to investigate and identify the offending client(s)?
    2. Would syslog be helpful or necessary?
    3. MRs don't seem to provide any correlating events, or am I missing something?
    4. Are there adjustable logging levels that might provide more detail?

Thank you in advance for any help!

1 ACCEPTED SOLUTION
MerakiDave
Meraki Employee

Leveraging NAT mode on the APs just to get the content filtering at the edge may not be the best option here.  Sounds like you might want to approach this with configuring a Guest VLAN on the MX, and then run the Guest SSID in Bridge mode and tag it to the Guest VLAN.  That would avoid having every AP become the NAT boundary and you'll be bridging the guest traffic to the guest VLAN, you can simply track by MAC address and have full visibility down to each client (versus the management IP of each AP) and a more meaningful set of events and reports on the MX.  And you still have all of the Adv Sec features on the MX, and you also would still have firewall and traffic shaping at the edge on the APs if you wanted to, just not the content filtering, but the MX is better at that anyway.  Probably no need to syslog at that point unless you had some other requirement to do so, you can syslog flows and URLs but that's really chatty so plan to have some 3rd party syslog parsing/reporting tool if doing that to make it useful.  


6 REPLIES

What @MerakiDave said

NAT mode is great for things like coffee shops or if you're in a tight spot and need to spin something up quick, but for enterprise it's not good for the reasons you just described, and the wireless impact it has on roaming. Anytime a client moves from one AP to another it's a hard roam, so things like real-time audio/video chats will break and have to reconnect.
Nolan Herring | nolanwifi.com

Thanks @NolanHerring for the extra input!  @MarshMadness The other thing I should have mentioned, is to note that since it's a guest SSID, if running in Bridge mode, you can still enforce L2 isolation (which is the default for NAT mode SSIDs but not the default for Bridge mode), so be sure to do that for the guests.  Hope that helped!


Thank you @MerakiDave and @NolanHerring for the analysis of my setup.  As this is a departure from current state, I do have some follow-up questions...


If I understand correctly (forgive me, networking is decidedly NOT my strong suit), I should:

  1. Change the current Guest SSID out of NAT mode and move to bridge mode using tagging to a VLAN set up on the MX specifically for Guests (I would also do the same for students [dedicate MX VLAN and config SSID in bridge mode])
  2. Ensure Client isolation (layer 2) is on for Guest and Student VLANs
    1. I presume the client isolation would be done in Wireless\Firewall Traffic & Shaping\Block IPs and ports\Layer 2 LAN isolation.
    2. Would I also need to add any rules (layer 3) specifically in the MX\Firewall area to block as well?
    3. Is Deny "Any" "Local LAN" "Any" specific enough of a rule, or do I need to be more so since I am VLAN'ing out my network?
  3. Change to MAC tracking from IP tracking
    1. In the config section for tracking, it states "Clients are identified by their IP addresses. You should use this if there are non-Meraki layer 3 devices routing downstream clients." As I have Aruba 2530 switches, is this advisable?
  4. I assume what little Layer 7 we do continues to occur at the MR/SSID level?
  5. This will allow all the clients on the network the benefits of Advanced Security and provide better insight into individual devices?
  6. Do I keep Content Filtering turned off at the SSID?
  7. Thankfully, I have a spare AP that I can play around with and test this out...
    1. Any last gotchas to prepare for?


Again, major thanks for taking the time out on a Sunday to help out!

@MarshMadness no worries, happy to help.  Correct, on the MX Address and VLANs page, enable VLANs and if they're not already created, create a Student VLAN and a Guest VLAN and assign a VLAN ID and an IP address in each of those subnets.  Just for example, let's say 10.1.1.0/24 and VLAN 100 for students and 10.2.2.0/24 and VLAN 200 for guests and assume the MX IPs are 10.1.1.1 and 10.2.2.1.  Then on the Wireless Access Control page for each of the SSIDs, change the addressing mode to Bridge (instead of NAT) mode, and further below enable VLAN tagging and in the "all other APs" box put 100 for the Student and 200 for the Guest.  (There will be an SSID dropdown box up top).  


Also go to the Wireless > Firewall & Traffic Shaping screen and that's where you can enable L2 isolation for each SSID, definitely for the guests, maybe for the student SSID but perhaps not, depends on your needs or policy.  That's correct, for at least the Guest VLAN, you would want to deny traffic to the local LAN, so guests would be firewalled off and only allowed out to external/public Internet addresses.  You could also add L3 FW rules on the MX firewall page to deny traffic from VLAN 100 to VLAN 200 and vice-versa.


If your Aruba 2530 switches in between create any L3 demarc then you could go back to track by IP, otherwise if that's all L2 then leave it track by MAC and naturally make sure that you have the APs connecting back to dot1q trunk ports on the switch and likewise have trunk interfaces between the 2530s and MX allowing VLANs 1,100,200.  Make sure the APs can ping the MX and vice versa and that they're all still online in Dashboard.  


Yes, you could still continue to do any L7 stuff you need to at the edge on the APs via the Wireless > Firewall & Traffic Shaping page, except the content filtering which is not available in Bridge mode SSIDs anyway (Q6 below), and that would take place on the MX now on the Content Filtering page.  That should give you the better visibility you're looking for and you have all the Adv Sec features on the MX like you mentioned.  


Hope that helps!
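To make the rule discussion above concrete (the "Deny Any Local LAN Any" question and the MX L3 rules between VLAN 100 and VLAN 200), here is a small first-match model of the two firewall layers, written as an added example for this thread rather than anything from Meraki or the posters. It uses the constructed subnets from the reply (10.1.1.0/24 for VLAN 100, 10.2.2.0/24 for VLAN 200); the VLAN 1 subnet is an assumed value, and "Local LAN" is modelled simply as the union of the configured VLAN subnets, which is an assumption and not the product's exact definition. It also includes a simple shadow check, because a rule placed after an any/any rule never matches, which is the most common way an isolation rule silently stops working.

```python
"""First-match model of the SSID-level (AP) rules and the MX L3 rules described
in the thread. Constructed example values: Student VLAN 100 = 10.1.1.0/24,
Guest VLAN 200 = 10.2.2.0/24; the VLAN 1 subnet is assumed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed VLAN plan from the thread; VLAN 1 subnet is an assumed placeholder.
VLANS = {
    1: ip_network("192.168.128.0/24"),
    100: ip_network("10.1.1.0/24"),
    200: ip_network("10.2.2.0/24"),
}


@dataclass(frozen=True)
class Rule:
    policy: str   # "allow" or "deny"
    src: str      # CIDR or "any"
    dst: str      # CIDR, "any", or "local" (assumption: any configured VLAN subnet)
    comment: str = ""


def _matches(spec: str, addr) -> bool:
    if spec == "any":
        return True
    if spec == "local":
        return any(addr in net for net in VLANS.values())
    return addr in ip_network(spec)


def first_match(rules, src: str, dst: str):
    """Top-down first match; falling off the end means the implicit allow."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if _matches(rule.src, s) and _matches(rule.dst, d):
            return rule.policy, rule.comment
    return "allow", "default allow"


def vlan_of(addr: str):
    a = ip_address(addr)
    return next((vid for vid, net in VLANS.items() if a in net), None)


# Rules applied at the AP per SSID, keyed by the VLAN the SSID is bridged to.
SSID_RULES = {
    200: [Rule("deny", "any", "local", "Guest SSID: deny Local LAN")],
    100: [],  # student SSID left open here; the thread leaves that to policy
}

# MX L3 rules keeping the student and guest VLANs apart in both directions.
MX_L3_RULES = [
    Rule("deny", "10.1.1.0/24", "10.2.2.0/24", "students -> guests"),
    Rule("deny", "10.2.2.0/24", "10.1.1.0/24", "guests -> students"),
]


def decide(src: str, dst: str):
    """Evaluate the AP rule set for the client's VLAN first, then the MX rules."""
    policy, why = first_match(SSID_RULES.get(vlan_of(src), []), src, dst)
    if policy == "deny":
        return "deny", f"AP: {why}"
    policy, why = first_match(MX_L3_RULES, src, dst)
    return policy, f"MX: {why}"


def _covers(outer: str, inner: str) -> bool:
    """True when every address matched by `inner` is also matched by `outer`."""
    if outer == "any":
        return True
    if inner == "any":
        return False
    if outer == inner:
        return True
    if "local" in (outer, inner):
        return False
    return ip_network(inner).subnet_of(ip_network(outer))


def shadowed(rules):
    """Indices of rules that can never match because an earlier rule covers them."""
    return [
        i for i, rule in enumerate(rules)
        if any(_covers(r.src, rule.src) and _covers(r.dst, rule.dst) for r in rules[:i])
    ]


if __name__ == "__main__":
    flows = [("10.2.2.50", "10.1.1.20"), ("10.2.2.50", "203.0.113.10"),
             ("10.1.1.20", "10.2.2.50"), ("10.1.1.20", "192.168.128.10")]
    for src, dst in flows:
        print(f"{src} -> {dst}: {decide(src, dst)}")
    # A deny placed after an allow-any/any is dead: expect index 1 reported.
    print("shadowed:", shadowed([Rule("allow", "any", "any"), Rule("deny", "any", "local")]))
```

Run it and the guest-to-student flow is stopped at the AP by the Local LAN rule, the student-to-guest flow only by the MX rule (since nothing is applied at the student SSID in this model), and guest-to-Internet passes both layers. The `shadowed` check is the thing to run whenever rules are reordered.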


Thanks again @MerakiDave, this worked out great. I had to take a methodical approach to cutting over specific VLANs first in prep for the guest and student network move, but with them all moved to their new home it appears to be working great. An ancillary benefit that I did not "ask for" but was one that was pointed out in the @NolanHerring response is in regards to impacts for roaming clients (this is looking much better now).
