MX and guest network

Dash
Conversationalist

We are planning to install several MXs across multiple sites. Each location will have its own subnet. But is it possible to create a guest network using a single subnet across all MXs?

Markus
Here to help

When you configure the MX networks in the template, you can configure each of them as "same" or "different".

Just configure the guest network as "same".

PhilipDAth
Kind of a big deal

Are you wanting the same layer 2 domain to span all the sites and exit from just one of them?

Or do you just want to use the same VLAN number at each site, where that VLAN goes out the local MX and is not connected to the same VLAN at other sites?

Adam
Kind of a big deal

Will each MX have its own internet connection? If so, then you could safely use the same subnet on all of the MXs and just have it route out to the internet. A few things to keep in mind:

1. If your MXs are VPN'd together, then make sure not to include the guest subnets in the VPN.

2. If you make a guest VLAN/subnet on the MX, it will automatically be routable to/from your production network, so you'll need to go to Security Appliance > Firewall to create a rule that prevents the guest VLAN/subnet from being able to talk to your other VLANs/subnets.

3. Any device on the guest subnet will be able to see/ping any other device on the guest subnet, unlike the way the Meraki wireless guest subnet works with segregating each client.

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
Dash
Conversationalist

For your point 3:

How should I set it if I don't want them to see/ping each other?

Adam
Kind of a big deal

@Dash, you can create the same VLAN/subnet at each site as long as it isn't part of the VPN tunnel, so you don't get routing issues between sites. Regarding point 3, I haven't found a way to accomplish that. I contacted Meraki support and they didn't have a solution, so I just made two public VLANs: secure public and regular public. The secure public is the public-only subnet/VLAN where I'd fail over my 802.1X devices and devices that would otherwise be secure. The regular public subnet is for devices that are not otherwise secure and just need internet. Crude solution, but I haven't come up with a better one in the meantime. @PhilipDAth, any ideas for this?

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
Markus
Here to help

Hi Dash,

If you use the template, configure the network as "same", so it is the same in each site, including VLAN ID and IP address.

Also set "In VPN" to no, so this network is only local and the sites cannot ping each other over the VPN.

In your case, I would also assign a group policy with some firewall rules, so that guests can only connect to the internet, and not to other local LANs.
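The two controls the thread keeps coming back to are the ones Adam lists as points 1 and 2 and Markus repeats above: the shared guest subnet must stay out of AutoVPN at every site, and the L3 firewall must deny guest-to-production traffic ahead of the MX's default allow. The script below is an added, offline sanity check for a planned multi-site guest VLAN; it is not Meraki's code and it never calls the Dashboard. The dictionary layouts are modelled on the Dashboard API payloads for site-to-site VPN subnets (`localSubnet`/`useVpn`) and L3 firewall rules (`policy`, `srcCidr`, `destCidr`, ...) as I understand them, so treat the exact key names as an assumption; the site names, subnets and rules are constructed sample data.

```python
"""Offline checks for a multi-site MX guest VLAN plan (added example, not Meraki code).

Pitfalls checked, as raised in the thread:
  1. the guest subnet must NOT be advertised into AutoVPN at any site
     (the same prefix at several sites would otherwise produce overlapping routes);
  2. the L3 firewall must deny guest -> production before the default allow-all.
Key names mirror the Dashboard API payloads for siteToSiteVpn and
l3FirewallRules as assumed here; all data below is constructed.
"""
from ipaddress import ip_network

GUEST_SUBNET = "192.168.250.0/24"                                       # constructed, reused at every site
PRODUCTION_SUBNETS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]  # RFC 1918 ranges to fence off

# Constructed per-site VPN config: branch-b wrongly puts the guest subnet in the VPN.
SITES = {
    "branch-a": {"siteToSiteVpn": {"mode": "spoke", "subnets": [
        {"localSubnet": "10.1.0.0/24", "useVpn": True},
        {"localSubnet": GUEST_SUBNET, "useVpn": False}]}},
    "branch-b": {"siteToSiteVpn": {"mode": "spoke", "subnets": [
        {"localSubnet": "10.2.0.0/24", "useVpn": True},
        {"localSubnet": GUEST_SUBNET, "useVpn": True}]}},   # the mistake to catch
}


def cidr(text):
    """Meraki's 'Any' wildcard becomes 0.0.0.0/0; anything else is parsed as a network."""
    return ip_network("0.0.0.0/0" if text.lower() == "any" else text, strict=False)


def guest_subnets_in_vpn(sites, guest=GUEST_SUBNET):
    """Names of sites that advertise the guest subnet into AutoVPN (should be empty)."""
    g = ip_network(guest)
    return sorted(
        name for name, cfg in sites.items()
        for s in cfg["siteToSiteVpn"]["subnets"]
        if s["useVpn"] and ip_network(s["localSubnet"]) == g
    )


def guest_firewall_rules(guest=GUEST_SUBNET, production=PRODUCTION_SUBNETS):
    """Build an L3 rule list: deny guest -> each private range, then allow guest -> anywhere.

    Note: traffic between two guest clients inside the same VLAN never reaches
    these L3 rules, which is why the MX cannot isolate guests from each other
    (Adam's point 3).
    """
    rules = [
        {"comment": f"guest to {net} blocked", "policy": "deny", "protocol": "any",
         "srcPort": "Any", "srcCidr": guest, "destPort": "Any", "destCidr": net,
         "syslogEnabled": True}
        for net in production
    ]
    rules.append({"comment": "guest to internet", "policy": "allow", "protocol": "any",
                  "srcPort": "Any", "srcCidr": guest, "destPort": "Any", "destCidr": "Any",
                  "syslogEnabled": False})
    return rules


def unprotected_destinations(rules, guest=GUEST_SUBNET, production=PRODUCTION_SUBNETS):
    """Walk the rules top-down (first match wins, default allow) and report every
    production range a guest host could still reach.  A deny only counts when it
    covers the whole range, so partial denies are reported conservatively."""
    g = ip_network(guest)
    leaks = []
    for net in production:
        target = ip_network(net)
        verdict = "allow"                      # MX default rule: allow any -> any
        for r in rules:
            if not g.subnet_of(cidr(r["srcCidr"])):
                continue                       # rule does not apply to guest sources
            dest = cidr(r["destCidr"])
            if r["policy"] == "deny" and target.subnet_of(dest):
                verdict = "deny"
                break
            if r["policy"] == "allow" and target.overlaps(dest):
                verdict = "allow"
                break
        if verdict != "deny":
            leaks.append(net)
    return leaks


if __name__ == "__main__":
    print("guest subnet in VPN at:", guest_subnets_in_vpn(SITES) or "no site (good)")
    rules = guest_firewall_rules()
    print("leaks with correct rule order:", unprotected_destinations(rules) or "none")
    print("leaks with allow-any first:", unprotected_destinations(list(reversed(rules))))
```

Run it as-is to see branch-b flagged for advertising the guest prefix, an empty leak list for the generated rule order, and all three private ranges leaking once the allow-any rule is moved above the denies, which is the ordering mistake the L3 page makes easy to commit.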

Dash
Conversationalist

"Or do you just want to use the same VLAN number at each site, where that VLAN goes out the local MX and is not connected to the same VLAN at other sites?"

Yes, they will be in the same VLAN and not be connected to the same VLAN at other sites.

Uberseehandel
Kind of a big deal

If you are creating a guest network, and by that you mean a network that

  • does not allow access to the local network
  • isolates guest users from each other

then it does not have to extend across all sites. In fact, that just adds extra complications. The guest network at each site/location can require the same user credentials across all the sites.

Isolated guest network creation:

Go to Wireless > SSIDs.

If the SSID you wish to use for guests does not exist, set it up, or edit the settings for that SSID.

Then, on the Access Control page, set up the environment.

Under the section headed "Addressing and traffic" you will see "Client IP assignment", which gives you the option to select "NAT mode: Use Meraki DHCP". With this option, clients receive IP addresses in an isolated 10.0.0.0/8 network. Clients cannot communicate with each other, but they may communicate with devices on the wired LAN if the SSID firewall settings permit.

Then ensure that guest users never access the local network. Usually I apply a group policy that stops guests running peer-to-peer applications (file sharing) and adjust the minimum network speed so that 802.11b is not supported, as that severely restricts throughput.

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel