Hey all,
We're about to test out a Meraki wireless solution for a client. Part of the solution's requirement is to match the existing legacy Cisco WLC design (sitting within DMZ) for Guest Wi-Fi traffic, integrating with ISE for central web authentication.
Therefore, we're going to put a MX250 (in one-armed mode) within the clients DMZ as a concentrator in order to segregate guest SSID traffic from corporate traffic.
Now what I'm unsure and I'm hoping for people more knowledgeable to confirm my understanding.
Since the MX250 will be configured in one-armed mode as recommended in SSID tunneling doco.
My understanding is that we can design it in a way with the MX250 WAN1 port trunked to the DMZ switch/firewall with two configured VLANS on the trunk port.
With say VLAN 243 as the management/Out-of-band VLAN for MX250 AND as the tunnel endpoint for MR access points?
The other VLAN 305 will be for tagged guest SSID traffic egress from MX to external FW/Internet?
By doing this we're separating mgmt/out-of-band traffic.
Therefore, in terms of configuration.
WAN1 port on MX250 as per below tagged with VLAN 243?
Guest SSID would be configured with traffic tagged on VLAN 305 as per below?
The doco about SSID tunneling unfortunately isn't really comprehensive, so I appreciate if anyone could validate the above.