client isolation - sort of

braham_ilg
Here to help


I need advice on following scenario: full Meraki network. I have an SSID for Office users, one for Guest.

 

I also have some IOT devices (warehouse scanners that only need to talk to a cloud service), but I don't want to create a separate SSID just for them. The Guest SSID can't be used because of the splash page (unless there is a way to circumvent that).

 

So next logical step would be having them connect to the office SSID, putting them in their own little VLAN, and isolate them from the rest of the office network. I created a VLAN, Group Policy, etc. and assigned it. In the group policy I blocked all traffic to RFC1918 networks.

 

The following happens: because there is no local DNS server, the MX is proxying DNS requests. This works fine for other internal VLANs (wired, office wireless). But in this case, I guess because of the RFC1918 deny rule, it won't even ping the default gateway. Am I correct in assuming this is how it is supposed to work? I thought the default gateway was always available?
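To illustrate why a single RFC1918 deny also cuts off the gateway's DNS proxy, here is an added example (not Meraki code or API, and not from any poster) that models a top-down, first-match L3 rule list and compares the policy described above with one that places explicit allows for the gateway ahead of the broad deny. The gateway address 192.168.50.1 and the sample destinations are assumed values.

```python
import ipaddress

# Constructed model of an ordered, first-match L3 policy; not Meraki's own code.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def rule(action, proto="any", dst="any", port="any", note=""):
    return {"action": action, "proto": proto, "dst": dst, "port": port, "note": note}

def _dst_match(rule_dst, dst_ip):
    if rule_dst == "any":
        return True
    if rule_dst == "rfc1918":
        return any(dst_ip in n for n in RFC1918)
    return dst_ip in ipaddress.ip_network(rule_dst, strict=False)

def evaluate(rules, proto, dst, port=None):
    """Return the action of the first matching rule; 'allow' when nothing matches."""
    dst_ip = ipaddress.ip_address(dst)
    for r in rules:
        if r["proto"] not in ("any", proto):
            continue
        if not _dst_match(r["dst"], dst_ip):
            continue
        if r["port"] != "any" and r["port"] != port:
            continue
        return r["action"]
    return "allow"

# Policy as described in the question: one deny covering all RFC1918 space.
ORIGINAL_POLICY = [rule("deny", dst="rfc1918", note="block all internal networks")]

# Corrected policy: allow only the gateway services the scanners need (DNS via
# the MX proxy and ICMP for reachability checks) above the broad deny.
GATEWAY = "192.168.50.1"  # assumed IoT VLAN gateway address
CORRECTED_POLICY = [
    rule("allow", proto="udp", dst=GATEWAY + "/32", port=53, note="DNS via MX proxy"),
    rule("allow", proto="icmp", dst=GATEWAY + "/32", note="ping gateway"),
    rule("deny", dst="rfc1918", note="block everything else internal"),
]

def check(policy):
    """Evaluate the flows that matter for the scanner VLAN against a policy."""
    return {
        "dns_to_gateway": evaluate(policy, "udp", GATEWAY, 53),
        "ping_gateway": evaluate(policy, "icmp", GATEWAY),
        "office_fileserver": evaluate(policy, "tcp", "10.1.2.3", 445),
        "cloud_service": evaluate(policy, "tcp", "203.0.113.10", 443),
    }
```

Running `check(ORIGINAL_POLICY)` shows DNS and ping to the gateway both denied, which matches the symptom described; `check(CORRECTED_POLICY)` allows those two flows while still denying the rest of the internal address space.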

PatWruk
Getting noticed

If you're using Meraki NAT on the Guest SSID, the AP will become the gateway for any devices connected to that SSID and handle the DNS requests. You can put the devices on there then assign a group policy to them to bypass the splash page. That's how we do it at our locations for IOT devices.

 

In the group policy page under Wireless Only -> Splash, select Bypass.

alemabrahao
Kind of a big deal

This approach of assigning a group policy by device type, in 98% of cases, doesn't work well if you're only using Meraki; ideally, you should have Cisco ISE.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
PatWruk
Getting noticed

In our case, we have 1 device per location (~50 locations) that can't handle splash screens and show up as "Android". We don't assign by device type, we get the mac from the end user then apply the group policy to that device. If the device gets lost/broken then we apply the policy to the new one.

 

We may be able to find a way to have it handle .1x, but we don't really want to create another SSID for 1 device when we already have a public wifi and the device only needs internet access, no internal connectivity.

alemabrahao
Kind of a big deal

I don't see the logic in this scenario. If it were a division of VLANs by floors or buildings on a corporate SSID, it would make sense, but for IoT and Guest networks, the ideal is to keep them on separate SSIDs.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.