Using built-in DHCP server to serve guest WiFi

IJ
Here to help


Hi, one of the schools we look after has had a new install of a stack of two Meraki MS-250 switches, and a number of MR44 WiFi access points.  The school want a guest SSID setting up.
 
The network has an IP range of 172.16.80.0 - 172.16.83.254, subnet 255.255.252.0, gateway 172.16.83.254
 
We have a DHCP scope for clients (this is external and not sourced from the switch) that gives out 172.16.81.1 to 172.16.82.254 (172.16.80.x used for servers, switches, printers etc., and 172.16.83.x currently not being used), they all use VLAN 60.
 
The head wants to introduce a guest WiFi network, but has been advised by the local authority that he must be able to monitor/log what is accessed (using the school's local filtering equipment), therefore we won't be able to set up the built in Meraki guest option where clients get a 10.0.0.0 address, because as far as we can see, all visited sites on the guest SSID would appear on the IP address of the WiFi access point used, with no way of separating it (this option would be perfect otherwise).
 
I understand the switches support Layer 3 routing - I have no experience at all at this level, so could someone look at what I've got in my head (below) and tell me if it's possible?
 
Basically, I was thinking that we might be able to tag the guest SSID with its own VLAN (for instance, VLAN 61) and then, using the built in DHCP server in the switch, have a scope for this VLAN 61 giving out addresses of 172.16.83.1-172.16.83.100 (utilizing the unused 172.16.83.x range in the network), but (and this is where I'd be completely lost) somehow then send this traffic, which is on the correct IP address but wrong VLAN, across to the correct VLAN (60) and out of the switch in the same way as the normal traffic from VLAN 60.
 
Is this an option?  I understand that it would otherwise be an option to keep this guest traffic on its VLAN 61 until it leaves the switch and have something done at the external firewall side, but we don't have much support from the people who provide our internet and firewall links, so if the guest traffic was able to leave the switch on individual addresses of 172.16.83.x, and be in VLAN 60, that would I think do the job.
 
Thanks for reading, any tips appreciated.
3 Replies
alemabrahao
Kind of a big deal

You can create a new VLAN for the guest SSID on your MS250. This will logically separate the guest network traffic from your main network (VLAN 60).

The MS250 switches have a built-in DHCP server. You can configure this to provide IP addresses in the range 172.16.83.1-172.16.83.100 for VLAN 61.

You can configure your Layer 3 switch to route traffic from VLAN 61 to VLAN 60. This is done by creating Layer 3 interfaces or Switch Virtual Interfaces (SVIs) for each VLAN.

You can configure the guest SSID on your MR44 WiFi access points to use VLAN 61. This means any device connecting to the guest SSID will be given an IP address in the 172.16.83.x range and will be logically separated on VLAN 61.

As the traffic is now being routed through your switch, you should be able to monitor and log what is accessed using the school’s local filtering equipment.

Please note that while this setup should theoretically work, it’s always a good idea to test it in a controlled environment before deploying it in a live network. Also, remember to secure the guest network appropriately to prevent unauthorized access.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
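One check worth running before building the SVIs described above (an added example, not from anyone in this thread or from Meraki): a router can only give each VLAN its own interface if the VLAN subnets do not overlap, and the 172.16.83.x addresses the original post wants to hand out already sit inside VLAN 60's 172.16.80.0/22. The script below takes the existing routed VLANs plus a proposed guest subnet and DHCP pool (values constructed from the thread) and reports whether the plan is routable.

```python
"""Validate a proposed guest VLAN subnet/DHCP pool against the routed VLANs
that already exist on the switch. Added example; values are constructed from
the thread (VLAN 60 = 172.16.80.0/22, mask 255.255.252.0)."""
from ipaddress import ip_address, ip_network

# Existing routed VLAN(s) and their subnets, as described in the original post.
EXISTING_VLANS = {60: ip_network("172.16.80.0/22")}


def check_guest_plan(vlan_id, subnet, pool_start, pool_end, existing=EXISTING_VLANS):
    """Return a list of problems with the plan; an empty list means the guest
    VLAN can get its own Layer 3 interface and DHCP scope on the switch."""
    problems = []
    net = ip_network(subnet, strict=True)  # rejects a host address given as a subnet

    for vid, other in existing.items():
        if vid == vlan_id:
            problems.append(f"VLAN {vlan_id} already has a routed interface")
        elif net.overlaps(other):
            # Two SVIs cannot share address space; the switch would not know
            # which interface owns a given destination.
            problems.append(
                f"{net} overlaps VLAN {vid} subnet {other}; "
                "each routed VLAN needs its own non-overlapping subnet"
            )

    start, end = ip_address(pool_start), ip_address(pool_end)
    if start > end:
        problems.append("DHCP pool start is after pool end")
    for addr in (start, end):
        if addr not in net or addr in (net.network_address, net.broadcast_address):
            problems.append(f"DHCP address {addr} is not a usable host in {net}")
    return problems


if __name__ == "__main__":
    # The plan from the original post: VLAN 61 inside the VLAN 60 /22.
    for p in check_guest_plan(61, "172.16.83.0/24", "172.16.83.1", "172.16.83.100"):
        print("problem:", p)
    # A hypothetical guest subnet outside the /22 (placeholder, not from the thread).
    print("outside /22:", check_guest_plan(61, "172.16.84.0/24", "172.16.84.10", "172.16.84.100"))
```

The first call reports the overlap; the second returns no problems, which is the situation a separate routed guest VLAN (on the switch or, as suggested below, on the firewall) needs.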
IJ
Here to help

Thanks so much Alemabrahao, now that I know that it is in theory possible, I'll have a little tinker with it all.  I think I've got it giving out the correct IP addresses on my new guest VLAN, but the part of routing that to the other VLAN is something that I will have to have a good think about.  If I get stuck, any chance of a few pointers (please!)?

Thanks,

IJ

PhilipDAth
Kind of a big deal

You really should put the layer 3 VLAN on your firewall so you can keep the guest traffic separate from everything else.