We have 3 SSID's right and SSID#1 is for our internal network which is set up with our LAN network. SSID#2 is for our employees to have the internet on their personal devices and SSID#3 is Test.
Now we are trying to setup a new SSID by segregating the new VLAN but before that we have to present the Concept to our Team as well.
can we help me with the possible best ways to implement this new setup please!
From my Point of view this can be done by the Firewall policy only
thank in advance
is a good place to start
You can just create an SSID and use Meraki DHCP which separates everything from your internal network? If you're just trying to have segregation it would be the simplest and fastest way to setup. You can try it on your "Test" SSID and see how it works.
Make sure you set the SSID firewall so that the guest wifi doesn't have access to your normal network. It can be easy to miss, even if you're following that doc.
You can do the above as everyone has stated. Set the Wireless SSID to Meraki DHCP and create the SSID that way. Meraki will do all the work for you and assign a subnet for the guests, you will not have any input as to what subnet you can use except that it will be in the Class A subnet of 10.0.0.0/8. This will not allow any communication within the members of this VLAN, but they will be allowed to talk to anything on your wired LAN if you permit, you can go into the SSID Firewall settings and edit its access as you require. Note that if you require the clients to have access to things such as a chromecast or apple tv for presentations this will probably not be a route for you.
If you want more control then it will be a bit more work on your end. You can create the VLAN and restrict any local LAN access, or allow depending on your firewall settings. Utilizing this method will allow you to choose a more specific VLAN and add other devices to that VLAN that your Guests will require access to.
Here's an example to block a particular VLAN (this allows access within the VLAN but not to my local network):
Furthermore, if you need to change the access of the wireless clients by denying specific content per your company policy. You can do that on a per SSID basis under "Firewall & traffic shaping" in Wireless section and it will work on that Guests SSID without affecting the rest of your network, if you do it on the "Security & SD-WAN" it will apply to your entire network traffic, not on a per SSID basis.
Basically, if you require more control and have to implement other devices into the Guest VLAN then I would recommend creating a VLAN for this Guest Network applying all firewall rules to segregate the traffic.
Otherwise if you just require them to be on a segregated network without impacting your local network, go with the Meraki DHCP option, it's easy and simple to deploy and you can tie in additional layer 7 rules.