
Building segregated VLAN for Guest wifi


Hello all

 

We have 3 SSIDs right now. SSID#1 is for our internal network, which is set up with our LAN network. SSID#2 is for our employees to have the internet on their personal devices, and SSID#3 is Test.

Now we are trying to set up a new SSID by segregating the new VLAN, but before that we have to present the concept to our team as well.

 

Can you help me with the best possible ways to implement this new setup, please?

 

From my point of view, this can be done by the firewall policy only.

 

Any ideas?

 

Thanks in advance

 

 

7 REPLIES 7
Kind of a big deal

Re: Building segregated VLAN for Guest wifi

Configuring Simple Guest and Internal Wireless Networks

 

is a good place to start

 

 

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
Kind of a big deal

Re: Building segregated VLAN for Guest wifi

You can just create an SSID and use Meraki DHCP, which separates everything from your internal network? If you're just trying to have segregation, it would be the simplest and fastest way to set up. You can try it on your "Test" SSID and see how it works.

A model citizen

Re: Building segregated VLAN for Guest wifi

Which is what we are doing; it seems a good way to keep separation of church and state.

Kind of a big deal

Re: Building segregated VLAN for Guest wifi

Make sure you set the SSID firewall so that the guest wifi doesn't have access to your normal network. It can be easy to miss, even if you're following that doc.

Kind of a big deal

Re: Building segregated VLAN for Guest wifi

As @Nash stated, just check your "firewall and traffic shaping" rules for wifi and make sure this is set to Deny.

 

Capture.PNG

A model citizen

Re: Building segregated VLAN for Guest wifi

Pretty straightforward me thought.

Getting noticed

Re: Building segregated VLAN for Guest wifi

@Naimro 

 

You can do the above as everyone has stated. Set the Wireless SSID to Meraki DHCP and create the SSID that way. Meraki will do all the work for you and assign a subnet for the guests; you will not have any input as to what subnet you can use, except that it will be in the Class A subnet of 10.0.0.0/8. This will not allow any communication within the members of this VLAN, but they will be allowed to talk to anything on your wired LAN if you permit; you can go into the SSID Firewall settings and edit its access as you require. Note that if you require the clients to have access to things such as a Chromecast or Apple TV for presentations, this will probably not be a route for you.

 

Screen Shot 2019-05-13 at 12.36.42 PM.png

 

If you want more control then it will be a bit more work on your end. You can create the VLAN and restrict any local LAN access, or allow depending on your firewall settings. Utilizing this method will allow you to choose a more specific VLAN and add other devices to that VLAN that your Guests will require access to.

Here's an example to block a particular VLAN (this allows access within the VLAN but not to my local network):

Screen Shot 2019-05-13 at 12.43.05 PM.png

 

Furthermore, if you need to change the access of the wireless clients by denying specific content per your company policy, you can do that on a per-SSID basis under "Firewall & traffic shaping" in the Wireless section, and it will work on that Guest SSID without affecting the rest of your network. If you do it on the "Security & SD-WAN" page, it will apply to your entire network traffic, not on a per-SSID basis.

 

Basically, if you require more control and have to implement other devices into the Guest VLAN, then I would recommend creating a VLAN for this Guest Network and applying all firewall rules to segregate the traffic.

Otherwise, if you just require them to be on a segregated network without impacting your local network, go with the Meraki DHCP option. It's easy and simple to deploy, and you can tie in additional layer 7 rules.
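
The replies above warn that the guest-to-LAN deny rule is easy to miss. The following is an added example, not part of the original thread and not Meraki's rule format or API: a small offline audit that walks an ordered, first-match rule list and reports which internal ranges a guest subnet can still reach. The rule dictionary layout, the default-allow behaviour and all subnets are assumptions constructed for illustration.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

def _net(cidr):
    """Parse a CIDR string; the keyword "any" means 0.0.0.0/0."""
    return ANY if cidr.lower() == "any" else ipaddress.ip_network(cidr)

def guest_lan_exposure(rules, guest, internal, default="allow"):
    """Return the internal ranges the guest subnet can still reach.

    Rules are read top-down and the first match wins; 'default' is the
    action for traffic that no rule matches.
    """
    guest, exposed = _net(guest), []
    for lan in map(_net, internal):
        undecided = [lan]                  # parts of lan no rule has matched yet
        for rule in rules:
            src, dst = _net(rule["src"]), _net(rule["dst"])
            if not src.overlaps(guest):
                continue
            all_guests = guest.subnet_of(src)
            still = []
            for part in undecided:
                if not dst.overlaps(part):
                    still.append(part)
                    continue
                hit = part if part.subnet_of(dst) else dst  # CIDRs nest or are disjoint
                if rule["policy"] == "allow":
                    exposed.append(hit)
                if not all_guests:
                    still.append(part)     # some guests fall through to later rules
                elif hit != part:
                    still.extend(part.address_exclude(hit))
            undecided = still
        if default == "allow":
            exposed.extend(undecided)
    return sorted(set(exposed))

# Constructed sample: guest VLAN, two internal VLANs, one presentation device.
GUEST, LANS = "192.168.50.0/24", ["192.168.10.0/24", "192.168.20.0/24"]
RULES = [
    {"policy": "allow", "src": GUEST, "dst": "192.168.10.25/32"},
    {"policy": "deny", "src": GUEST, "dst": "192.168.10.0/24"},  # second LAN forgotten
]

if __name__ == "__main__":
    for net in guest_lan_exposure(RULES, GUEST, LANS):
        print("guest can reach", net)
```

With the sample rules, the intended exception for the presentation device is reported alongside the second internal VLAN, which nothing denies.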
