Guest SSID with Special Privileges

Shadius
Building a reputation


Hi all,

 

I'd like to create an SSID for guests to access the Internet and also be able to only have access to our organization's printers.

 

Is there a way to do this while restricting access to the rest of our network resources?

Inderdeep
Kind of a big deal

@Shadius : Check this out 

https://documentation.meraki.com/MR/WiFi_Basics_and_Best_Practices/Configuring_Simple_Guest_and_Inte...

 

 

Regards
Inderdeep Singh
www.thenetworkdna.com ( Awarded by Cisco IT Blogs award 2020)
Shadius
Building a reputation

According to this article, I can set my "guest" network to NAT mode: Use Meraki DHCP to have the guests on a 10.0.0.0/8 network and still permit them access to the wired LAN network if the SSID firewall settings permit. However, if I allow access to the Local LAN through the SSID firewall settings, will this only apply to the printers on the Local LAN or everything in the Local LAN?

Inderdeep
Kind of a big deal

@Shadius : You need to set up the below

https://documentation.meraki.com/MR/Firewall_and_Traffic_Shaping/'Deny_Local_LAN'_settings_in_Cisco_... 

Regards
Inderdeep Singh
www.thenetworkdna.com ( Awarded by Cisco IT Blogs award 2020)

Where do your org's printers reside? Their own subnet? If so, it's easily accomplished with firewall rules and such.

 

If your org is large and printers span multiple subnets, networks, etc, it may be more difficult to accomplish and manage.

GIdenJoe
Kind of a big deal

Preferably use bridge mode unless you have no other choice.

 

Preferably have printers on their own VLAN so you can allow traffic via the MR firewall and traffic shaping configuration of the guest SSID. If this is not possible you can still have fixed IPs on your printers or just allow TCP to the ports used by printers.

Anonymous
Not applicable

The easiest and simplest way to do it would be to create a NAT mode SSID with Meraki DHCP and then create firewall rules on the Meraki APs to only permit access to the specified LAN IPs of the printers.

 

Below are two KB articles that will assist you with the configuration:

 

NAT mode SSID with Meraki DHCP -

https://documentation.meraki.com/MR/Client_Addressing_and_Bridging/NAT_Mode_with_Meraki_DHCP

 

MR Firewall Rules -

https://documentation.meraki.com/MR/Firewall_and_Traffic_Shaping/MR_Firewall_Rules

 

 

Shadius
Building a reputation

We are trying to decide whether we should put the printers on their own subnet or VLAN. I'm not sure what the best practice is for this scenario.

I guess I could just add firewall rules for each printer's IP address. The printers all have static IP addresses.
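
The per-printer rule approach discussed in this thread, as an added example that is not part of any post and is not Meraki code or API: a small Python model of a top-down, first-match rule list that allows TCP to each printer, denies the private (RFC 1918) ranges, then allows everything else, plus a check for allow rules that expose more of the LAN than intended. The printer addresses, ports and function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample values; the printer addresses and ports are assumptions.
PRINTERS = ["192.168.10.21", "192.168.10.22"]
PRINT_PORTS = [9100, 631]  # raw printing (JetDirect) and IPP
LOCAL_LAN = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]  # RFC 1918

def build_rules(printers, ports):
    """Ordered list: per-printer allows, then deny private ranges, then allow the rest."""
    net = ipaddress.ip_network
    rules = [("allow", "tcp", net(ip), port) for ip in printers for port in ports]
    rules += [("deny", "any", net(n), None) for n in LOCAL_LAN]
    rules.append(("allow", "any", net("0.0.0.0/0"), None))
    return rules

def evaluate(rules, proto, dst_ip, dst_port):
    """Return the action of the first rule that matches (top-down evaluation)."""
    dst = ipaddress.ip_address(dst_ip)
    for action, r_proto, r_net, r_port in rules:
        if r_proto in ("any", proto) and dst in r_net and r_port in (None, dst_port):
            return action
    return "deny"

def overbroad_allows(rules, printers):
    """List allow rules that expose private space beyond a single printer and port."""
    private = [ipaddress.ip_network(n) for n in LOCAL_LAN]
    hosts = {ipaddress.ip_network(p) for p in printers}
    denied, findings = [], []
    for rule in rules:
        action, _, r_net, r_port = rule
        if action == "deny":
            denied.append(r_net)  # private ranges denied above later rules
            continue
        # Exposed = the allow touches a private range that no earlier deny covers.
        exposed = any(r_net.overlaps(p) and not any(p.subnet_of(d) for d in denied)
                      for p in private)
        if exposed and (r_net not in hosts or r_port is None):
            findings.append(rule)
    return findings
```

Running `overbroad_allows` on a rule list before applying it catches the common mistake of a subnet-wide or any-port allow placed above the LAN deny, which would open every host in that range to guests.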