Guest wireless with VLAN Tagging

Solved
CMorinski
Conversationalist


Trying to set up a guest SSID in my elementary school. Below is how the ISP has our firewall configured.

 

0/3         1x.2xx.2xx.1/22    Internal Wireless    VLAN 35 Tagged
0/3.1007    1x.2xx.9x.0/23     Guest Wireless       VLAN 1007 Tagged

 

I am new to this process and would like to figure it out instead of contacting my vendor to set it up.  

I assumed I would use NAT Mode, but how do I configure firewall settings to pull from my IP pool set up by the ISP instead of this one? (10.0.0.0/8)

NAT mode: Use Meraki DHCP

Clients receive IP addresses in an isolated 10.0.0.0/8 network. Clients cannot communicate with each other, but they may communicate with devices on the wired LAN if the SSID firewall settings permit.
1 Accepted Solution
ww
Kind of a big deal

Yes, but maybe first configure it on an empty switch port and swap the cable to that port. In case it doesn't work you can easily go back.


11 Replies
ww
Kind of a big deal

In NAT mode it's always using Meraki DHCP.

 

I would recommend reading this

https://documentation.meraki.com/MR/Client_Addressing_and_Bridging/SSID_Modes_for_Client_IP_Assignme...

Use bridge mode and tag it with VLAN 1007.

Configure the firewall to deny local LAN and enable L2 LAN isolation.

CMorinski
Conversationalist

Thanks! I did try doing it that way yesterday. When I try connecting to the guest it will eventually time out and just give me a 169.254.x.x IP.

ww
Kind of a big deal

Do you have trunk ports between the firewall and the switches and to the AP?

 

Are you sure there is a DHCP scope for this subnet?

 

CMorinski
Conversationalist

My APs to the switch are set as trunk ports. My port from switch to firewall is Access. I did submit a ticket to my ISP to double check the firewall is correct.

 

ww
Kind of a big deal

That sounds like the problem. An access port transports only 1 VLAN (native). If you want to use more VLANs from the firewall you should have trunk ports transporting those VLANs.
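
An added example, not part of the original thread: a small Python model of access and trunk port behaviour that follows each SSID's VLAN from the AP to the switch uplink, using the uplink settings mentioned in this discussion. The AP-facing port settings (`AP_PORT`) and all names are assumptions for illustration; dropping tagged frames on an access port is a simplification of vendor behaviour.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Port:
    """Switch port: 'access' carries one untagged VLAN; 'trunk' carries the
    native VLAN untagged plus every VLAN in `allowed` with an 802.1Q tag."""
    mode: str
    native: int
    allowed: frozenset = frozenset()

    def carries(self, vlan):
        return vlan == self.native or (self.mode == "trunk" and vlan in self.allowed)

    def ingress(self, tag):
        """VLAN a received frame lands in (tag None = untagged), or None if dropped."""
        if tag is not None and self.mode == "access":
            return None  # simplification: access ports drop tagged frames
        vlan = self.native if tag is None else tag
        return vlan if self.carries(vlan) else None

    def egress(self, vlan):
        """How a frame in `vlan` leaves: 'untagged', 'tagged <id>' or 'dropped'."""
        if not self.carries(vlan):
            return "dropped"
        return "untagged" if vlan == self.native else f"tagged {vlan}"

def ssid_to_firewall(ssid_tag, ap_port, uplink):
    """Follow a bridge-mode SSID frame: AP -> switch AP port -> switch uplink."""
    vlan = ap_port.ingress(ssid_tag)
    return "dropped" if vlan is None else uplink.egress(vlan)

# Assumed AP-facing port (the thread only says it is a trunk).
AP_PORT = Port("trunk", native=1, allowed=frozenset({35, 1007}))
# Uplink as first described in the thread: access port, VLAN 35.
UPLINK_BEFORE = Port("access", native=35)
# Uplink as proposed in the thread: trunk, native 35, allowed 1007.
UPLINK_AFTER = Port("trunk", native=35, allowed=frozenset({1007}))

if __name__ == "__main__":
    for name, uplink in (("access 35", UPLINK_BEFORE), ("trunk 35/1007", UPLINK_AFTER)):
        for ssid, tag in (("internal", 35), ("guest", 1007)):
            result = ssid_to_firewall(tag, AP_PORT, uplink)
            print(f"{name:14} {ssid:9} VLAN {tag:<5} -> {result}")
```

A "dropped" result for VLAN 1007 means the guest client's DHCP request never leaves the switch toward the firewall, which is consistent with the 169.254.x.x address reported above.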

CMorinski
Conversationalist

I really appreciate the help on this! So would my native VLAN need to be 35 and allowed just need to be 1007?

VLAN35.png

Trunk.png

ww
Kind of a big deal

Yes, but maybe first configure it on an empty switch port and swap the cable to that port. In case it doesn't work you can easily go back.

CMorinski
Conversationalist

Almost had it. I was able to get the correct IP address but I had no internet. I got no internet on either my secure or guest SSID. Could the trunk port for the AP cause issues? They are not set for VLAN 35.

APPort.png

ww
Kind of a big deal

That looks fine. Maybe VLAN 35 is also tagged and native should be 1 on the uplink? But your previous config shows access port VLAN 35; that's confusing.

 

What management IP/subnet does your AP have?

CMorinski
Conversationalist

VLAN 1 is for my wired devices. My APs are pulling their IP from the wired DHCP pool.

 

0/1         10.236.68.1/22     Data
0/3         10.236.236.1/22    Internal Wireless    VLAN 35 Tagged
0/3.1007    10.236.94.0/23     Guest Wireless       VLAN 1007 Tagged
0/4         10.236.5.1/24      VOIP
0/5         10.236.81.1/24     DMZ                  (Not being used yet)
0/6         10.236.32.1/24     Bell & Intercom
0/7         Uplink

I think a good test might be to configure a port in access mode on each VLAN and test the connection with a laptop to validate that the connection to each VLAN is working as expected.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.