
How do I set Addressing and traffic to isolate endpoints and allow wireless printers/speakers?

SOLVED
Conversationalist


I have laptops, wireless printers, and wireless speakers on my network.

 

I want to isolate the laptops from each other, but I want them to be able to print and set the music on the speakers.

 

This works with Addressing and traffic on all SSIDs set to Bridge mode: Make clients part of the LAN.

 

The printers and speakers are on SSID MyCompany-Devices. Addressing and traffic on this SSID is set to Bridge mode: Make clients part of the LAN.

 

The laptops are on SSID MyCompany-Corp. Addressing and traffic on this SSID is set to Bridge mode: Make clients part of the LAN.

 

If I set Addressing and traffic on SSID MyCompany-Corp to NAT mode: Use Meraki DHCP, will the laptops still be able to access the printers and speakers on MyCompany-Devices?

 

How do I set Addressing and traffic to isolate endpoints and allow wireless printers/speakers?

1 ACCEPTED SOLUTION

Kind of a big deal

Re: How do I set Addressing and traffic to isolate endpoints and allow wireless printers/speakers?

I think I would use two SSIDs, one for client isolation and one for devices that are shared. I would stick to using bridge mode.

 

You can read about client isolation here:

https://documentation.meraki.com/MR/Firewall_and_Traffic_Shaping/Wireless_Client_Isolation

 

6 REPLIES
Kind of a big deal

Re: How do I set Addressing and traffic to isolate endpoints and allow wireless printers/speakers?

You can go to Wireless / "Firewall and Traffic shaping" to allow the printers/speakers to communicate with the network. Here is an example.

 

[Image: Capture.PNG]

Conversationalist

Re: How do I set Addressing and traffic to isolate endpoints and allow wireless printers/speakers?

@kYutobi thank you for the suggestion.

 

I tried a Layer 3 firewall rule with Allow Any Any Any. It didn't work. Based on conversations with support, comms from NAT clients will only work with wired devices as described here:

 

"but they may communicate with devices on the wired LAN if the SSID firewall settings permit." (emphasis mine)

Getting noticed

Re: How do I set Addressing and traffic to isolate endpoints and allow wireless printers/speakers?

@AlainODeaSB

Did you edit the firewall rules on the SSID? Wireless-> Firewall & Traffic Shaping
You need to make sure they are edited on the "MyCompany-Corp" SSID.

 

Do your printers and speakers need to be on the same subnet as the clients? Such as a Chromecast Audio.

 

If you do not want your clients talking with each other on the "MyCompany-Corp" SSID, consider the following:
https://documentation.meraki.com/MR/Firewall_and_Traffic_Shaping/Wireless_Client_Isolation
You would enable the SSID as Bridge Mode and enable the Layer 2 isolation.

Per the document:

"Any traffic bound for an address on the same VLAN as a device in client isolation will be denied. Traffic bound for other VLANs will be forwarded and routed normally."

 

Conversationalist

Re: How do I set Addressing and traffic to isolate endpoints and allow wireless printers/speakers?

The printer and speakers do not need to be on the same subnet, they just need to be reachable directly by their private IPs.

New here

Re: How do I set Addressing and traffic to isolate endpoints and allow wireless printers/speakers?

Should you be using the same VLAN on those SSIDs?
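The client isolation rule quoted in the thread, modelled as an added example (not part of any post and not Meraki code) to show why the VLAN placement of the two SSIDs matters. The subnets, IP addresses and client names are constructed, and the model covers only the forward/deny decision for the sending client, not routing or firewall rules between VLANs.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Ssid:
    name: str
    vlan_subnet: str        # subnet of the VLAN this bridge-mode SSID lands on
    client_isolation: bool  # Layer 2 client isolation enabled on the SSID

@dataclass(frozen=True)
class Client:
    name: str
    ip: str
    ssid: Ssid

def ap_forwards(src: Client, dst: Client) -> bool:
    """Quoted rule: an isolated client's traffic to an address on its own
    VLAN is denied; traffic to other VLANs is forwarded. Routing and
    firewalling between VLANs upstream are outside this model."""
    if not src.ssid.client_isolation:
        return True
    return ip_address(dst.ip) not in ip_network(src.ssid.vlan_subnet)

def build_clients(devices_subnet: str, printer_ip: str):
    """Constructed sample network: two laptops on Corp, one printer on Devices."""
    corp = Ssid("MyCompany-Corp", "10.0.10.0/24", client_isolation=True)
    devices = Ssid("MyCompany-Devices", devices_subnet, client_isolation=False)
    return [Client("laptop-a", "10.0.10.11", corp),
            Client("laptop-b", "10.0.10.12", corp),
            Client("printer", printer_ip, devices)]

def reachability(clients):
    """Return {(src, dst): forwarded?} for every ordered pair of clients."""
    return {(a.name, b.name): ap_forwards(a, b)
            for a in clients for b in clients if a is not b}

# Devices SSID on its own VLAN: laptops isolated from each other, printer reachable.
separate_vlans = reachability(build_clients("10.0.20.0/24", "10.0.20.50"))
# Both SSIDs on the same VLAN: isolation also cuts the laptops off from the printer.
shared_vlan = reachability(build_clients("10.0.10.0/24", "10.0.10.50"))

if __name__ == "__main__":
    for label, table in (("separate VLANs", separate_vlans), ("shared VLAN", shared_vlan)):
        print(label)
        for (src, dst), ok in sorted(table.items()):
            print(f"  {src:9} -> {dst:9} {'forwarded' if ok else 'denied'}")
```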
