Good morning everyone!
I hate for my first posting to this community (other than my intro) to be a problem that I'm working on, but it's something I could use some help with; particularly if Meraki may have a solution that doesn't require me to "over-engineer" my network too much.
I have 9 Meraki MR18 WAPs placed throughout my City Hall with SSIDs for "Staff" and "Public." My Staff SSID requires an AD-verified login for employees only, and the Public SSID is for anyone, with a Splash page acknowledgement. These WAPs are connected to a 4-switch stack of Catalyst 3650s (IDF) with their own VLAN. The IDF stack is connected to an MDF 48-port L3 Catalyst 3650, which is my core switch. The MDF switch is connected to a Firewall for outside access to the internet. Staff logins are assigned an IP from my DHCP server; Public logins are assigned IPs by the WAP. Staff logins are able to access the full scope of the city network and the internet. Public logins are only able to access the internet; this is done via IDF-to-MDF-to-FW - no deviation into the local LAN is permitted for Public.
My boss's desire, which I'm coming up with ideas for:
Keep all the WAPs as is, but run the traffic through a device that will separate the Staff and Public traffic. Run all the Staff traffic through the LAN, out the firewall to internet (or within the LAN for work and to access our Server Farm). Run the Public traffic on a separate physical line directly to a private-internet company modem that he had installed a few weeks ago.
Now I've been thinking on various ideas using an IDF switch to a separate ISR4321 and using VRF-Lite or some other types of experimentation with my configurations to split the traffic, using VLAN tagging on the WAP, etc.
Is there a Meraki switch, router, FW device that I could probably utilize that I could do this with?
Any ideas, suggestions, "out-of-the-box" thinking is welcome! Keep in mind, we are a "Cisco Shop" so all of my devices are Cisco and if possible, we prefer to stay that way. Understand, Meraki devices do "qualify" as a Cisco device to us.
Thank you everyone for your thoughts and suggestions!
Unfortunately, it isn't that simple... the MR18 WAP has only one Ethernet port, so you could L2 trunk it, but eventually you would have to put it through some type of routing in order to split off the two sets of traffic and keep them separated for the remainder.
I would like it if I could do that!
I would just create a new VLAN on the switches and then convert the Guest SSID to bridged mode and dump it to that VLAN. If the private Internet modem can't act as a router then obviously you'll need something there. You could go the cheap route and buy a D-Link at the local Best Buy, or grab a Meraki MX64 for a more complete solution depending on your needs.
As long as you don't create any SVIs on your switches for this VLAN you will have logical separation with no possibility of Guest traffic getting into your Corp network.
Edit: Which is what @ww said...
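The layout described in the reply above, written out as an added example Catalyst 3650 configuration (not posted by anyone in this thread, and not the original poster's running config). Everything in it is assumed: VLAN 10 stands in for the existing WAP/management VLAN, VLAN 20 is the new Guest VLAN, Gi1/0/5 is one MR18 uplink, Gi1/0/48 is the port wired to the private-internet modem, and Te1/1/1 is the IDF-to-MDF uplink. On the Meraki side the Guest SSID is switched to Bridge mode with VLAN tagging set to 20; the Staff SSID is left as it is.

```cisco
! Added example, not from the thread. Hypothetical VLAN numbers and port names.
! IDF Catalyst 3650 stack - the guest VLAN exists here as a pure L2 segment.
vlan 20
 name GUEST-WIFI
!
! AP uplink: AP management stays untagged on the existing WAP VLAN (10),
! guest clients arrive tagged on VLAN 20 from the bridged Guest SSID.
interface GigabitEthernet1/0/5
 description MR18 access point
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20
 spanning-tree portfast trunk
!
! Port wired to the private-internet modem: plain access port in the Guest
! VLAN. The modem (or a small router / MX64 in front of it) is the guests'
! default gateway and DHCP server, so the switches never route for them.
interface GigabitEthernet1/0/48
 description Guest ISP modem
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
! Uplink to the MDF core: prune VLAN 20 so guest frames never reach the L3
! core switch, the server farm or the corporate firewall.
interface TenGigabitEthernet1/1/1
 description Uplink to MDF core
 switchport mode trunk
 switchport trunk allowed vlan remove 20
!
! WEAK SETTING - never add this on any switch. An SVI turns the guest VLAN
! into a routed segment of the LAN and the logical separation is gone:
!   interface Vlan20
!    ip address 192.0.2.1 255.255.255.0
!
! Checks to run on every switch in the stack and on the MDF core:
!   show ip interface brief | include Vlan20      <- must return nothing
!   show vlan id 20                               <- only Gi1/0/5-style AP
!                                                    ports and Gi1/0/48 listed
!   show interfaces trunk                         <- 20 absent from the MDF
!                                                    uplink's allowed list
```

The two things that actually enforce the split are the absence of `interface Vlan20` and the pruned uplink; the rest is just plumbing. If the modem cannot route or hand out DHCP, the device that replaces it (the D-Link or MX64 mentioned above) sits on Gi1/0/48 in VLAN 20 and nothing else in the configuration changes.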