Loaded Question and if anyone has links to information I can reference I will take it.
My company is currently using Meraki Equipment, but at default configurations. I need to prove the usefulness of proper configuration to be permitted to configure them.
On the wireless side, I am having a hard time justifying the change from everything on one VLAN (bridge for internal and NAT mode for Guest) to bridge for both with separate VLANs. My understanding is that all the Guest and Internal data will go over the same VLAN but will only be separated inside that network via NAT, so all the data, with the exception of the correct IPs, could still be captured. Our Guest Wi-Fi is mainly used by employees who bring phones or tablets to work and want an internet connection.
Currently the APs are plugged into an access port on VLAN 1. I want a trunk port carrying the production and Guest VLANs, with the Management VLAN as native.
Are they right and am I overthinking it? It just seems that physical separation is better than relying on NAT.
Let me first explain how NAT works with the APs, and then cover best practice for Guest and Corp traffic on wireless.
If you set one SSID to NAT mode, the users will get an IP within the 10.0.0.0/8 range, generated by the access point itself. These IPs will be NATed out behind the AP management IP and then follow the routing table of the network.
When you configure the SSID in Bridge mode, all Layer 3 decisions will be made by the device upstream of the AP.
To separate or isolate the Guest traffic, you will need to apply access lists or firewall rules on the upstream devices to stop the management IP of the AP from talking to the other subnets, which can be tricky if you don't manage the routers or firewalls.
The best option to isolate the Guest traffic is to use an MX at your DMZ or gateway and tunnel the guest SSID, so the traffic is encrypted all the way from the access point to the MX and then breaks out from there. You can install a centralized MX, have all the Guest traffic tunnelled to that box, and break out to the internet from there.
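As an added example (not code from this thread or from Meraki), here is a small audit script for the design points raised above: it flags a guest SSID in NAT mode, bridged SSIDs that are untagged or share one VLAN, and AP uplinks that are not a trunk with the management VLAN as native. The field names are assumed to mirror the Meraki Dashboard API v1 SSID and switch-port objects, and the records are constructed sample data.

```python
# Audit Meraki-style SSID and AP-uplink records for the points raised in the
# thread: a guest SSID in NAT mode (exits with the AP management IP), bridged
# SSIDs left untagged or sharing one VLAN, and APs on an access port in VLAN 1
# instead of a trunk with the management VLAN as native. Field names follow the
# Meraki Dashboard API v1 objects (assumption: verify). Records are constructed.

MGMT_VLAN, CORP_VLAN, GUEST_VLAN = 10, 20, 30

BEFORE_SSIDS = [  # constructed "current" state described in the question
    {"name": "Corp", "ipAssignmentMode": "Bridge mode", "useVlanTagging": False, "defaultVlanId": None},
    {"name": "Guest", "ipAssignmentMode": "NAT mode", "useVlanTagging": False, "defaultVlanId": None},
]
BEFORE_PORTS = [{"name": "AP-1", "type": "access", "vlan": 1, "allowedVlans": "all"}]

def vlan_set(spec):
    """Expand an allowedVlans string such as '10,20-30' into a set of VLAN ids."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def audit_ssids(ssids):
    """One finding per SSID that is not bridged onto its own tagged VLAN."""
    findings, by_vlan = [], {}
    for s in ssids:
        if s["ipAssignmentMode"] == "NAT mode":
            findings.append(f'{s["name"]}: NAT mode, clients exit with the AP management IP')
        elif not s["useVlanTagging"] or s["defaultVlanId"] is None:
            findings.append(f'{s["name"]}: bridged but untagged, lands in the uplink port VLAN')
        else:
            by_vlan.setdefault(s["defaultVlanId"], []).append(s["name"])
    findings += [f"VLAN {v}: shared by {', '.join(n)}" for v, n in by_vlan.items() if len(n) > 1]
    return findings

def audit_ap_ports(ports, mgmt_vlan=MGMT_VLAN, tagged=(CORP_VLAN, GUEST_VLAN)):
    """One finding per AP uplink that is not a trunk, mgmt-native, carrying the SSID VLANs."""
    findings = []
    for p in ports:
        if p["type"] != "trunk":
            findings.append(f'{p["name"]}: access port in VLAN {p["vlan"]}, cannot carry tagged SSIDs')
        elif p["vlan"] != mgmt_vlan:
            findings.append(f'{p["name"]}: native VLAN {p["vlan"]} is not management VLAN {mgmt_vlan}')
        elif p["allowedVlans"] != "all" and not set(tagged) <= vlan_set(p["allowedVlans"]):
            findings.append(f'{p["name"]}: trunk does not allow all SSID VLANs {tagged}')
    return findings

if __name__ == "__main__":
    for f in audit_ssids(BEFORE_SSIDS) + audit_ap_ports(BEFORE_PORTS):
        print("FINDING:", f)
```

Run against the "after" state (both SSIDs in Bridge mode with their own VLAN tag, AP port a trunk with native 10 and 20 and 30 allowed) the script returns no findings.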