NAT vs Bridged mode, How does it work?

Solved
TimBisel
Getting noticed


Loaded question, and if anyone has links to information I can reference, I will take it.

My company is currently using Meraki equipment, but with default configurations. I need to prove the usefulness of proper configuration to be permitted to configure them.

For the wireless, I am having a hard time justifying the change from everything on one VLAN (Bridge mode for internal and NAT mode for Guest) to Bridge mode for both with separate VLANs. My understanding is that all the Guest and Internal data will go over the same VLAN and will only be separated inside that network via NAT, so all the data, with the exception of the correct IPs, could still be captured. Our Guest Wi-Fi is mainly used by employees who bring phones or tablets to work and want an internet connection.

Currently the APs are plugged into an access port on VLAN 1. I want a trunk port carrying the production and Guest VLANs, with the Management VLAN as native.

Are they right and I am overthinking it? It just seems physical separation is better than relying on NAT.

1 Accepted Solution
PhilipDAth
Kind of a big deal

Bridging gives you the best roaming experience.  NAT mode can often force a disconnect, as the IP you get off one AP may not be used on another.

 

I would be using bridging for both SSIDs if you have multiple APs.


2 Replies

Fady
Meraki Employee

Hi Tim

Let me first explain how NAT works with APs, and then I will cover best practice for Guest and Corp traffic on wireless.

If you set one SSID to NAT mode, the users will get an IP within the 10.0.0.0/8 range, generated by the access point itself. These IPs get NATted out behind the AP management IP and then follow the routing table of the network.

When you configure the SSID in Bridge mode, all Layer 3 decisions are made by the device upstream of the AP.

To separate or isolate the Guest traffic, you will need to apply access lists or firewall rules on the upstream devices to prevent the management IP of the AP from talking to the other subnets, which can be tricky if you don't manage the routers or firewalls.

The best option to isolate the Guest traffic is to use an MX at your DMZ or gateway and tunnel the guest SSID, so the traffic is encrypted all the way from the access point to the MX and then breaks out from there. You can install a centralized MX, have all the Guest traffic tunnelled to that box, and break out to the internet from there.

Please check this document for more information.

https://documentation.meraki.com/MR/Client_Addressing_and_Bridging/SSID_Tunneling_and_Layer_3_Roamin...
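The NAT-mode behaviour Fady describes (guest clients addressed from 10.0.0.0/8 by the AP itself and NATted behind the AP's management IP) and PhilipDAth's roaming point can be modelled to show why an upstream rule keyed on the guest VLAN or subnet isolates a Bridge-mode guest SSID but not a NAT-mode one. The Python script below is an added example written for this page; it is not Meraki code, and the VLAN IDs, subnets, AP addresses and ACL rules in it are constructed for illustration only.

```python
"""
Model of what the switch/firewall upstream of a Meraki-style AP sees from a
guest client in NAT mode versus Bridge mode, and which ACL rules isolate it.
Added example for the thread above, not Meraki code; all addressing is made up.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional

# Constructed addressing for this example (not from the original thread).
MGMT_VLAN, PROD_VLAN, GUEST_VLAN = 1, 20, 50
PRODUCTION = ip_network("10.20.0.0/16")      # internal servers and clients
GUEST_NET = ip_network("192.168.50.0/24")    # guest VLAN subnet (Bridge mode)


@dataclass(frozen=True)
class Frame:
    """What the device upstream of the AP actually sees on the wire."""
    src: IPv4Address
    dst: IPv4Address
    vlan: int


@dataclass
class AccessPoint:
    mgmt_ip: IPv4Address
    nat_pool: IPv4Network = ip_network("10.0.0.0/8")  # per-AP pool, as Fady says
    leases: set = field(default_factory=set)
    _next: int = 10

    def nat_dhcp(self) -> IPv4Address:
        """NAT mode: the AP itself issues a private address and tracks it locally."""
        addr = self.nat_pool[self._next]
        self._next += 1
        self.leases.add(addr)
        return addr

    def forward(self, client_ip: IPv4Address, dst: IPv4Address, mode: str) -> Frame:
        if mode == "nat":
            # Source is rewritten to the AP management IP and the frame leaves on
            # the management VLAN: upstream cannot tell guest traffic from AP traffic.
            return Frame(self.mgmt_ip, dst, MGMT_VLAN)
        if mode == "bridge":
            # Client keeps its own address; the SSID's VLAN tag is applied.
            return Frame(client_ip, dst, GUEST_VLAN)
        raise ValueError(f"unknown mode {mode!r}")


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network
    vlan: Optional[int] = None  # None matches any VLAN


def evaluate(rules: List[Rule], f: Frame) -> str:
    """First-match ACL with an implicit permit, i.e. the default-config case."""
    for r in rules:
        if f.src in r.src and f.dst in r.dst and r.vlan in (None, f.vlan):
            return r.action
    return "permit"


def guest_can_reach_production(mode: str, rules: List[Rule]) -> bool:
    """One guest client (constructed) trying to reach a production host."""
    ap = AccessPoint(ip_address("10.10.1.5"))
    client = ap.nat_dhcp() if mode == "nat" else ip_address("192.168.50.20")
    frame = ap.forward(client, ip_address("10.20.7.30"), mode)
    return evaluate(rules, frame) == "permit"


def roam_keeps_session(mode: str) -> bool:
    """PhilipDAth's point: a NAT-mode address is only known to the AP that issued it."""
    ap1 = AccessPoint(ip_address("10.10.1.5"))
    ap2 = AccessPoint(ip_address("10.10.1.6"))
    if mode == "nat":
        client = ap1.nat_dhcp()
        return client in ap2.leases          # ap2 holds no state for this client
    client = ip_address("192.168.50.20")     # lease from upstream DHCP on VLAN 50
    return client in GUEST_NET               # valid behind any AP bridging that VLAN


# A rule keyed on the guest VLAN/subnet: enough in Bridge mode.
SUBNET_RULES = [Rule("deny", GUEST_NET, PRODUCTION, vlan=GUEST_VLAN)]
# In NAT mode the upstream device must instead block the AP management IP from
# the internal subnets, the rule Fady describes having to place on upstream gear.
NAT_RULES = SUBNET_RULES + [Rule("deny", ip_network("10.10.1.5/32"), PRODUCTION)]

if __name__ == "__main__":
    for mode, rules in (("bridge", SUBNET_RULES), ("nat", SUBNET_RULES), ("nat", NAT_RULES)):
        print(f"{mode:6} {len(rules)} rule(s): guest reaches production ->",
              guest_can_reach_production(mode, rules))
    print("roam keeps session: bridge", roam_keeps_session("bridge"),
          "/ nat", roam_keeps_session("nat"))
```

Run it as-is. In Bridge mode the single deny on the guest VLAN stops the flow; in NAT mode the same flow arrives as the AP's management IP on the management VLAN and passes until a rule naming that IP is added, which is the rule that has to live on routers or firewalls you may not control. The roaming check shows the second AP has no record of the address the first one handed out in NAT mode.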