Single SSID and Vlans versus 1:1

Kenneth

Just fooling around with my home network, and looking into whether it is possible to assign various devices to various VLANs based on MAC address by the use of only Meraki and Meraki SM. Anyone have any tips?

A second option is to assign access to VLANs based on SSID, but what is the preferred way to assign access when the client needs to access, say, a VLAN providing internet and a VLAN providing TV services/Apple TV/Android/Chromecast?

For Apple, maybe Bonjour broadcast?

You might say that this is not needed for a home deployment, but I'm experimenting because a lot of techs say that you need ISE, ClearPass etc. alongside to provide the security and features needed in an enterprise environment. But would it be possible with Meraki only to provide a secure SMB network?

BrechtSchamp

You can assign VLANs for wireless dynamically using Group Policies:

[Screenshot: Group policies configuration - Meraki Dashboard]

And Group Policies can be manually applied to users based on MAC addresses.

 

Don't think you can do it on the wired side without RADIUS server.

 

You'll likely experience issues using services like chromecast, apple tv, sonos etc. if they reside in a different VLAN than what your client is in. There are topics about this.

hoempf

As @BrechtSchamp mentioned, Group Policy is probably the best way. You can even add a client to a network by entering its MAC address in the dashboard, even if the client hasn't connected yet:

Network-wide -> Clients

This way you can have some clients on different VLANs but on the same SSID. You would probably set up ISE/RADIUS in an enterprise if you want to do this dynamically, e.g. based on group membership in Active Directory etc.

You could also allow traffic like AirPrint, AirPlay etc. by setting firewall rules in group policies.

 

HTH

GIdenJoe

Not only Apple devices use Bonjour.
Most Windows clients also run the Bonjour service to discover mDNS services on the local LAN.

If you're running mDNS services (like printers or video stuff), you can easily detect that by running a packet capture and looking for link-local multicast in 224.0.0.0/24; it would actually say mDNS.

If that happens you can very easily forward those messages to the user VLANs by enabling this feature.

cta102

You won't get Chromecast discovery (or things like TiVo that use "Googlecast") between subnets without using something along the lines of Avahi.

Once you 'discover the devices', things are fine.

I have a Raspberry Pi providing that capability at home (if I don't have control over the behaviour of a device, it goes onto the Home Appliance network, and this is where Chromecasts, TiVos etc. live).

Kenneth

Well, group policy and MAC won't work since the users are on different systems at any given time.

I ended up using JumpCloud and setting attributes on users at this point. Since my intention was to schedule service availability to users and not systems, this was the best way.
