Single SSID and Vlans versus 1:1

Here to help

Just fooling around with my home network, and looking into whether it is possible to assign various devices to various VLANs based on MAC address by the use of only Meraki and Meraki SM. Anyone have any tips?

A second option is to assign access to VLANs based on SSID, but what is the preferred way to assign access when the client needs to access, say, a VLAN providing internet and a VLAN providing TV services/Apple TV/Android/Chromecast?

For Apple maybe Bonjour broadcast?

You might say that this is not needed for a home deployment, but I'm experimenting because a lot of techs say that you need ISE, ClearPass etc. alongside to provide the sec. and features needed in an ent. environment, but would it be possible with Meraki only to provide a secure SMB network?

Kind of a big deal

Re: Single SSID and Vlans versus 1:1

You can assign VLANs for wireless dynamically using Group Policies:

[Screenshot: Group policies configuration - Meraki Dashboard]

And Group Policies can be manually applied to users based on MAC addresses.

Don't think you can do it on the wired side without a RADIUS server.

You'll likely experience issues using services like Chromecast, Apple TV, Sonos etc. if they reside in a different VLAN than what your client is in. There are topics about this.

Getting noticed

Re: Single SSID and Vlans versus 1:1

As @BrechtSchamp mentioned, Group Policy is probably the best way. You can even add a client to a network by entering its MAC address in the dashboard, even if the client hasn't connected yet:

[Screenshot: Network-wide -> Clients]

This way you can have some clients on different VLANs but on the same SSID. You would probably set up ISE/RADIUS in an enterprise if you want to do this dynamically, e.g. based on group membership in Active Directory etc.

You could also allow traffic like AirPrint, AirPlay etc. by setting firewall rules in group policies.

 

HTH

Building a reputation

Re: Single SSID and Vlans versus 1:1

Not only Apple devices use Bonjour.
Most Windows clients also run the Bonjour service to discover mDNS services on the local LAN.

If you're running mDNS services (like printers or video stuff) you can easily detect that by running a packet capture and looking for link-local multicast 224.0.0.0/24, and it would actually say mDNS.

If that happens you can very easily forward those messages to the user VLANs by enabling this feature.
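
The packet-capture check described in the reply above, as an added example that is not part of the original thread: a small Python parser that lists the DNS-SD service types named in captured mDNS payloads (UDP port 5353, group 224.0.0.251), which are the services that would need forwarding between VLANs. The sample payloads are constructed, and the function names are assumptions.

```python
import struct

PTR = 12  # DNS record type used by DNS-SD service browsing

def read_name(msg, off):
    """Decode a DNS name at off, following compression pointers."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # 2-byte compression pointer
            end = off + 2 if end is None else end
            off = ((length & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:                    # malformed capture: pointer loop
                raise ValueError("compression loop")
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (off if end is None else end)
        labels.append(msg[off:off + length].decode("utf-8", "replace"))
        off += length

def mdns_service_types(payload):
    """Return the DNS-SD service types named in one mDNS UDP payload."""
    found = set()
    try:
        qd, an, ns, ar = struct.unpack_from("!4H", payload, 4)
        off = 12
        for i in range(qd + an + ns + ar):
            name, off = read_name(payload, off)
            rtype, _rclass = struct.unpack_from("!2H", payload, off)
            off += 4
            if i >= qd:                      # records add TTL, RDLENGTH, RDATA
                _ttl, rdlen = struct.unpack_from("!IH", payload, off)
                off += 6 + rdlen
            if rtype == PTR and name.startswith("_"):
                found.add(name)
    except (IndexError, struct.error, ValueError):
        pass                                 # truncated packet: keep what parsed
    return found

# Constructed sample payloads (not from a real capture).
QUERY = (b"\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00"
         b"\x0b_googlecast\x04_tcp\x05local\x00\x00\x0c\x00\x01")
RESPONSE = (b"\x00\x00\x84\x00\x00\x00\x00\x02\x00\x00\x00\x00"
            b"\x08_airplay\x04_tcp\x05local\x00"
            b"\x00\x0c\x00\x01\x00\x00\x11\x94\x00\x0e\x0bLiving Room\xc0\x0c"
            b"\x05_raop\xc0\x15"
            b"\x00\x0c\x00\x01\x00\x00\x11\x94\x00\x0e\x0bLiving Room\xc0\x39")

if __name__ == "__main__":
    for pkt in (QUERY, RESPONSE):
        print(sorted(mdns_service_types(pkt)))
```

Feed it the UDP payload of each port 5353 packet from a capture; the resulting set shows which service types are actually in use on the segment.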

Building a reputation

Re: Single SSID and Vlans versus 1:1

You won't get Chromecast discovery (or things like TiVo that use "Googlecast") between subnets without using something along the lines of Avahi.

Once you 'discover the devices' things are fine.

I have a Raspberry Pi providing that capability at home (if I don't have control over the behaviour of a device it goes onto the Home Appliance network, and this is where Chromecasts, TiVos etc. live).

Here to help

Re: Single SSID and Vlans versus 1:1

Well, group policy and MAC won't work since the users are on different systems at any given time.

I ended up using JumpCloud and setting attributes to users at this point. Since my intention was to schedule service availability to users and not systems, this was the best way.
