Using Meraki DHCP (NAT Mode)

SOLVED
KR7766

Hello Meraki Community!

I'm researching the possibility of using Meraki DHCP (NAT Mode) to provide client addressing for a new "Guest Wireless" SSID, and wondering if I could make it work (securely) in an environment where the guest traffic needs to be completely isolated from management traffic and traffic on other SSIDs.

Based on what I've read, VLAN tagging is not allowed in NAT Mode, so my assumption is if I use NAT Mode for guest wireless, that traffic will end up on the native VLAN (which is currently my management VLAN). Using the native VLAN for guest traffic does not sound secure to me, so I'm wondering if it's even possible to completely isolate traffic on an SSID that uses NAT Mode. 

1 ACCEPTED SOLUTION
Robthesoundguy

While it's not as robust as VLANs with ACLs at the switch level, there is a setting that will prevent wireless clients from accessing the LAN: Wireless -> Configure -> Firewall & Traffic Shaping.

From there, choose your SSID on the drop-down. Under the heading of Block IPs and ports, you'll be able to change the layer 3 firewall rule policy to deny for access to local LAN.
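
An offline check for the setting described in the accepted answer, added here as an example and not part of the original post: it flags enabled NAT-mode SSIDs whose layer 3 rule for the local LAN is not set to deny. The sample data is constructed, and the field names (`ipAssignmentMode`, `destCidr` of `Local LAN`) are assumptions modelled on Meraki Dashboard API responses.

```python
# Added example: constructed data modelled on Meraki Dashboard API responses.
# Field names and values are assumptions; verify them against your API version.

def rule(policy, dest, comment):
    """Build one layer 3 firewall rule entry in the assumed response shape."""
    return {"comment": comment, "policy": policy, "protocol": "Any",
            "destPort": "Any", "destCidr": dest}

DEFAULT_ALLOW = rule("allow", "Any", "Default rule")

SAMPLE_SSIDS = [  # constructed
    {"number": 0, "name": "Corp", "enabled": True, "ipAssignmentMode": "Bridge mode"},
    {"number": 1, "name": "Guest Wireless", "enabled": True, "ipAssignmentMode": "NAT mode"},
    {"number": 2, "name": "Guest Lab", "enabled": True, "ipAssignmentMode": "NAT mode"},
    {"number": 3, "name": "Unused", "enabled": False, "ipAssignmentMode": "NAT mode"},
]

SAMPLE_L3_RULES = {  # constructed, keyed by SSID number
    1: [rule("deny", "Local LAN", "Wireless clients accessing LAN"), DEFAULT_ALLOW],
    2: [rule("allow", "Local LAN", "Wireless clients accessing LAN"), DEFAULT_ALLOW],
}

def local_lan_policy(rules):
    """Return the policy of the first 'Local LAN' rule, or None if there is none."""
    for r in rules:
        if r.get("destCidr", "").strip().lower() == "local lan":
            return r.get("policy", "").lower()
    return None

def audit_nat_ssids(ssids, rules_by_ssid):
    """List (ssid name, state) for enabled NAT-mode SSIDs not denying local LAN."""
    findings = []
    for ssid in ssids:
        if not ssid.get("enabled") or ssid.get("ipAssignmentMode") != "NAT mode":
            continue  # disabled or non-NAT SSIDs are out of scope for this check
        policy = local_lan_policy(rules_by_ssid.get(ssid["number"], []))
        if policy != "deny":
            findings.append((ssid["name"], policy or "no Local LAN rule found"))
    return findings

if __name__ == "__main__":
    for name, state in audit_nat_ssids(SAMPLE_SSIDS, SAMPLE_L3_RULES):
        print(f"[!] {name}: local LAN policy is {state}")
```
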

4 REPLIES 4

@Robthesoundguy. Thank you for explaining how to do this using the firewall functionality in the AP. This sounds like the best option without significant changes to the existing network configuration. 


KarstenI

You can move your management-traffic to an alternate Management-VLAN and let the guest traffic flow native. On the switch port the native traffic gets tagged as needed:

https://documentation.meraki.com/MR/Other_Topics/Alternate_Management_Interface_on_MR_Devices

Only downside is that Dashboard-traffic is still mixed with guest-traffic.

Thanks @KarstenI. I appreciate the information and link you provided!
