Best Practice for New Wireless Network

techsupportdor
Here to help

Best Practice for New Wireless Network

Hi All,

 

I'm just looking for views on the best way to deploy a new wireless network with regards network security.

 

Should you place all the access points in a management dmz so it is physically in an isolated location on your firewall?

Then use your firewalls security policies to allow say the Corporate SSIDs VLAN through onto the trusted network.

Then with a guest SSID, just allow that VLAN access to the internet.

 

Or do you use the builtin security on the Meraki APs and secure the network from the access point.

 

 

I have deployed Meraki APs before, but was told to put them in a DMZ as above, but that then has a performance impact as the traffic is inspected by the firewall.

 

Any suggestions on how you do it are welcome.

 

Thanks

4 Replies 4
BrechtSchamp
Kind of a big deal

There's multiple ways to do go about this.

 

For the corporate users, I'd just have a corp SSID that adds the correct VLAN tag to the incoming packets.

 

For the guests, either you create a guest VLAN, and go about it that way, similarly to the corp SSID. Or you create a Meraki DHCP SSID that isolates the guests from each other and limits them to access the internet, not the local LAN.

 

The advantage of the former is that you can define the policies for guests in the same firewall as your other policies. You'll also have more insight into what the clients are doing individually as they're not NATed by the AP.

 

The advantage of the latter is that your guests are using the same address range over and over in each access point so you don't have to worry about DHCP pools exhausting. Roaming, as a consequence, will be less seamless in this setup.

 

A bit like described here:

https://documentation.meraki.com/MR/WiFi_Basics_and_Best_Practices/Configuring_Simple_Guest_and_Inte...

techsupportdor
Here to help

Hi BrechtSchamp, thank you for your comments.

So installing the APs inside your firewall and using the Meraki DHCP is just as secure as installing the APs in your DMZ and using your firewall to secure the traffic.

I have used the Meraki DHCP before for guest SSIDs but it does sometimes conflict with Guest VPN connections due to conflicting network ranges.
BrechtSchamp
Kind of a big deal

Well, from a security perspective I'd rather have my firewall have full insight in what the endpoints are doing instead of it just seeing everything come from the access point. Just make sure your segmentation is done correctly end to end so your guest and corporate traffic is really separate.

 

The conflicting ranges is indeed something that sometimes occurs. Unfortunately, whichever solution you choose, sooner or later this will happen. It's a result of the fact that the RFC1918 ranges are free for anyone to be used as they please. Unfortunately the range used for Meraki DHCP is not configurable.

Nash
Kind of a big deal

Just wanted to add to everything else, Meraki specific:

 

Update your RF profiles to ensure 5GHz isn't using the default 80 MHz channel width. Personal preference is to create some default RF profiles with explicit names like "Indoor 2.4 GHz + 5GHz 40MHz Channels". 

 

If you use custom profiles, you can then use the API to check what profile is applied to what AP.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels