Meraki

Community

Bridged DHCP of geographically distinct MR devices onto the same VLAN by SSID

smann233
Here to help
‎May 22 2024 12:18 PM
‎May 22 2024 12:18 PM

Bridged DHCP of geographically distinct MR devices onto the same VLAN by SSID

Hey all, I'm hoping for some advice on how to handle getting bridged mode DHCP setup for a specific SSID. This will require some context:

 

A new requirement has just come from our security vendor to enable deep packet inspection on our external firewall. Any device that isn't reporting for the DPI by having their security certificate installed will be blocked from external internet traffic. This isn't a problem for our company devices, but we maintain a guest Wi-Fi at all locations for our customers and non-company devices of our employees. For this to keep working, I'll need to have an exception for the guest Wi-Fi's subnet made to the DPI policy. Up until this point, we've been using the Meraki AP assigned (NAT mode) function for DHCP for this SSID, but we cannot allow-list the whole 10.0.0.0/8. So I'm looking to switch this to bridged mode, create a VLAN for the guest SSID, and have our DHCP server handle it. 

Here's where I'm starting to run into issues:

I've started working at my company within the last year and inherited an existing setup. We've got a mid-teens number of different business offices, each one has MR APs that are connected to MS switches & MX security devices. All locations are connected by a layer 2 EPL circuit that points back to our HQ office. 
On the Meraki dashboard, each geographic location is listed as its own network. However, instead of the MRs being assigned to those networks, they've all been added to a single "Wireless" network so the SSIDs could all be managed together. (The MS switches they're plugged into are all assigned to the geographic location networks.) After adjusting the DHCP server and creating/assigning the VLAN, the only APs that worked correctly were those at the HQ office - same location as the DHCP server. All other sites weren't able to reach it. I tried switching to Tunneled mode and using a wireless concentrator at the HQ office to the same effect. Connectivity test with that said the other APs couldn't reach the appliance at HQ. I confirmed they are able to ping it, at least. 

 

Ultimately, I know I could break this wireless network up and put the APs back onto each geographical network, then create a VLAN and subnet for each site for this guest traffic. I'd prefer not to have to do that if possible. Does anyone have any thoughts on how I could use a single VLAN for this, passing the requests back to our HQ site? And if it is the tunneled concentrator option, anything I might be overlooking in the setup that's causing it to fail?

Labels:
0 Kudos
3 Replies 3
PhilipDAth
Kind of a big deal
Kind of a big deal
‎May 22 2024 12:31 PM
‎May 22 2024 12:31 PM

>we maintain a guest Wi-Fi at all locations for our customers and non-company devices of our employee

 

For clients I have operating in regulated sectors (such as finance, insurance and health care) I used a separate dedicated Internet circuit with a separate dedicated firewall for guest and staff mobile devices for each site (for any device in fact not company managed).  I tend to use low cost non-redundant Internet circuits because a loss of this service is just an annoyance rather than business critical - but it is up to each company how much they want to invest in this area.

 

I don't know if you are subject to regular security audits and penetration tests - but this is the cleanest way to address this use case.  The networks are then 100% layer 3 separated, running on seperate devices at layer 3.  You'll be surprised how fast a penetration tester (who wants the juicy bounty of compromising the internal network) gives up on this attack vector when they learn this.

 

I tend to get a weak push back initially from these kinds of customers, but they always come around to my approach as they can see how clean it is from a security perspective.

 

 

If the above is not palatable, you could consider using SSID tunneling.  This is where the SSID is tunneled (using AutoVPN) back to an MX appliance somewhere.  In your case, the tunnel would be over your EPL circuits.  Back at your HQ, you could create a new "guest DMZ" on the firewall, and put the MX into that.  Then tell the firewall not to do DPI on this DMZ.

https://documentation.meraki.com/MR/Client_Addressing_and_Bridging/SSID_Tunneling_and_Layer_3_Roamin...

 

 

Another option - many EPL services can transport multiple VLANs.  If your service can do this, you could just create an additional VLAN for guest traffic for each site, and simply run it over the existing EPL links.

smann233
Here to help
‎May 23 2024 6:35 AM
‎May 23 2024 6:35 AM

Thanks for the response! I definitely would like to move to full physical separation, but that's not in our budget. Hopefully I can get it added for our next annual. In the meantime, I'll look into the SSID tunneling and see if I can get it to work. Adding an MX appliance to act as a concentrator and manage it separately from the main network seems like a good idea. 

 

I see the MX64 is listed as recommended < 50 users. We usually maintain 50-70 connections on that SSID, but they're low traffic and typically short duration. Typically cell phones, personal devices, etc. Would the 64 have problems handling that kind of traffic? 

In response to smann233
PhilipDAth
Kind of a big deal
Kind of a big deal
‎May 23 2024 12:46 PM
‎May 23 2024 12:46 PM

Could you stretch to an MX67? It is only a little bit more expensive but much more powerful.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.