Building segregated VLAN for Guest wifi
Hello all,
We have 3 SSIDs right now. SSID#1 is for our internal network, which is set up with our LAN network. SSID#2 is for our employees to have internet on their personal devices, and SSID#3 is Test.
Now we are trying to set up a new SSID by segregating the new VLAN, but before that we have to present the concept to our team as well.
Can you help me with the best possible ways to implement this new setup, please?
From my point of view this can be done by the firewall policy only.
Any ideas?
Thanks in advance
"Configuring Simple Guest and Internal Wireless Networks" is a good place to start.
You can just create an SSID and use Meraki DHCP, which separates everything from your internal network? If you're just trying to have segregation, it would be the simplest and fastest way to set it up. You can try it on your "Test" SSID and see how it works.
Which is what we are doing, seems a good way to keep separation of church and state.
Make sure you set the SSID firewall so that the guest wifi doesn't have access to your normal network. It can be easy to miss, even if you're following that doc.
As @Nash stated just check your "firewall and traffic shaping" rules for wifi and make sure this is set to Deny.
Pretty straightforward me thought.
You can do the above as everyone has stated. Set the Wireless SSID to Meraki DHCP and create the SSID that way. Meraki will do all the work for you and assign a subnet for the guests; you will not have any input as to what subnet you can use, except that it will be in the Class A subnet of 10.0.0.0/8. This will not allow any communication within the members of this VLAN, but they will be allowed to talk to anything on your wired LAN if you permit it. You can go into the SSID Firewall settings and edit its access as you require. Note that if you require the clients to have access to things such as a Chromecast or Apple TV for presentations, this will probably not be a route for you.
If you want more control then it will be a bit more work on your end. You can create the VLAN and restrict any local LAN access, or allow it, depending on your firewall settings. Utilizing this method will allow you to choose a more specific VLAN and add other devices to that VLAN that your Guests will require access to.
Here's an example to block a particular VLAN (this allows access within the VLAN but not to my local network):
Furthermore, if you need to change the access of the wireless clients by denying specific content per your company policy, you can do that on a per-SSID basis under "Firewall & traffic shaping" in the Wireless section, and it will work on that Guests SSID without affecting the rest of your network. If you do it on the "Security & SD-WAN" it will apply to your entire network traffic, not on a per-SSID basis.
Basically, if you require more control and have to implement other devices into the Guest VLAN, then I would recommend creating a VLAN for this Guest Network and applying all firewall rules to segregate the traffic.
Otherwise, if you just require them to be on a segregated network without impacting your local network, go with the Meraki DHCP option. It's easy and simple to deploy and you can tie in additional layer 7 rules.
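
Added example, not part of any post in this thread: a Python check that walks an ordered firewall rule list and reports every internal range a guest subnet can still reach, which is the gap the replies above warn is easy to miss. The rule format, the subnets, and the first-match / default-allow evaluation model are assumptions constructed for illustration; this is not a Meraki export format or API.

```python
import ipaddress as ip

def subtract(net, dst):
    """Parts of `net` left after removing `dst` (CIDR overlaps are always nested)."""
    return [] if dst.supernet_of(net) else list(net.address_exclude(dst))

def leaks(rules, guest, internal, default="allow"):
    """List (range, reason) for each internal range the guest subnet can reach.

    Assumed model: rules run top-down, first match wins, `default` applies
    when nothing matches. Adjust to your device's actual behaviour.
    """
    guest, found = ip.ip_network(guest), []
    for target in map(ip.ip_network, internal):
        remaining = [target]  # part of the target no rule has decided yet
        for n, rule in enumerate(rules, 1):
            src, dst = ip.ip_network(rule["src"]), ip.ip_network(rule["dst"])
            if not src.overlaps(guest):
                continue
            undecided = []
            for net in remaining:
                if not dst.overlaps(net):
                    undecided.append(net)
                elif rule["policy"] == "allow":
                    hit = net if dst.supernet_of(net) else dst
                    found.append((str(hit), f"rule {n} allows"))
                    undecided += subtract(net, dst)
                elif src.supernet_of(guest):
                    undecided += subtract(net, dst)
                else:  # deny covers only part of the guest subnet: not enough
                    undecided.append(net)
            remaining = undecided
        if remaining and default == "allow":
            found.append((str(target), "falls through to default allow"))
    return found

GUEST = "192.168.50.0/24"                      # constructed guest VLAN subnet
INTERNAL = ["192.168.1.0/24", "10.10.0.0/16"]  # constructed internal ranges
SEGREGATED = [
    {"policy": "allow", "src": GUEST, "dst": GUEST},           # intra-VLAN only
    {"policy": "deny", "src": GUEST, "dst": "10.0.0.0/8"},
    {"policy": "deny", "src": GUEST, "dst": "172.16.0.0/12"},
    {"policy": "deny", "src": GUEST, "dst": "192.168.0.0/16"},
]
LEAKY = [
    {"policy": "allow", "src": GUEST, "dst": "10.10.5.0/24"},  # presentation devices
    {"policy": "deny", "src": GUEST, "dst": "192.168.0.0/16"},
]

if __name__ == "__main__":
    for name, rules in (("segregated", SEGREGATED), ("leaky", LEAKY)):
        print(name, leaks(rules, GUEST, INTERNAL) or "no path to internal ranges")
```

Running the same check after every rule change catches the case where an allow added for a shared device quietly reopens a path into the LAN.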
