How do I set Addressing and traffic to isolate endpoints and allow wireless printers/speakers?

Solved
AlainODeaSB
Conversationalist

I have laptops, wireless printers, and wireless speakers on my network.

I want to isolate the laptops from each other, but I want them to be able to print and set the music on the speakers.

This works with Addressing and traffic on all SSIDs set to Bridge mode: Make clients part of the LAN.

The printers and speakers are on SSID MyCompany-Devices. Addressing and traffic on this SSID is set to Bridge mode: Make clients part of the LAN.

The laptops are on SSID MyCompany-Corp. Addressing and traffic on this SSID is set to Bridge mode: Make clients part of the LAN.

If I set Addressing and traffic on SSID MyCompany-Corp to NAT mode: Use Meraki DHCP, will the laptops still be able to access the printers and speakers on MyCompany-Devices?

How do I set Addressing and traffic to isolate endpoints and allow wireless printers/speakers?

1 Accepted Solution
PhilipDAth
Kind of a big deal

I think I would use two SSIDs, one for client isolation and one for devices that are shared. I would stick to using bridge mode.

You can read about client isolation here:

https://documentation.meraki.com/MR/Firewall_and_Traffic_Shaping/Wireless_Client_Isolation

kYutobi
Kind of a big deal

You can go to Wireless / "Firewall and Traffic shaping" to allow the printers/speakers to communicate with the network. Here is an example.

[Screenshot: Capture.PNG]

AlainODeaSB
Conversationalist

@kYutobi thank you for the suggestion.

I tried a Layer 3 firewall rule with Allow Any Any Any. It didn't work. Based on conversations with support, comms from NAT clients will only work with wired devices as described here:

"but they may communicate with devices on the wired LAN if the SSID firewall settings permit." (emphasis mine)

RubenG
Getting noticed

@AlainODeaSB

Did you edit the firewall rules on the SSID? Wireless -> Firewall & Traffic Shaping
You need to make sure they are edited on the "MyCompany-Corp" SSID.

Do your printers and speakers need to be on the same subnet as the clients? Such as a Chromecast Audio.

If you do not want your clients talking with each other on the "MyCompany-Corp", consider the following:
https://documentation.meraki.com/MR/Firewall_and_Traffic_Shaping/Wireless_Client_Isolation
You would enable the SSID as Bridge Mode and enable the Layer 2 isolation.

Per the document:

"Any traffic bound for an address on the same VLAN as a device in client isolation will be denied. Traffic bound for other VLANs will be forwarded and routed normally."

AlainODeaSB
Conversationalist

The printer and speakers do not need to be on the same subnet, they just need to be reachable directly by their private IPs.
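
Added example, not written by any poster or by Meraki: a simplified Python model of the two rules quoted earlier in this thread (the client isolation rule from the documentation and the support statement about NAT-mode clients), used to check which SSID layouts let isolated laptops still reach the printers. The names `Ssid`, `Endpoint` and `can_reach` and the VLAN IDs 10 and 20 are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Ssid:
    name: str
    mode: str                   # "bridge" or "nat" (Addressing and traffic)
    vlan: Optional[int] = None  # VLAN a bridge-mode SSID places clients in
    l2_isolation: bool = False  # wireless client isolation (bridge mode)


@dataclass(frozen=True)
class Endpoint:
    name: str
    vlan: int
    wired: bool = False


def can_reach(src: Ssid, dst: Endpoint) -> Tuple[bool, str]:
    """Decide whether a client on SSID `src` can open a connection to `dst`."""
    if src.mode == "nat":
        # Support statement quoted in the thread: NAT clients may reach
        # wired LAN devices only, and only if the SSID firewall permits it.
        if dst.wired:
            return True, "wired LAN device (subject to SSID firewall rules)"
        return False, "NAT-mode clients cannot reach other wireless clients"
    if src.l2_isolation and dst.vlan == src.vlan:
        # Quoted doc rule: same-VLAN destinations are denied under isolation.
        return False, "client isolation denies same-VLAN destinations"
    if dst.vlan != src.vlan:
        return True, "different VLAN: forwarded and routed normally"
    return True, "same VLAN, no isolation"


# Constructed sample topology; VLAN IDs 10 and 20 are placeholders.
CORP_ISOLATED = Ssid("MyCompany-Corp", "bridge", vlan=10, l2_isolation=True)
CORP_NAT = Ssid("MyCompany-Corp", "nat")
LAPTOP = Endpoint("laptop-b", vlan=10)
PRINTER_SAME_VLAN = Endpoint("printer", vlan=10)
PRINTER_OWN_VLAN = Endpoint("printer", vlan=20)

if __name__ == "__main__":
    for ssid, dst in [(CORP_ISOLATED, LAPTOP), (CORP_ISOLATED, PRINTER_SAME_VLAN),
                      (CORP_ISOLATED, PRINTER_OWN_VLAN), (CORP_NAT, PRINTER_OWN_VLAN)]:
        ok, why = can_reach(ssid, dst)
        print(f"{ssid.name}/{ssid.mode} -> {dst.name} (VLAN {dst.vlan}): "
              f"{'allow' if ok else 'deny'} ({why})")
```

The inter-VLAN case still depends on the upstream router or firewall permitting traffic between the two VLANs.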

kimhenriksen
New here

Should you be using the same VLAN on those SSIDs?
