Isolation mode (NAT with Meraki DHCP)

Flamer
Here to help

Isolation mode (NAT with Meraki DHCP)

Hi all,

 

I know this topic has been kicked around a few times already, but it seems there is no acceptable solution.

 

Generally we create 3 SSIDs - GUEST, BYOD, CORP. Guest and byod we want clients isolated and corp we want discover-able. But this seems not possible on Meraki.

 

I have a setup here where 3 device son the same network need to communicate with each other, the workaround I had to use was crate a new SSID and put one device in that which allowed me to get communication between two of the hosts working, but that is obviously not scalabale. 

 

I am wondering how corporates are dealing with devices like wireless printers, handheld scanners and P2P Skype calls?  Is there any other way to achieve this that I am not aware of, and if not is it on the road map?

8 Replies 8
NolanHerring
Kind of a big deal

NAT MODE isn't designed for enterprise environments. It's for coffee shop type setups.
You want to use bridge-mode with VLANs
Nolan Herring | nolanwifi.com
TwitterLinkedIn
Flamer
Here to help

I see thank you.

 

So would I be right in assuming, the MX cannot act as a DHCP server in bridge mode and a dedicated server would be required?

NolanHerring
Kind of a big deal

If you have an MX it can very much so become a DHCP server without any issues. That is the preferred design option, use the MX or L3 MS as your DHCP/gateway for the VLANs you create, and your SSID will tie into the VLAN via bridge-mode.
Nolan Herring | nolanwifi.com
TwitterLinkedIn
Flamer
Here to help

Ok sounds like a better approach, will give it a try.

 

thanks

 

Agus
Getting noticed

i think this better using vlan for separate other network, as i use i create vlan for production network, and let meraki dhcp use for guest and block unecessery network to network with firewall.

 

cmiw

 

thanks

Felippe
Getting noticed

for guest i use meraki DHCP with Facebook login which i think it's best option especially for easy to use to customers 🙂 

colinster
Getting noticed

Did your question get answered?

 

I'd start by making a list of all your types of devices and their requirements. 

 

Guest Devices - will guests ever need access to a printer? If not, Meraki DHCP + Firewall could work. Note that captive portal devices get assigned a weird policy and don't follow the MR L3 firewall rules, so you need an upstream firewall. Another option is to tunnel guest traffic to an MX, or simply put guests on a VLAN with a firewall that limits it. If you go with a VLAN, you'll need to implement the MR's isolation feature and firewall settings to prevent communication between devices on the same VLAN.

 

Employee BYO Devices - How do you want to handle these? You could use Meraki Trusted Access or Systems Manager Sentry for secure connectivity, it's pretty awesome. Or you can use your corporate credentials to login via 802.1x, but that's definitely a way to expose your unmanaged devices to potential honeypot attacks. Most users/devices will "leak" your enterprise credentials to any random access point that broadcasts nearby. If you educate users not to accept certificates from unknown WiFi access points, well who are we kidding! That's never going to happen. Use Trusted Access. The alternative is a BYOD WPA2-PSK network with splash page to authorize devices. If you want to do this all easily, try a add-on product like Splash Access (www.splashaccess.com) or any captive portal guest solution from Meraki's app store (https://apps.meraki.io/)

 

Employee Corporate Devices - You should be using EAP-TLS with certificate authentication if your security is important to you. But if not, go ahead use AD logins but at least configure your devices WiFi with Active Directory or Systems Manager or Trusted Access or some other MDM/EMM.

 

Handheld Scanners - Most scanners I know have strange WiFi requirements, you want to avoid a separate network for these devices, but it might come at a cost of roaming. Consider and TEST the impact of 11r and 11w before enabling. 

 

Printers - Please tell me you aren't using wireless printers. Sorry to be snarky, but please use ethernet for printers. Most of these devices are terrible at WiFi security.

Colin Lowenberg
wireless engineer and startup founder, formerly known as "the API guy", now I run a Furapi, the therapy dog service, and Lowenberg Labs, an IT consulting company.
Flamer
Here to help

Hello,

 

thanks for the very informative reply!

 

Yes my question was answered thank you. My questions were more theory based, I work for a service provider who has a variety of clients (hospitals, retail, agriculture etc) so there is a fine balancing act between security and functionality. 

 

In my case (lab setup) the answer was to switch to bridge mode and use layer 3 and DHCP on the MX which is working well.

 

regards

 

 

 

Get notified when there are additional replies to this discussion.