Meraki

Community

Isolation mode (NAT with Meraki DHCP)

Flamer
Here to help
‎Mar 30 2020 4:10 PM
‎Mar 30 2020 4:10 PM

Isolation mode (NAT with Meraki DHCP)

Hi all,

 

I know this topic has been kicked around a few times already, but it seems there is no acceptable solution.

 

Generally we create 3 SSIDs - GUEST, BYOD, CORP. Guest and byod we want clients isolated and corp we want discover-able. But this seems not possible on Meraki.

 

I have a setup here where 3 device son the same network need to communicate with each other, the workaround I had to use was crate a new SSID and put one device in that which allowed me to get communication between two of the hosts working, but that is obviously not scalabale. 

 

I am wondering how corporates are dealing with devices like wireless printers, handheld scanners and P2P Skype calls?  Is there any other way to achieve this that I am not aware of, and if not is it on the road map?

0 Kudos
8 Replies 8
NolanHerring
Kind of a big deal
‎Mar 30 2020 4:20 PM
‎Mar 30 2020 4:20 PM

NAT MODE isn't designed for enterprise environments. It's for coffee shop type setups.
You want to use bridge-mode with VLANs
Nolan Herring | nolanwifi.com
TwitterLinkedIn
In response to NolanHerring
Flamer
Here to help
‎Mar 30 2020 4:39 PM
‎Mar 30 2020 4:39 PM

I see thank you.

 

So would I be right in assuming, the MX cannot act as a DHCP server in bridge mode and a dedicated server would be required?

0 Kudos
In response to Flamer
NolanHerring
Kind of a big deal
‎Mar 30 2020 5:30 PM
‎Mar 30 2020 5:30 PM

If you have an MX it can very much so become a DHCP server without any issues. That is the preferred design option, use the MX or L3 MS as your DHCP/gateway for the VLANs you create, and your SSID will tie into the VLAN via bridge-mode.
Nolan Herring | nolanwifi.com
TwitterLinkedIn
In response to NolanHerring
Flamer
Here to help
‎Mar 30 2020 11:31 PM
‎Mar 30 2020 11:31 PM

Ok sounds like a better approach, will give it a try.

 

thanks

 

0 Kudos
Agus
Getting noticed
‎Mar 30 2020 9:12 PM
‎Mar 30 2020 9:12 PM

i think this better using vlan for separate other network, as i use i create vlan for production network, and let meraki dhcp use for guest and block unecessery network to network with firewall.

 

cmiw

 

thanks

0 Kudos
Felippe
Getting noticed
‎Mar 31 2020 8:03 AM
‎Mar 31 2020 8:03 AM

for guest i use meraki DHCP with Facebook login which i think it's best option especially for easy to use to customers 🙂 

0 Kudos
colinster
Getting noticed
‎Apr 2 2020 11:26 AM
‎Apr 2 2020 11:26 AM

Did your question get answered?

 

I'd start by making a list of all your types of devices and their requirements. 

 

Guest Devices - will guests ever need access to a printer? If not, Meraki DHCP + Firewall could work. Note that captive portal devices get assigned a weird policy and don't follow the MR L3 firewall rules, so you need an upstream firewall. Another option is to tunnel guest traffic to an MX, or simply put guests on a VLAN with a firewall that limits it. If you go with a VLAN, you'll need to implement the MR's isolation feature and firewall settings to prevent communication between devices on the same VLAN.

 

Employee BYO Devices - How do you want to handle these? You could use Meraki Trusted Access or Systems Manager Sentry for secure connectivity, it's pretty awesome. Or you can use your corporate credentials to login via 802.1x, but that's definitely a way to expose your unmanaged devices to potential honeypot attacks. Most users/devices will "leak" your enterprise credentials to any random access point that broadcasts nearby. If you educate users not to accept certificates from unknown WiFi access points, well who are we kidding! That's never going to happen. Use Trusted Access. The alternative is a BYOD WPA2-PSK network with splash page to authorize devices. If you want to do this all easily, try a add-on product like Splash Access (www.splashaccess.com) or any captive portal guest solution from Meraki's app store (https://apps.meraki.io/)

 

Employee Corporate Devices - You should be using EAP-TLS with certificate authentication if your security is important to you. But if not, go ahead use AD logins but at least configure your devices WiFi with Active Directory or Systems Manager or Trusted Access or some other MDM/EMM.

 

Handheld Scanners - Most scanners I know have strange WiFi requirements, you want to avoid a separate network for these devices, but it might come at a cost of roaming. Consider and TEST the impact of 11r and 11w before enabling. 

 

Printers - Please tell me you aren't using wireless printers. Sorry to be snarky, but please use ethernet for printers. Most of these devices are terrible at WiFi security.

Colin Lowenberg
wireless engineer and startup founder, formerly known as "the API guy", now I run a Furapi, the therapy dog service, and Lowenberg Labs, an IT consulting company.
In response to colinster
Flamer
Here to help
‎Apr 2 2020 2:06 PM
‎Apr 2 2020 2:06 PM

Hello,

 

thanks for the very informative reply!

 

Yes my question was answered thank you. My questions were more theory based, I work for a service provider who has a variety of clients (hospitals, retail, agriculture etc) so there is a fine balancing act between security and functionality. 

 

In my case (lab setup) the answer was to switch to bridge mode and use layer 3 and DHCP on the MX which is working well.

 

regards

 

 

 

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.