I have a hybrid switch setup with HP and Cisco - the native VLAN is 1 and I cannot change this. VLAN 1 is an uplink to the data MPLS, that is, the data circuit WAN, separate from VLAN 352, an internet breakout.


I have a guest internet facility over wifi and that works fine in an L2 bridge mode with the MR34s connecting via an access port to a VLAN with 200mb internet backhaul, that is separate from my corp data. My Merakis are currently plugged into VLAN 352. VLAN 352 is an internet connection with DHCP provided to the Meraki from the router.


I need to add corp-ssid and I have managed to get it working on a test Meraki with RADIUS and NPS. This is in NAT mode and at the moment set up as a trunk port with a connection over VLAN 330. VLAN 330 is data for the org. As a trunk port, with the management plane of the Merakis on VLAN 1, that works fine.

I can see that I can set up the Meraki on native VLAN 1 for the management plane of the device. So if I trunk the uplink port I can easily set up the corp-wifi on VLAN 330 and tag the SSID. How do I deal with the guest wifi on VLAN 352? I cannot tag this in the SSID page as it is in bridge mode and that doesn't know about VLANs.

So how do I deal with this? It seems like I cannot mix NAT mode and bridge mode on the same APs. Has anybody found a way around this issue?

I cannot put guest internet traffic over VLAN 1 as this is low bandwidth and separate from the corp data.


You are correct, you cannot mix NAT and bridge mode.


If VLAN 352 only provides Internet then you should be able to just bridge the guest users onto this VLAN.

Thanks - so do you mean separate out NAT and bridged SSIDs onto separate WAPs?


That will get expensive.  

No, not separate WAPs, but you cannot have a hybrid NAT + Bridge mode on the same SSID. I think that was the question anyway. In NAT mode there is no VLAN tagging; it is commonly used for guests, each client gets a seemingly random 10.x.x.x IP and is isolated from every other client automatically, and the AP is both the DHCP server and the NAT boundary. Sounds like your plan/requirement might be to run different SSIDs, each running in Bridge mode, and then you can enable VLAN tagging and set the VLAN ID as needed. You could do it on a single SSID as well, and you can then set a VLAN tag on a per-AP basis by tagging the APs in a specific way, but that method might bring you back to having different APs for different functions, which you wanted to avoid. Sounds like you'd need to run separate SSIDs in Bridge mode and specify the VLAN tag for each. Sorry if I misunderstood the question, let us know.

As @MerakiDave mentioned, you can accomplish this easily with two SSIDs: one for guests, the other for corp users.


Thanks for a response. 


My question is: how do I have one SSID in NAT mode for corp data and a guest SSID that is in bridged mode on the same WAP, and how do I trunk this?


I cannot see how I do this. I was hoping that I had missed something. Is there any other way of accomplishing this, other than doubling up on WAPs and separating them out physically?

You can absolutely have one AP that has two SSIDs, one in NAT mode and one in bridge mode.


The NAT mode SSID uses the native VLAN on the trunk port on the switch that the AP connects to. So configure this on your switch.


Follow this guide to configure per-SSID VLAN tagging.

