Routing wireless clients to a private VLAN

Solved
velocitytech
Conversationalist


We are looking at implementing the following environment:

 

MX68 Appliance

3 MS120-48LP switches

12 MR36 APs

 

We have 40 private VLANs set for wired clients. (It's a shared office environment with 40 individual tenants, all with their own private VLAN.) Is there a way to allow these clients the ability to access their own private VLAN(s) wirelessly while roaming between multiple APs if they are moving around the building?

 

In short:

 

Client one's network has a private VLAN (we'll say VLAN1) on the wired connection in the office, but they want to be able to access that private VLAN from any AP while connected wirelessly.

 

In our scenario there are 39 more clients with a private VLAN, all like Client one, that want to access their own private VLAN via wireless.

 

Can this be configured on the equipment listed above? Maybe through Group Policy? I see how to set a VLAN per SSID, or tag multiple VLANs to an SSID, but not sure how to allow the client to access them individually.

 

Thanks in advance!

1 Accepted Solution
Ryan_Miles
Meraki Employee

Perhaps use IPSK. You could define per-client Group Policies which map the SSID to their private VLAN. Then on the common SSID use IPSK so each client has a unique non-shared/known PSK, preventing them from accessing another user's VLAN.

 

Assuming the 40 VLANs exist on the MX, you'd also want firewall rules there to prevent VLAN-to-VLAN communications.

Ryan

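Added example, not part of the original thread and not Meraki's own code: a Python sketch that builds the plan described in the accepted solution (one unique PSK per tenant mapped to that tenant's VLAN, plus deny rules between tenant VLANs) and audits it for isolation gaps before anything is entered in Dashboard. The addressing scheme, the tenant and group-policy names, and the `groupPolicy`/`vlan` keys are assumptions; the rule keys are modelled on MX L3 firewall rule fields, and nothing here calls the Dashboard API.

```python
import ipaddress
import secrets

# Constructed addressing plan (assumption): tenant N uses VLAN 100+N, 10.10.N.0/24.
TENANTS = {f"tenant{n:02d}": (100 + n, f"10.10.{n}.0/24") for n in range(1, 41)}

def build_plan(tenants):
    """Return (ipsk_entries, l3_rules) for one shared SSID and N tenant VLANs."""
    ipsks, rules = [], []
    for name, (vlan, cidr) in tenants.items():
        others = [c for t, (_, c) in tenants.items() if t != name]
        # One unique passphrase per tenant, tied to that tenant's group policy.
        ipsks.append({"name": name, "passphrase": secrets.token_urlsafe(16),
                      "groupPolicy": f"gp-{name}", "vlan": vlan})
        # Deny this tenant's subnet to every other tenant subnet.
        rules.append({"policy": "deny", "protocol": "any", "srcCidr": cidr,
                      "destCidr": ",".join(others), "comment": f"isolate {name}"})
    # Explicit default so the evaluator below has a terminal rule.
    rules.append({"policy": "allow", "protocol": "any", "srcCidr": "any",
                  "destCidr": "any", "comment": "default allow"})
    return ipsks, rules

def _match(field, ip):
    if field == "any":
        return True
    return any(ip in ipaddress.ip_network(c) for c in field.split(","))

def verdict(rules, src, dst):
    """First-match evaluation of an L3 rule list for one src/dst pair."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if _match(r["srcCidr"], src) and _match(r["destCidr"], dst):
            return r["policy"]
    return "allow"

def audit(tenants, ipsks, rules):
    """Return a list of findings; an empty list means the plan isolates tenants."""
    findings = []
    if len({e["passphrase"] for e in ipsks}) != len(ipsks):
        findings.append("duplicate passphrase across tenants")
    hosts = {t: str(ipaddress.ip_network(c)[10]) for t, (_, c) in tenants.items()}
    for a in hosts:
        for b in hosts:
            if a != b and verdict(rules, hosts[a], hosts[b]) != "deny":
                findings.append(f"{a} can reach {b}")
    return findings
```

Running `audit` again after every tenant add or removal catches a VLAN that was created without its matching deny rule.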

alemabrahao
Kind of a big deal

Under Wireless > Configure > Firewall & Traffic shaping, change the rule on the SSID to allow clients to access the LAN.

 


 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

velocitytech
Conversationalist

Thanks. I can get them to access the LAN, but I need the ability to have them access their private VLAN (each user has a different VLAN on their wired connections to their offices) via wireless.  

velocitytech
Conversationalist

Thanks!  I think this may be the answer I am looking for.  Let me research a bit on it to make sure, but this looks like a great start!

alemabrahao
Kind of a big deal

I got it. In my opinion it's the best option:

 

https://documentation.meraki.com/MR/Group_Policies_and_Block_Lists/Using_RADIUS_Attributes_to_Apply_...

But the option that @Ryan_Miles suggested to you is good too.

PhilipDAth
Kind of a big deal

Splash Access (a paid option) also has a brilliant "multi-dwelling" system.  It has a portal where clients can on-board their own WiFi devices, and it drops their devices into their own private VLAN automatically.

https://www.splashaccess.com/portfolio/mdusolution/ 

velocitytech
Conversationalist

True.  Splash Access is a great solution but a little overkill for this particular project.
