SSID and AP network setup

Tomre
Conversationalist

SSID and AP network setup

Hello all, I currently have a production network with vpls between sites using cisco layer three routers. Internet ingress/egress is at the data center (on vpls node)

I have existing AP's and want to add all SSID tags to each - tagging to vl 5, 52, and 53

 

I am looking to route all vlan5 (tagged SSID) out the production network ( to the dc).

The new plan is to plug a local internet connection to the existing router, tag local AP SSID 52 and 53 and route out the local internet.

Looking for advise on where dhcp should come from - if on the router what the config should look like

- The port cfg where the internet is plugged into (i have static ip from isp)

- Th cfg port of the AP - believe to have this correct:

-     interface GigabitEthernet1/0/20
      switchport trunk allowed vlan 5,52,53
      switchport trunk encapsulation dot1q
      switchport mode trunk

Keep in mind i want to use production network to only traverse traffic on vl 52 and 53 and hit the local internet (guest) connection

 

The meraki is setup in bride mode, and im tagging the SSIDs

 

3 Replies 3
cmr
Kind of a big deal
Kind of a big deal

We had a somewhat similar setup and the way we did it was:

 

  • All SSIDs have a VLAN tagged on them, all are in bridged mode
  • Switchport config like your example
  • VLANs that want to simply go out to the internet, no VLAN interface on switches.
  • Firewall(MX/ASA) on internet connection connected to a port with those VLANs on it
  • Firewall runs DHCP for those VLANs
  • VLAN(s) that you want to go to DC get their DHCP from a local L3 device, either the WAN router, or in our case the L3 core switches at the site.
  • Port where WAN router is connected does not have local VLANs 52,53 on it, just 5
If my answer solves your problem please click Accept as Solution so others can benefit from it.
Tomre
Conversationalist

Thanks for the response. I was hoping to not use a firewall - since it is just guest (phones, tabs, etc). 

Is this acceptable or am I opening up our security too far by attempting this W/O firewall (really dont need to protect guest devices)

 

We currently have one AP direct to the cable modem and one on our production network.

Tomre
Conversationalist

Another note, planning to add these external circuits to cisco umbrella
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels