Security of MR Wireless DHCP/NAT

Alan0659
New here

Security of MR Wireless DHCP/NAT

We are fairly new to Meraki (Wireless - Mostly MR46).

On our previous wireless network (Cisco WLC), we had our guest network on a separate VLAN (800).  The infrastructure provided the DHCP and the data went out a separate interface on the firewall.

We are looking at using Meraki NAT/DHCP.  We have experimented with it and found some of our IoT devices which run on the guest network are not working properly, since the firewall rules didn't know the source IP as it uses the AP's IP address.  We are willing to change the firewall rules to use the range of AP IP addresses for simplicity's sake.

How secure is it to have guest traffic (beyond the IoT devices of course) traversing our production/secure network?  All of our APs are on the production network.  The firewall is one hop from the default gateway.  Is there any concern here?  Is there any documentation on how secure NAT/DHCP is?

I'm aware of how the devices are isolated and that "Firewall and traffic shaping" is set to deny any local LAN.  If it denies local LAN, how does it get to the firewall on the same network?  I see it working, but I'm wondering about that.

Thank you.

/Alan
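The question above (how guest traffic can reach a firewall on the same network when the SSID denies local LAN) comes down to the difference between a packet's destination and its next hop. The following is an added illustration, not code from the thread or from Meraki: it models one NAT-mode AP with constructed addresses, treats "deny local LAN" as a destination check against the RFC 1918 ranges (an assumption made for the example, not Meraki's documented implementation), and shows why an upstream firewall only ever sees the AP's management address as the source.

```python
import ipaddress

# Constructed addresses for the illustration (not from the thread).
AP_MGMT_IP = ipaddress.ip_address("10.20.30.40")      # wired/management IP of one AP
DEFAULT_GATEWAY = ipaddress.ip_address("10.20.30.1")  # gateway on the same production VLAN
AP_RANGE = ipaddress.ip_network("10.20.30.0/24")      # range the upstream firewall rule would match on

# "Deny local LAN" modelled as a destination check against the private ranges.
# This is an assumption about the rule's semantics, used only for this example.
LOCAL_LAN = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def is_local_lan(dst: ipaddress.IPv4Address) -> bool:
    """True if the destination falls inside one of the modelled local-LAN ranges."""
    return any(dst in net for net in LOCAL_LAN)


def ap_forward(dst: str) -> dict:
    """Model what a NAT-mode AP does with one upstream packet from a guest client.

    The client's own address (from the AP's private pool) never appears on the
    wire: an allowed packet leaves with the AP's management IP as its source and
    is handed to the default gateway as the layer-2 next hop.  The gateway is a
    next hop, not a destination, so a destination-based "deny local LAN" check
    does not stop a packet bound for the Internet even though the gateway sits
    on the same production subnet as the AP.
    """
    dst_ip = ipaddress.ip_address(dst)
    if is_local_lan(dst_ip):
        # Guest client trying to reach something on the internal network: dropped at the AP.
        return {"verdict": "deny", "wire_src": None, "next_hop": None}
    return {
        "verdict": "allow",
        "wire_src": str(AP_MGMT_IP),          # source after NAT, as the firewall sees it
        "next_hop": str(DEFAULT_GATEWAY),     # L2 hop on the way to the firewall
    }


def upstream_firewall_allows(wire_src: str) -> bool:
    """Upstream rule rewritten, as the poster plans, to match the AP address range.

    The guest client range is invisible after NAT, so a rule written against it
    would never match; matching on the AP range is the only option on this firewall.
    """
    return ipaddress.ip_address(wire_src) in AP_RANGE


if __name__ == "__main__":
    for dst in ("8.8.8.8", "10.0.0.5", "192.168.1.1"):
        print(dst, ap_forward(dst))
```

One operational consequence worth keeping in mind: because every guest flow reaches the firewall with an AP's management address as its source, the firewall cannot attribute a flow to an individual guest client, so per-client logging and any incident investigation has to rely on the AP-side records rather than firewall logs.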

cmr
Kind of a big deal

With Meraki I've always done what you did before, but used a totally separate firewall for the public access.  The NAT option to me is for small sites that have 1-2 APs and no L3 core to speak of.  Is there a reason you want to use the NAT feature for your guest network?

If my answer solves your problem please click Accept as Solution so others can benefit from it.
Alan0659
New here

Hi - 

The reason to use the NAT feature is we need to replace our guest DHCP 2012 server.  So one option is to replace the server and then continue to use our Guest VLAN.  The other option is to replace the guest DHCP server and use a DHCP relay on our firewall (there is no L3 on the guest network) and relay the DHCP request to our existing Domain Controller and add the Guest DHCP scope.

The reason to use the NAT feature is you just turn it on and it works easy peasy.  Hence my question about how secure is it as data would be traversing the same network as what the access points are on which is the production (secure) network.

For reference, we will have 70 access points, mostly used for production.

cmr
Kind of a big deal

If you are going through the firewall, why don't you use that as the DHCP server?

Alan0659
New here

Our service provider (not our ISP; they do data center, firewalls and other things) does not want to have DHCP on the firewall.  It is not best practice other than in a small site.

cmr
Kind of a big deal

Interesting, I've used it for sites issuing a few hundred concurrent IPs, but I can see if there are thousands of clients that it might not be a good idea.
