Meraki

Community

Using Meraki DHCP (NAT Mode)

Solved
KR7766
Here to help
‎Sep 9 2022 7:32 AM
‎Sep 9 2022 7:32 AM

Using Meraki DHCP (NAT Mode)

Hello Meraki Community!

 

I'm researching the possibility of using Meraki DHCP (NAT Mode) to provide client addressing for a new "Guest Wireless" SSID, and wondering if I could make it work (securely) in an environment where the guest traffic needs to be completely isolated from management traffic and traffic on other SSID's.

 

Based on what I've read, VLAN tagging is not allowed in NAT Mode, so my assumption is if I use NAT Mode for guest wireless, that traffic will end up on the native VLAN (which is currently my management VLAN). Using the native VLAN for guest traffic does not sound secure to me, so I'm wondering if it's even possible to completely isolate traffic on an SSID that uses NAT Mode. 

0 Kudos
1 Accepted Solution
Robthesoundguy
Here to help
‎Sep 9 2022 8:46 AM
‎Sep 9 2022 8:46 AM

While it's not as robust as VLAN's with ACL's at the switch level, there is a setting that will prevent wireless clients from accessing the LAN. Wireless -> Configure -> Firewall & Traffic Shaping. 

 

From there, choose your SSID on the drop-down. Under the heading of Block IPs and ports, you'll be able to change the layer 3 firewall rule policy to deny for access to local LAN. 

View solution in original post

4 Replies 4
Robthesoundguy
Here to help
‎Sep 9 2022 8:46 AM
‎Sep 9 2022 8:46 AM

While it's not as robust as VLAN's with ACL's at the switch level, there is a setting that will prevent wireless clients from accessing the LAN. Wireless -> Configure -> Firewall & Traffic Shaping. 

 

From there, choose your SSID on the drop-down. Under the heading of Block IPs and ports, you'll be able to change the layer 3 firewall rule policy to deny for access to local LAN. 

In response to Robthesoundguy
KR7766
Here to help
‎Sep 12 2022 6:45 AM
‎Sep 12 2022 6:45 AM

@Robthesoundguy. Thank you for explaining how to do this using the firewall functionality in the AP. This sounds like the best option without significant changes to the existing network configuration. 


0 Kudos
KarstenI
Kind of a big deal
Kind of a big deal
‎Sep 9 2022 10:19 AM
‎Sep 9 2022 10:19 AM

You can move your management-traffic to an alternate Management-VLAN and let the guest traffic flow native. On the switch port the native traffic gets tagged as needed:

https://documentation.meraki.com/MR/Other_Topics/Alternate_Management_Interface_on_MR_Devices

Only downside is that Dashboard-traffic is still mixed with guest-traffic.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
In response to KarstenI
KR7766
Here to help
‎Sep 12 2022 6:47 AM
‎Sep 12 2022 6:47 AM

Thanks @KarstenI. I appreciate the information and link you provided!

0 Kudos
li.common.scroll-to.top
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.