Secure guest access in 3 steps

Segment guest traffic from the rest of your network with the Cisco Meraki wireless solution

It’s that time of year again. School has begun, and we thought it would be a great chance to review some wireless fundamentals by creating a secure guest SSID. But first, what are our goals when creating guest wireless on our networks? We want to segment guest traffic from secure traffic, segment guests from each other, and as a bonus, protect the rest of the network from guests getting carried away on YouTube. With the Cisco Meraki solution, we can accomplish each of these requirements with just a few steps:

1. Create a Guest SSID

First, go to Wireless > SSIDs to create a new SSID. I’ve named mine Meraki-Guest. Then toggle it to enabled and click Save.

Navigate to Wireless > Access control. Ensure the “Meraki-Guest” SSID is selected from the drop-down menu. Under Association requirements, select ‘Open’. Remember, we have users with no credentials connecting. If you prefer to give out a passcode to users, you can select “Pre-shared key with WPA2” here instead.

Next, we will select a splash page. I have chosen a click-through splash page provided by the dashboard (customize it under Wireless > Splash page), but there are several other options: Sign on with SMS Authentication and Sign on with Facebook WiFi are also popular choices.

2. Use NAT mode for assigning client IP addresses

Still on the Wireless > Access control page, we can select our Client IP assignment method. For guest access, we recommend using “NAT mode.” In this mode, the AP acts as the DHCP server and hands out an IP address from the 10.0.0.0/8 range. An added benefit of this method is that, by default, guests cannot see each other. However, guests can still potentially see traffic or internal resources upstream. Let’s take care of that next.

3. Block local LAN traffic

Navigate to Wireless > Firewall & traffic shaping. Under “Layer 3 firewall rules” select “deny” for Local LAN traffic. This will ensure that any traffic destined for a Class A, B, or C private IP address is dropped right here at the AP. With this selected, the guest traffic is completely isolated from the LAN and guests can only access internet resources.

BONUS. Apply layer 7 firewall and traffic shaping rules

Here, we can also limit which internet resources guests are allowed to access, and at what speed. We can use Layer 7 firewall rules to completely block a certain type of traffic: here we have blocked all peer-to-peer traffic such as BitTorrent and Kazaa.

If we don’t want to completely block an application, we can use traffic shaping rules to limit but not block certain types of traffic. Here, we have limited all Video and Music traffic, prioritized VoIP traffic, and set an overall bandwidth limit of 1 Mbps per client.

Choose between a variety of categories of predefined applications. A benefit of the cloud is that the application list is constantly being updated, and if you can’t find what you’re looking for, simply create your own custom traffic shaping rule by specifying a hostname, port, IP address, or subnet.

And that’s it. Stay tuned for more configuration examples and, as usual, keep us updated with what you’d like to see using the “make a wish” box at the bottom of every page in dashboard.
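
Once the SSID is set up, the three steps and the bonus bandwidth limit can be checked against an export of its configuration. The Python sketch below is an added example, not Meraki code: the field names and values (`ipAssignmentMode`, `destCidr`, `Local LAN` and so on) are assumptions modelled on the Dashboard API's SSID and layer 3 firewall rule objects, and the sample data is constructed.

```python
import ipaddress

# Constructed sample export. Field names and values are assumptions modelled on
# the Meraki Dashboard API's SSID and layer 3 firewall rule objects.
SSID = {"name": "Meraki-Guest", "enabled": True, "authMode": "open",
        "splashPage": "Click-through splash page",
        "ipAssignmentMode": "NAT mode", "perClientBandwidthLimitDown": 1024}  # Kbps
L3_RULES = [
    {"comment": "printer exception", "policy": "allow", "destCidr": "192.168.10.25/32"},
    {"comment": "Wireless clients accessing LAN", "policy": "deny", "destCidr": "Local LAN"},
    {"comment": "Default rule", "policy": "allow", "destCidr": "Any"},
]
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def touches_private(cidr):
    """True if a destination CIDR overlaps the private ranges the LAN rule covers."""
    try:
        net = ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return False  # keywords such as "Any" are handled by the caller
    return any(net.overlaps(p) for p in PRIVATE)


def audit_guest_ssid(ssid, l3_rules):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if ssid.get("ipAssignmentMode") != "NAT mode":
        findings.append("step 2: SSID is not in NAT mode")
    lan_denied = False
    for rule in l3_rules:  # assumed order: top down, first match wins
        dest, policy = rule.get("destCidr", ""), rule.get("policy", "").lower()
        if dest.lower() == "local lan":
            lan_denied = policy == "deny"
            break
        if policy == "allow" and (dest.lower() == "any" or touches_private(dest)):
            findings.append(f"step 3: allow rule ahead of the Local LAN rule: {dest}")
    if not lan_denied:
        findings.append("step 3: Local LAN traffic is not denied")
    if ssid.get("authMode") == "open" and ssid.get("splashPage", "None") == "None":
        findings.append("step 1: open SSID with no splash page")
    if not ssid.get("perClientBandwidthLimitDown"):
        findings.append("bonus: no per-client bandwidth limit")
    return findings
```

On the constructed sample, the only finding is the printer exception: a custom allow rule placed above the Local LAN deny lets guests reach that private address even though step 3 is otherwise in place.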