Re: Guest WiFi deployment considerations

JanStucki · ‎01-03-2025

Hello,

We wonder how to deploy Guest WiFi for particular location.

We are undergoing some changes and we need to provide Guest WiFi.

We have Meraki Access points connected to C2960X catalyst switches (L2) and distribution switch (L3) directly connected via transit VLAN to the ISP router (over L2 switch).

What will be the best approach to deploy Guest WiFi and how to secure it, any recommendations? Do we need to buy additional hardware (e.g. MX) and install it between ISP (public IP given) and C3850?

Thank you!

Karsten Iwen · ‎01-03-2025

You have no Firewall in this setup? This would be more a home office setup where security is handled by the ISP router. I would add a firewall like an MX and terminate the Guest VLAN directly on that firewall.

--
If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.

CMR · ‎01-03-2025

Adding to what @Karsten Iwen said, create at least two VLANs on the MX, one for guests and one for employees and set the firewall rules so the guest VLAN can only talk out to the internet.

Alternatively set the guest SSID to use NAT mode on the APs and disable access to LAN IP addresses. This will however mean that each AP is its own network as far as the guest is concerned so the clients don't roam as quickly.

If my answer solves your problem please click Accept as Solution so others can benefit from it.

Philip D'Ath · ‎01-05-2025

https://documentation.meraki.com/MR/Wi-Fi_Basics_and_Best_Practices/Configuring_Simple_Guest_and_Internal_Wireless_Networks