Meraki WiFi Best Practices for simple and secure SSID deployments.
One of the most common types of WiFi access deployments is to create at least two Wireless networks, in other words, an internal WiFi network for the company’s employees and another one for Guest Access. Although the process to create the networks is the same, there are some Meraki WiFi best practices you can implement to take advantage of Meraki’s wireless features.
All SSIDs are configured the same way, and there’s nothing special when it comes to configuring a Guest SSID. What makes the difference is the configuration settings that you apply to it.
You can watch the youtube tutorial here.
Let’s cover the basics.
Internal WiFi network. They are designed to provide access to internal resources such as servers, printers, shared drivers, etc; in other words, it’s simply an “extension” of the LAN. As you can imagine, you wouldn’t want unauthorized users accessing your internal network for all the administrative, security, and compliance reasons.
Guest WiFi network. You can create a Guest WiFi network to provide your visitors with internet access without allowing them to access the internal company resources. It’s part of Meraki WiFi best practices to segregate network access, and administrators can use different types of technical and administrative controls to ensure Guest Wifi users don’t have access to the corporate network and vice versa.
Are you a Cisco Meraki Shop? This article “5 Cisco Meraki to improve WiFi performance” may be useful to you.
Meraki WiFi Best Practices – Creating a Guest and Internal network.
Meraki makes it simple to create and deploy WiFi networks (SSIDs) from the dashboard management console. The process to create the SSIDs is the same regardless of their use. – Another good point to add to Meraki WiFi best practices – deploy no more than 3 SSIDs per Access Point.
- In Dashboard, navigate to Wireless > Configure > SSIDs.
2. For the Name section of each SSID, click the rename link.
3. Enable and rename the Guest and Internal SSIDs appropriately. This is the name of the wireless network that clients will see in their list of available network connections.
4. Click the Save Changes button.
Configure the Guest SSID settings – It’s the same process as any other SSID -.
- Navigate to Wireless > Configure > Access control.
2. Select your guest network from the SSID drop-down menu.
3. For Association requirements, choose Open (no encryption).
4. For the Splash page, choose Click-through (Users must view and acknowledge the splash page).
5. Select the captive portal strength settings (You can restrict all non-http traffic or not until splash page acknowledgment)
6. Scroll down to the Addressing and traffic section of the page.
7. Ensure that “NAT mode: Use Meraki DHCP” is selected. In NAT mode, Clients receive IP addresses in an isolated 10.0.0.0/8 network. Clients cannot communicate with each other. See this article for more information on NAT mode.
8. Click Save Changes at the bottom of the page.
9. Navigate to the Configure > Firewall & traffic shaping page.
10. Ensure that the Guest network is selected on the SSID drop-down menu at the top of the page.
11. In the Layer 3 firewall rules section, select Deny from the drop-down menu for the rule labeled Wireless clients accessing LAN.
12. Scroll down to the Traffic shaping rules section and select a Per-client and/or Per-SSID bandwidth limit.
13. Click Save Changes.
For more advanced Cisco Meraki WiFi best practices configuration settings check this article about configuring SSID VLAN with group policies.
Configure SSID for Internal Network. – Cisco Meraki WiFi services.
- Navigate to Configure > Access control.
2. Select your guest network from the SSID drop-down menu.
3 For Association requirements, choose the Pre-shared key with WPA2 and enter a key that Clients will use to connect to the network.
4. Scroll down to the Addressing and traffic section of the page.
5. Select “Bridge mode: Make clients part of the LAN”. In Bridge mode, Meraki devices operate transparently (no NAT or DHCP). Clients receive DHCP leases from the LAN or use static IPs. See this article for more information on NAT mode versus Bridge mode.
6. Click Save Changes at the bottom of the page.
7. Navigate to the Configure > Firewall & traffic shaping page.
8. Ensure that the Internal network is selected on the SSID drop-down menu at the top of the page.
9. In the Layer 3 firewall rules section, make sure Allow is selected for the rule labeled Wireless clients accessing LAN.
10. Click Save Changes
After these steps are complete, the AP’s in your network will broadcast two different SSIDs. One network will allow Guest access to the Internet only, the other will allow Internal users to access the network through a secure extension of your wired LAN.
Bonus: We always recommend deploying SSIDs only where required. This WiFi best practice has many benefits that directly impact the wireless network performance and may help you with your network security plan.
Multiple WiFi in the area? Another of the articles we’ve written about Meraki WiFi best practices is to plan WiFi channels allocation.
The purpose of this article is to show you how to create the most basic SSID deployments in business configurations. Meraki offers a multitude of options and settings to customize WiFi network access to your needs including different levels of authentication, security, routing, etc. that can be integrated with other services to improve overall network performance.
WiFi network deployments require proper planning, We are WiFi experts in NJ providing highly efficient, resilient, and cost-effective Wireless network solutions to businesses and organizations. Our strategic technical vision coupled with our WiFi, Network, and Cyber-Security experience allows us to deliver the right WiFi solution to your environment.
Contact us at [email protected], www.jdtechsolutions.net, or 888-580-4450 to learn more about our WiFi Solutions and Services.