Skip to main content

 

Cisco Meraki Documentation

Configuring Simple Guest and Internal Wireless Networks

Many organizations require two wireless networks (formally known as SSIDs) for client access. In most cases, the desired end result is one SSID for internal users - a secure encrypted extension of the wired LAN - and a second SSID that provides Internet-only access to your guests with minimal administrative overhead. This article describes how to configure, name and enable each SSID so that each provides the proper level of access to connected clients. Consult the following whitepaper to learn more about Wireless Guest Access at the Office

Note: This configuration applies to MR Access Points only. For a similar configuration on the Z1 Teleworker Gateway and MX60W Security Appliance, see this page

Learn more with these free online training courses on the Meraki Learning Hub:

Sign in with your Cisco SSO or create a free account to start training.

Name and Enable the 'Guest' and 'Internal' SSIDs

  1. In Dashboard, navigate to Wireless > Configure > SSIDs.
  2. For the Name section of each SSID, click the rename link.
  3. Enable and rename the Guest and Internal SSIDs appropriately. This is the name of the wireless network that clients will see in their list of available network connections.
  4. Click the Save Changes button.This is the wireless network overview page that shows the list SSIDs in the network.

Configure the 'Guest' SSID

  1. Navigate to Wireless > Configure > Access control.
  2. Select your guest network from the SSID drop-down menu.
  3. For Association requirements, choose Open (no encryption).
    This is an image displaying the settings for SSID for a guest network.
  4. For Splash page, choose None (direct access).
    Note: To configure a Click-through splash page to display a company logo or welcome message, see Enabling Click-through splash-page or Customizing the Splash page.
    This image displays the Splash settings for the guest SSID.
  5. Scroll down to the Addressing and traffic section of the page.
  6. Ensure that "NAT mode: Use Meraki DHCP" is selected. In NAT mode, Clients receive IP addresses in an isolated 10.0.0.0/8 network. Clients cannot communicate with each other. See this article for more information on NAT mode.
    This image displays client IP address settings for the guest SSID.
  7. Click Save Changes at the bottom of the page.
  8. Navigate to the Configure > Firewall & traffic shaping page.
  9. Ensure that the Guest network is selected on the SSID drop-down menu at the top of the page.
  10. In the Layer 3 firewall rules section, select Deny from the drop-down menu for the rule labeled Wireless clients accessing LAN. More information on this setting is available in 'Deny Local LAN' settings in Cisco Meraki MR firewall.
    This image shows how to deny guest wireless traffic from communicating with other networks.
  11. Scroll down to the Traffic shaping rules section and select a Per-client and/or Per-SSID bandwidth limit.
  12. Click Save Changes.

       This image shows up how traffic shaping is configured per-client and/or per-SSID. This example shows 500Kbps and 2Mbps, respectively.

Configure the 'Internal' SSID

  1. Navigate to Configure > Access control.
  2. Select your guest network from the SSID drop down.
  3. For Association requirements, choose Pre-shared key with WPA2 and enter a key that Clients will use to connect to the network.
    This image displays the SSID's association requirements and settings. This example is shows WPA2 selected.
  4. For Splash page, choose None (direct access)
    This image displays the Splash settings for the guest SSID. This example shows "click through".
  5. Scroll down to the Addressing and traffic section of the page.
  6. Select "Bridge mode: Make clients part of the LAN". In Bridge mode, Meraki devices operate transparently (no NAT or DHCP). Clients receive DHCP leases from the LAN or use static IPs. See this article for more information on NAT mode versus Bridge mode.
    This is an image displaying client IP assignment configured as bridge mode.
  7. Click Save Changes at the bottom of the page.
  8. Navigate to the Configure > Firewall & traffic shaping page.
  9. Ensure that the Internal network is selected on the SSID drop-down menu at the top of the page.
  10. In the Layer 3 firewall rules section, make sure Allow is selected for the rule labeled Wireless clients accessing LAN.
    This image shows how to allow guest wireless traffic to communicate with other networks.
  11. Click Save Changes

After these steps are complete, the AP's in your network will broadcast two different SSIDs. One network will allow Guest access to the Internet only, the other will allow Internal users to access the network through a secure extension of your wired LAN.