Skip to main content
Cisco Meraki

Configuring Simple Guest and Internal Wireless Networks

Many organizations require two wireless networks (formally known as SSIDs) for client access. In most cases, the desired end result is one SSID for internal users - a secure encrypted extension of the wired LAN - and a second SSID that provides Internet-only access to your guests with minimal administrative overhead. This article describes how to configure, name and enable each SSID so that each provides the proper level of access to connected clients. Consult the following whitepaper to learn more about Wireless Guest Access at the Office

Note: This configuration applies to MR Access Points only. For a similar configuration on the Z1 Teleworker Gateway and MX60W Security Appliance, see this page.

Name and Enable the 'Guest' and 'Internal' SSIDs

  1. In Dashboard, navigate to Wireless > Configure > SSIDs.
  2. For the Name section of each SSID, click the rename link.
  3. Enable and rename the Guest and Internal SSIDs appropriately. This is the name of the wireless network that clients will see in their list of available network connections.
  4. Click the Save Changes button.

Configure the 'Guest' SSID

  1. Navigate to Wireless > Configure > Access control.
  2. Select your guest network from the SSID drop-down menu.
  3. For Association requirements, choose Open (no encryption).
  4. For Splash page, choose None (direct access).
    Note: To configure a Click-through splash page to display a company logo or welcome message, see Enabling Click-through splash-page or Customizing the Splash page.
  5. Scroll down to the Addressing and traffic section of the page.
  6. Ensure that "NAT mode: Use Meraki DHCP" is selected. In NAT mode, Clients receive IP addresses in an isolated network. Clients cannot communicate with each other. See this article for more information on NAT mode.
  7. Click Save Changes at the bottom of the page.
  8. Navigate to the Configure > Firewall & traffic shaping page.
  9. Ensure that the Guest network is selected on the SSID drop-down menu at the top of the page.
  10. In the Layer 3 firewall rules section, select Deny from the drop-down menu for the rule labeled Wireless clients accessing LAN. More information on this setting is available in 'Deny Local LAN' settings in Cisco Meraki MR firewall.
  11. Scroll down to the Traffic shaping rules section and select a Per-client and/or Per-SSID bandwidth limit.
  12. Click Save Changes.


Configure the 'Internal' SSID

  1. Navigate to Configure > Access control.
  2. Select your guest network from the SSID drop down.
  3. For Association requirements, choose Pre-shared key with WPA2 and enter a key that Clients will use to connect to the network.
  4. For Splash page, choose None (direct access)
  5. Scroll down to the Addressing and traffic section of the page.
  6. Select "Bridge mode: Make clients part of the LAN". In Bridge mode, Meraki devices operate transparently (no NAT or DHCP). Clients receive DHCP leases from the LAN or use static IPs. See this article for more information on NAT mode versus Bridge mode.
  7. Click Save Changes at the bottom of the page.
  8. Navigate to the Configure > Firewall & traffic shaping page.
  9. Ensure that the Internal network is selected on the SSID drop-down menu at the top of the page.
  10. In the Layer 3 firewall rules section, make sure Allow is selected for the rule labeled Wireless clients accessing LAN.
  11. Click Save Changes

After these steps are complete, the AP's in your network will broadcast two different SSIDs. One network will allow Guest access to the Internet only, the other will allow Internal users to access the network through a secure extension of your wired LAN.