Cisco Meraki Documentation

Creating a Wireless Guest VLAN on a Z-series Teleworker Gateway or Wireless Security Appliance

The Z-series Teleworker Gateway and wireless-capable MX Security Appliance models can simultaneously extend the corporate LAN into small home offices and provide secure Internet-only wireless access for in-home users. To isolate wireless guest or home traffic from the corporate LAN on the Teleworker Gateway or MX Security Appliance:

  1. Configure Guest/Corporate VLANs.
  2. Tag the SSIDs with the appropriate VLAN.
  3. Configure firewall rules to block inter-VLAN traffic.

Configure Guest/Corporate VLANs

After VLANs have been enabled, configure at least two VLANs in the Routing section of the Security & SD-WAN/Teleworker gateway > Configure > Addressing & VLANs page.


Tag the SSIDs with the Appropriate VLAN

  1. Enable and rename at least two SSIDs on Security & SD-WAN/Teleworker gateway > Configure > Wireless settings.
  2. Select the VLAN ID that will be associated with each SSID from the VLAN assignment drop-down and save settings. Multiple VLANs cannot be assigned to the same SSID, but the same VLAN can be applied to multiple SSIDs.


Create Firewall Rules to Block Inter-VLAN Traffic 

  1. Go to Security & SD-WAN/Teleworker gateway > Configure > Firewall and click on the Add a rule button under the Outbound rules section to create two blank firewall rules.
  2. Set the Policy to Deny and the Protocol to Any in both rules. In the first rule, set the Source to the subnet of one of the VLANs that has been created and the Destination to the subnet of the other. In the second rule, swap the two subnets so that traffic is denied in both directions. Add a Comment if clarification of the rule is needed.
  3. To let the guest network use certain servers and services, such as a printer, add allow rules above the deny rules that specify the IP address of the endpoint.


After all of this has been completed, there will be at least two SSIDs, one of which grants access to the Internet alone while the other grants access to corporate servers and services. Complexity can be added to the firewall rules to create exceptions for devices such as network printers or a DNS server.
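The rule ordering described above can be checked before it is entered in the dashboard. The following is an added example, not Meraki code: a first-match evaluator that audits an ordered rule list for isolation in both directions while keeping a printer exception. The subnets, the printer address and the allow-by-default fallback are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample addressing; substitute the subnets from Addressing & VLANs.
CORP, GUEST = "192.168.10.0/24", "192.168.20.0/24"
PRINTER = "192.168.10.50"  # hypothetical printer on the corporate VLAN

@dataclass(frozen=True)
class Rule:
    policy: str       # "allow" or "deny"
    source: str       # CIDR or "any"
    destination: str  # CIDR or "any"

def matches(cidr, ip):
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

def evaluate(rules, src, dst):
    """Policy of the first rule, read top-down, that matches the flow."""
    for r in rules:
        if matches(r.source, src) and matches(r.destination, dst):
            return r.policy
    return "allow"  # assumption: a flow that matches no rule is allowed

def audit(rules, allowed=(PRINTER,)):
    """Return findings; an empty list means the VLANs are isolated as intended."""
    findings = []
    corp_hosts = [str(h) for h in ipaddress.ip_network(CORP).hosts()]
    guest_hosts = [str(h) for h in ipaddress.ip_network(GUEST).hosts()]
    for dst in corp_hosts:  # guest client to every corporate address
        want = "allow" if dst in allowed else "deny"
        if evaluate(rules, guest_hosts[0], dst) != want:
            findings.append(f"guest -> {dst}: expected {want}")
    for dst in guest_hosts:  # corporate client to every guest address
        if evaluate(rules, corp_hosts[0], dst) != "deny":
            findings.append(f"corp -> {dst}: expected deny")
    return findings

GOOD = [
    Rule("allow", GUEST, PRINTER + "/32"),  # exception sits above the deny
    Rule("deny", GUEST, CORP),
    Rule("deny", CORP, GUEST),
]
MISORDERED = [GOOD[1], GOOD[0], GOOD[2]]  # deny shadows the printer exception
ONE_WAY = GOOD[:2]                        # second deny rule was never added

if __name__ == "__main__":
    for name, rules in [("GOOD", GOOD), ("MISORDERED", MISORDERED), ("ONE_WAY", ONE_WAY)]:
        print(name, len(audit(rules)), "finding(s)")
```

An allow rule placed below the deny never matches, and leaving out the second deny rule leaves the guest subnet reachable from the corporate VLAN.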
