vMX 100 multiple subnets
Is it possible to have multiple subnets for client VPNs?
I have a need for different access and permissions for different groups that VPN in. One is for a client and one is for our own employees. I want to be able to limit the client to be able to access one server only but I don't see how to do that with the MX.
Thanks, Gordon
You can only configure one subnet for client VPN. You can however create group policies and apply those to the clients.
I tried getting clever with CIDR super- and sub- netting. It wasn't allowed. I have changed my network architecture so I have options at all levels. Taking a leaf out of the banks' playbook after the last financial crash, I have bad bank and good bank, or rather bad network and good network. All the dodgy stuff is in bad network. Good network is secure and boring . . . bad network is out dancing all night.
@MRCUR are you sure you can apply group policies to client VPN users? I don't think this works ...
The only way I can figure how to do it, is to assign them static IPs to use and then I can filter by them. Not the best option but this is for a client not general public.
@PhilipDAth I haven't personally done this, but I've seen it recommended on the community by others. The VPN clients show up in the network wide clients list, so this seems like it would be possible to me.
Do this test for me please. Blacklist a VPN client, and then make sure they are blocked from everything.
I just tested with myself as a VPN client and was able to restrict my bandwidth to 1Mb up and down and blocked myself from the LAN. My phone is configured to connect to the VPN via Sentry so I'm not sure if that's part of why it works. It was a separate group policy that I applied to restrict my phone.
Group policy on the VPN does work. We authenticate via AD and have one of our groups that cannot access Facebook. When that user VPNs in, they follow that group policy and continue to be blocked from Facebook.
OK. So the answer is no, that there is not a way to have multiple subnets. I have looked at group policy and it is not going to work in our case for a number of reasons.
Thanks for the replies
