Looking for advice: How to transit through another organizations intranet securely

DR1
Getting noticed

Looking for advice: How to transit through another organizations intranet securely

Hello,

 

We are running a full-stack of Meraki equipment and have a challenge that after months of tests, I have yet to find an ideal solution for.

 

Our business has two physical locations inside of the same large building. Lets call them Office A and Office B.

Office A houses the MX appliance, and all intranet resources.

Office B is a remote office that needs high speed(1GbE access) to the resources in Office A.

 

This building is managed by another organization. We need to bridge our intranet securely between these two locations, however running our own physical cable is not possible or practical. This means passing through their infrastructure.

 

This other organization has given us a transparent link between the two locations that transits through Cisco Catalyst switches they manage.

They have from their side isolated us in our own VLAN so that we're able to broadcast DHCP in Office A, and pickup addresses from wall jacks in Office B (that are passing through their Cisco switches).

 

The above solution isn't suitable however. They are using significantly out of date iOS version on past EOL switches, and we have lost confidence is giving them this much trust. 

 

Our temporary solution is connecting to this other organizations wifi SSID and then connecting through our MX appliance via Client-to-Site VPN connections. This is really not optimal for all the obvious reasons

 

I have also tried configuring a Meraki Access Point in Office B with an SSID using the VPN concentration feature. This setup gives us all the 'green lights' that its working, however wireless devices connected to the SSID in Office B are blocked from intranet access. Probably because the Access Port in Office A is configured as 'port isolation: enabled', and the AP is not really doing a VPN connection to the MX because it believes its on the local network already and not at a remote site.

 

Short of purchasing another MX appliance, do we not have other options?

Is there a way to get the AP-to-MX VPN concentrator actually working, despite the physical topology?

Are there any encapsulation protocols I should be exploring?

Is there a way to get 802.1x based authentication working for multiple remote devices in Office B connecting to an Access Port in Office A, despite transiting over this other organizations infrastructure?

 

 

I was sure there was an easy solution to this. If anyone has suggestions or ideas, I'll try them.

 

Thank you

2 Replies 2
oldroo
Getting noticed

you have not mentioned if line of sight is possible, how far the "sites" are apart.

 

if there is line of site possible there are many non-meraki solutions (even if mounting something outside a window and mounted to external wall) from site to site. There are point to point wireless bridges, many many options.

 

Anyway if you are presented with a vlan as mentioned, i have not seen if meraki devices yet support dot q on q, i dont have end end meraki devices at home.

KarstenI
Kind of a big deal
Kind of a big deal

I would just put two Cisco Firepower 1120 in the two offices and run an IPsec VPN through the other organisations infrastructure. And if they provide you two ports you could also do redundancy.

Another solution would be (but I am pretty sure the other organisation can not provide the infrastructure for this) to put two Catalyst 3560-CX in both offices and protect the link with MacSec. This would work if they can provide you a "patched" link without any of their outdated switches in the connection.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.