Multi-Tenant Office Building Config

C3SGInc
Getting noticed


Looking for suggestions. I have a client that has a multi-tenant building. They have Meraki everything: switches, access points and firewall. They want to be able to isolate traffic between tenants for both wired and wireless with the least amount of intervention possible. Note that there are too many individual clients to give each a separate SSID.

Ideas?

Thanks

WadeAlsup
A model citizen

Hi @C3SGInc

They could use Port Isolation on the switches and have SSIDs set up with Wireless Client Isolation. This would minimize trying to keep up with different VLAN setups and isolate all traffic. This would also isolate traffic between devices if a single tenant has multiple devices that do need to communicate, however.

Isolate Switch Ports / Isolate Wireless Clients


C3SGInc
Getting noticed

Can't really completely isolate then as it is not necessarily one tenant to one port.  Also, it appears there are some limitations to which ports and crossing stack boundaries.  Thanks for the idea though.  Never really considered that one.

PhilipDAth
Kind of a big deal

Create a VLAN per client.  Make the default policy give access to nothing, or perhaps to just the Internet.

Then use group policy to assign the VLAN.  You can use one SSID using this approach.

https://documentation.meraki.com/MR/Group_Policies_and_Blacklisting/Creating_and_Applying_Group_Poli...

C3SGInc
Getting noticed

With this solution they would need to create either individual user accounts or at least one account per tenant, correct?

PhilipDAth
Kind of a big deal

>With this solution they would need to create either individual user accounts or at least one account per tenant, correct?

If this question was to me: no. There would be no accounts. You would simply assign the group policy in the dashboard to each machine the client has.

C3SGInc
Getting noticed

That would then require that every time they brought in a new device, we would have to locate it and assign it to their specific GP?
PhilipDAth
Kind of a big deal

Correct.

C3SGInc
Getting noticed

Okay, that is close to where I was thinking about going. But I felt that I would create a user account for each tenant and assign the GP based on logon. That way they can get connected per tenant without management intervention. Maybe use VLANs on switch ports, then assign VLAN per GP on the wireless.
Again, trying to keep hassle down for both the end users and the managers.
PhilipDAth
Kind of a big deal

Or you sell each tenant their own Meraki stack ...

C3SGInc
Getting noticed

Haha, that would be a deal!
Thanks for your help.
Adam
Kind of a big deal

We have a similar setup. We have separate /24 VLANs for each tenant.

Example:

VLAN 1: 10.17.1.0/24
VLAN 2: 10.17.2.0/24

Then in Security Appliance>Firewall we create a supernet rule for each tenant VLAN preventing them from getting to all other tenant VLANs.

We also set up traffic shaping to limit each tenant subnet to a predefined amount of bandwidth, e.g. 10M.

The only thing this does not do is separate their traffic from a public IP perspective.  Would be nice if I could 1:1 NAT some public IPs from our Internet interface to their vlan interface but not possible that I've found. 

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
C3SGInc
Getting noticed

Adam, that is the same process I was thinking on the wired side. Do you also have wireless? If so, how are you overlaying that?

Thanks

Adam
Kind of a big deal

We set up each port on the MX with the tenant VLAN and deliver that port to their tenant suite via the home run. Note we also provide DHCP from the MX. That way in the tenant suite they can just connect their own switch, router, AP, etc., or optionally we provide one of these

https://www.amazon.com/gp/product/B002HAJQGA/ref=oh_aui_search_detailpage?ie=UTF8&psc=1

and these

https://www.amazon.com/gp/product/B004UBU8IE/ref=oh_aui_search_detailpage?ie=UTF8&psc=1

The AP above can be configured to just pass through the DHCP from the LAN.

We played around with the idea of installing Meraki APs in the building and just doing SSIDs with their VLAN but ultimately decided not to since some tenants want to use their own hardware.

MRCUR
Kind of a big deal

Have you considered using dedicated SSIDs on the MR side but using tags to only broadcast the SSIDs needed on each AP? This is how we accomplish this, but it's a very small office with only three to four tenants.

MRCUR | CMNO #12
Uberseehandel
Kind of a big deal

Putting a MR 30H into each tenant's space would give them an AP and 4 Gb Ethernet ports which can be transparently isolated from other tenants, wired, and wireless.

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
C3SGInc
Getting noticed

Yes, but potentially too many tenants for the number of SSIDs.
Uberseehandel
Kind of a big deal

> @C3SGInc wrote:
> Yes, but potentially too many tenants for the number of SSIDs.

The SSID can be local to AP. So whilst there are x SSIDs, each tenant-SSID only exists on one AP. You can provide an overall isolated SSID for users away from their home AP/SSID.

C3SGInc
Getting noticed

The environment is such that there are shared resources like conference rooms, copy rooms, training room, etc. So they need to be able to move about.
One thought that I had was to use logons with group policy, but for some strange reason, Meraki does not support assigning GP to Meraki authenticated users.
Uberseehandel
Kind of a big deal

Users away from their "home zone" can use common isolated SSIDs. Seriously, it isn't rocket science.

Whenever one comes across enormously complicated WLAN designs, one knows that the underlying design has not been fully resolved.

For example, most of us have WiFi access from our ISP and mobile providers, yet choose to use our own SSIDs when in our home zone. If I go to a remote part of the complex my test lab is in, I have WiFi access and LTE access. A VPN client on the device does the rest.
kevinl
Getting noticed

@Adam, curious about the exact mechanism that you use for the per-VLAN traffic shaping. Is that done by Group Policies, and Bandwidth -> Custom Bandwidth Limit? 

Then you use the Addressing & VLANs page on the MX to tie each VLAN to the relevant Group Policy? 

(I was thinking this might be a good answer to clients who complain that unlike classic Cisco Cats, the MS series switches do not have built-in bandwidth limiters so they can't shape bandwidth to what the tenant has paid for)

Thanks,

Kevin

MRCUR
Kind of a big deal

@kevinl If you are able to create a VLAN per-tenant, then what you describe would be your best bet as you can set all of the traffic shaping/firewall rules, etc. you need for each of them in a group policy and then assign that policy directly to the corresponding VLAN. 

Adam
Kind of a big deal

> @kevinl wrote:
>
> @Adam, curious about the exact mechanism that you use for the per-VLAN traffic shaping. Is that done by Group Policies, and Bandwidth -> Custom Bandwidth Limit?
>
> Then you use the Addressing & VLANs page on the MX to tie each VLAN to the relevant Group Policy?
>
> (I was thinking this might be a good answer to clients who complain that unlike classic Cisco Cats, the MS series switches do not have built-in bandwidth limiters so they can't shape bandwidth to what the tenant has paid for)
>
> Thanks,
>
> Kevin


Hey Kevin, 

Here are the exact steps we use to set up a new tenant.

1. Security Appliance>Addressing & VLANs: we set up a /24 VLAN. For simplicity I try to make the third octet match the VLAN number. Example: 10.17.2.0/24 for VLAN 2, MX IP 10.17.2.1.

2. Security Appliance>DHCP: I turn on DHCP and I usually set .1-.50 as reserved so they could assign any static IPs they need.

3. Security Appliance>Firewall: I set up rules to block their subnet from talking to any other tenants. You can supernet this depending on how your subnets are configured.

4. Security Appliance>Traffic Shaping: I set up a traffic shaping rule to limit their subnet to the bandwidth they subscribed to. You can do this by setting the custom expression "localnet:10.17.2.0/24" without the quotes and then specifying the bandwidth.

We now have Meraki APs in the building, so next I go to Wireless>SSIDs and I configure an SSID, set it to bridge mode and tag it with their VLAN.

Lastly I set up a physical port on the switch as access VLAN x. This is the port going to their tenant suite(s). From there they can connect a switch and hook up whatever ports are needed, and they'll get DHCP from the MX.

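The firewall step above is the one that actually enforces tenant isolation, and it is easy to break silently by placing a broad allow rule above the denies. The script below is an added example, not Adam's or Meraki's code: it generates one deny-to-supernet rule per tenant VLAN following the 10.17.n.0/24 convention from the thread, evaluates sample flows with the same first-match semantics the MX applies to outbound L3 rules, and checks that every tenant pair is blocked while Internet access still works. The rule field names mirror the MX L3 firewall rule objects; the supernet and the 203.0.113.10 Internet probe address are constructed sample values.

```python
import ipaddress

# Constructed values following the thread's convention: tenant VLAN n -> 10.17.n.0/24,
# all tenant subnets inside one supernet that the deny rules reference.
SUPERNET = ipaddress.ip_network("10.17.0.0/16")


def tenant_subnet(vlan_id):
    return ipaddress.ip_network(f"10.17.{vlan_id}.0/24")


def build_isolation_rules(vlan_ids):
    """One deny rule per tenant: tenant /24 -> whole tenant supernet.
    Same-subnet traffic never crosses the MX, so no allow-to-self rule is needed."""
    return [{
        "comment": f"VLAN {vid}: block other tenants",
        "policy": "deny", "protocol": "any",
        "srcCidr": str(tenant_subnet(vid)), "destCidr": str(SUPERNET),
        "srcPort": "Any", "destPort": "Any",
    } for vid in vlan_ids]


def _cidr_match(cidr, ip):
    return cidr.lower() == "any" or ip in ipaddress.ip_network(cidr)


def evaluate(rules, src_ip, dst_ip):
    """First matching rule wins; the MX's implicit last rule is 'allow any'."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if _cidr_match(rule["srcCidr"], src) and _cidr_match(rule["destCidr"], dst):
            return rule["policy"], rule["comment"]
    return "allow", "default rule (allow any)"


def verify_isolation(rules, vlan_ids, internet_probe="203.0.113.10"):
    """Return (src_vlan, dst_vlan) pairs that can still reach each other, plus
    (vlan, 'internet') for any tenant the rules cut off from the Internet."""
    problems = []
    for a in vlan_ids:
        src = str(tenant_subnet(a)[10])  # an arbitrary host in tenant a's range
        for b in vlan_ids:
            if a != b and evaluate(rules, src, str(tenant_subnet(b)[10]))[0] != "deny":
                problems.append((a, b))
        if evaluate(rules, src, internet_probe)[0] != "allow":
            problems.append((a, "internet"))
    return problems


if __name__ == "__main__":
    rules = build_isolation_rules([1, 2, 3])
    print(evaluate(rules, "10.17.1.10", "10.17.2.10"))  # tenant 1 -> tenant 2: deny
    print("isolation problems:", verify_isolation(rules, [1, 2, 3]))
```

Run `verify_isolation` again after any later edit to the rule list: an exception rule such as "allow 10.17.1.0/24 -> Any" inserted above the denies shows up immediately as leaked tenant pairs.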
kevinl
Getting noticed

Thanks @MRCUR and @Adam! That was very insightful 🙂 

I just wanted to mention something that might be worth checking out. Adam mentioned in 4. Security Appliance>Traffic Shaping, shape the subnet and set the bandwidth there. In my experience, I have found that the UI is slightly misleading: it is actually per-CLIENT bandwidth, in the section with Rule #1, Rule #2 etc. where you specify the subnet. I made this mistake before; I thought it was x Mbps for the entire category of clients matched under the rule, so if I set 5Mbps and had five clients, each would get 1Mbps.

What actually happened was that the clients happily went along eating up all the bandwidth leaving me scratching my head as to why the traffic shaper wasn't working, until I found it was actually per-CLIENT: so if I set 5Mbps in that section, every client matched under the rule would get 5Mbps all to itself, and with a hundred clients competing for 100Mbps you can imagine how well that ended on my watch 😉 

Once I set it to 512Kbps, all the clients actually started to behave and the Internet utilization dropped tons.

The group policies appear to imply one bandwidth limit for all the clients, instead of per-client, however I haven't tested that. It would be great if Meraki could make this explicit and say per-client or per-policy: no substantial change needed, just a couple of words in the UI to reflect that. 

Let me know if you guys have tested this and what your experiences were!

Sailmarc
New here

Do you think this would work with public IP addresses (i.e. /32 subnets) to tenants so they could use a firewall of their own?

I am thinking the tenants might want to host and control their own services etc.

Thanks,

Marc

C3SGInc
Getting noticed

I would agree that would be an option. In this case it was not identified as a need. The ISP and bandwidth that they have is not what I would consider worthy of hosting anything, so a policy was put in place that any tenants that required inbound access beyond VPN would need to obtain that service on their own.
