Can't really completely isolate then as it is not necessarily one tenant to one port.  Also, it appears there are some limitations to which ports and crossing stack boundaries.  Thanks for the idea though.  Never really considered that one.

With this solution they would need to create either individual user accounts or at least one account per tenant, correct?

>With this solution they would need to create either individual user accounts or at least one account per tenant, correct?

 

If this question was to me; no.  There would be no accounts.  You would simply assign the group policy in the dashboard to each machine the client has.

That would then require that every tine they brought in a new device, we would have to locate it and assign it to their specific GP?

Correct.

Okay, that is close to where I was thinking about going. But, I felt that I would create a user account for each tenant as assign the GP based on logon. That way they can get connected per tenant without management intervention. Maybe use VLANs on switch ports then assign VLAN per GP on the wireless.
Again, trying to keep hassle down for both the end users and the managers.

Or you sell each tenant their own Meraki stack ...

Haha, That would be a deal!
Thanks for your help.

We have a similar setup.  We have separate /24 vlans for each tenant.  

Example:

Vlan 1 10.17.1.0/24

Vlan 2 10.17.2.0/24

 

Then in Security Appliance>Firewall we create a supernet rule for each tenant vlan preventing them from getting to all other tenant vlans.

We also setup traffic shaping to limit each tenant subnet to a predefined amount of bandwidth.  ex/ 10M

 

The only thing this does not do is separate their traffic from a public IP perspective.  Would be nice if I could 1:1 NAT some public IPs from our Internet interface to their vlan interface but not possible that I've found. 

Adam, That is the same process I was thinking on the wired side.  Do you also have wireless?  If so, how are you overlaying that? 

Thanks

We setup each port on the MX with the tenant vlan and deliver that port to their tenant suite via the home run.  Note we also provide DHCP from the MX.  That way in the tenant suite they can just connect their own switch, router AP etc or optionally we provide one of these 

https://www.amazon.com/gp/product/B002HAJQGA/ref=oh_aui_search_detailpage?ie=UTF8&psc=1

and these

https://www.amazon.com/gp/product/B004UBU8IE/ref=oh_aui_search_detailpage?ie=UTF8&psc=1

The AP above can be configured to just pass through the DHCP from the LAN

 

We played around with the idea of installing Meraki APs in the building and just doing SSIDs with their Vlan but ultimately decided not to since some tenants want to use their own hardware.  

Have you considered using dedicated SSID's on the MR side but using tags to only broadcast the SSID's needed on each AP? This is how we accomplish this, but it's a very small office with only three to four tenants. 

Putting a MR 30H into each tenant's space would give them an AP and 4 Gb Ethernet ports which can be transparently isolated from other tenants, wired, and wireless.

 

Yes, but potentially too many tenants for the number of SSID's.

---

@C3SGInc wrote:
Yes, but potentially too many tenants for the number of SSID's.

---

The SSID can be local to AP. So whilst there are x SSIDs, each tenant-SSID only exists on one AP. You can provide an overall isolated SSID for users away from their home AP/SSID.

 

The environment is such that there are shared resources like conference rooms, copy rooms, training room and etc. So they need to be able to move about.
One thought that I had was to use logons with group policy, but for some strange reason, Meraki does not support assigning GP to Meraki authenticated users.

users away from their "home zone" can use common isolated SSIDs. Seriously it isn't rocket science.

Whenever one comes across enormously complicated WLAN designs, one knows that the underlying design has not been fully resolved.

For example, most of us have WIFi access from our ISP and Mobile providers, yet chose to use our own SSIDs when in our home zone. If I go to a remote part of the complex my test lab is in, I have WIFi access, and LTE access. A VPN client on the device does the rest.

@Adam, curious about the exact mechanism that you use for the per-VLAN traffic shaping. Is that done by Group Policies, and Bandwidth -> Custom Bandwidth Limit? 

Then you use the Addressing & VLANs page on the MX to tie each VLAN to the relevant Group Policy? 

(I was thinking this might be a good answer to clients who complain that unlike classic Cisco Cats, the MS series switches do not have built-in bandwidth limiters so they can't shape bandwidth to what the tenant has paid for)

Thanks,

Kevin

@kevinl If you are able to create a VLAN per-tenant, then what you describe would be your best bet as you can set all of the traffic shaping/firewall rules, etc. you need for each of them in a group policy and then assign that policy directly to the corresponding VLAN. 

---

@kevinl wrote:

@Adam, curious about the exact mechanism that you use for the per-VLAN traffic shaping. Is that done by Group Policies, and Bandwidth -> Custom Bandwidth Limit? 

Then you use the Addressing & VLANs page on the MX to tie each VLAN to the relevant Group Policy? 

(I was thinking this might be a good answer to clients who complain that unlike classic Cisco Cats, the MS series switches do not have built-in bandwidth limiters so they can't shape bandwidth to what the tenant has paid for)

Thanks,

Kevin

---

Hey Kevin, 

 

Here is the exact steps we use to setup a new tenant.

1.  Security Appliance>Addressing & VLANs and we setup a /24 VLAN.  For simplicity I try to make the third octet match the VLAN number.  Example 10.17.2.0/24 for VLAN 2.  MX IP 10.17.2.1

2.  Security Appliance>DHCP, I turn on DHCP and I usually set .1-.50 as reserved so they could assign any static IPs they need.  

3. Security Appliance>Firewall, I setup rules to block their subnet from talking to any other tenants.  You can supernet this depending on how your subnets are configured

4.  Security Appliance>Traffic Shaping, I setup a traffic shaping rule to limit their subnet to the bandwidth they subscribed to.  You can do this by setting custom expression "localnet:10.17.2.0/24" without the quotes and then specify the bandwidth

 

We now have Meraki APs in the building so next I go to 

Wireless>SSIDs and I configure an SSID and do bridge mode and tag it with their VLAN. 

 

Lastly I setup a physical port on the switch as access VLAN x.  This is the port going to their tenant suite(s).  From there they can connect a switch and hookup whatever ports needed and they'll get DHCP from the MX.  

Thanks @MRCUR and @Adam! That was very insightful 🙂 

 

I just wanted to mention something that might be worth checking out. Adam mentioned in 4.  Security Appliance>Traffic Shaping, shape the subnet and set the bandwidth there. In my experience, I have found that the UI is slightly misleading: it is actually per-CLIENT bandwidth, in the section with Rule #1, Rule #2 etc. where you specify the subnet. I made this mistake before, I thought it was x Mbps for the entire category of clients matched under the rule, so if I set 5Mbps, and had five clients, each would get 1Mbps. 

What actually happened was that the clients happily went along eating up all the bandwidth leaving me scratching my head as to why the traffic shaper wasn't working, until I found it was actually per-CLIENT: so if I set 5Mbps in that section, every client matched under the rule would get 5Mbps all to itself, and with a hundred clients competing for 100Mbps you can imagine how well that ended on my watch 😉 

Once I set it to 512Kbps, all the clients actually started to behave and the Internet utilization dropped tons.. 

The group policies appear to imply one bandwidth limit for all the clients, instead of per-client, however I haven't tested that. It would be great if Meraki could make this explicit and say per-client or per-policy: no substantial change needed, just a couple of words in the UI to reflect that. 

Let me know if you guys have tested this and what your experiences were!

Do you think this would work with public IP addresses (i.e. /32 subnets) to tenants so they could use a firewall of their own?

 

I am thinking the tenants might want to host and control their own services etc.

 

Thanks,

Marc

I would agree that would be an option.  In this case is was not identified as a need.  The ISP and bandwidth that they have is not what I would consider worthy of hosting anything, so a policy was put it place that any tenants that required inbound access beyond VPN would need to obtain that service on their own.