Need help deciding which client tracking that I should use in my specific topology.

Solved
JacobD
Here to help

Hi everyone,

 

I'm working on putting our HQ on Meraki. We have a few things happening in our topology so I will explain it here, so it could be long but I will try to keep it short.

 

We have about 90 remote branches, many of which have an MX and are VPNed into our HQ with our MX250 in our HQ (configured on HQ as Hub, all others as spokes). We also have around 5 MPLS locations (because of still active contracts) and I have the MPLS to our HQ connected to our MX250 (so all the MPLS networks are sent over the provider network and terminate on our MX250 to be routed wherever needed). We also have a NG-Firewall connected to the MX250 and some static routes on the MX250 for our server network, that way all spokes have a route to the HQ MX250 for the servers and the HQ MX250 just sends it on to the firewall.

 

All this being said, we have 2 major points that have non-Meraki L3 devices: one being the MPLS connection, the other being the firewall and the server network. So we have clients appearing in the MX250 network from these other networks and the Meraki Network is configured for client tracking with IP Addresses, because that's what Meraki docs say to do in this situation. Until recently, our HQ Client network was not in Meraki, but also behind the firewall like the server network. We recently moved all the HQ L2 devices onto the MX250 (as the default router), so now our entire end-user client network is on Meraki, and to reach the server network they have to first go through the MX250 and then are routed to the firewall, which currently works well.

 

I'm now in the process of changing out our old access points with Meraki as well. When I tried to add an MR to our HQ network, it gave me an error because of clients being tracked with IP addresses. So my question is: what do I need to do in this situation? Should I change the HQ MX250 client tracking to MAC, or will that break our MPLS and server network? Or should I just create a new dashboard network for our access points with client mac tracking? Would that even work with the default router being on another dashboard network?

 

1 Accepted Solution
PhilipDAth
Kind of a big deal

Change to track clients by MAC address.


5 Replies
BrechtSchamp
Kind of a big deal

I'm not sure what's the best way forward in your case; maybe someone else has real world experience with this.

 

That said, purely from what I read in the docs (https://documentation.meraki.com/MX/Monitoring_and_Reporting/Client_Tracking_Options#Track_by_IP), you should be using Track by IP. But that means that you can't use combined networks.

 

A separate network for your APs will work just fine. It doesn't matter that the default gateway is in another dashboard network. If you want segmentation, have your APs in bridge mode, with VLANs specified for the SSIDs. And make sure that the necessary VLANs are present on the gateway and trunked towards the AP via the switch.

PhilipDAth
Kind of a big deal

Change to track clients by MAC address.

JacobD
Here to help

Okay, and that won't mess up the clients coming in from other L3 devices? The MPLS clients get their internet from our Meraki, so they are essentially clients on the MX250.

PhilipDAth
Kind of a big deal

>that won't mess up the clients coming in from other L3 devices

 

You'll lose the detail on them, as they will all appear to be coming from the MAC address of the L3 gateway.
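To make the visibility trade-off in the accepted answer concrete, here is an added illustration (not from the thread, not Meraki code) of what a client table keyed by MAC versus by IP looks like when some hosts sit behind a non-Meraki L3 gateway. The MAC addresses, IP ranges and frame list are all constructed sample data; the gateway MAC is an assumed value standing in for the MPLS router or firewall.

```python
from collections import defaultdict

# Constructed sample: frames as the MX would see them on its LAN side.
# Hosts that arrive via the non-Meraki L3 gateway carry the gateway's MAC as
# source; only their IP address distinguishes them.
GATEWAY_MAC = "00:11:22:33:44:55"  # assumed MAC of the MPLS router / firewall

FRAMES = [
    {"src_mac": "aa:bb:cc:00:00:01", "src_ip": "10.10.1.10"},  # local HQ client
    {"src_mac": "aa:bb:cc:00:00:02", "src_ip": "10.10.1.11"},  # local HQ client
    {"src_mac": GATEWAY_MAC, "src_ip": "10.50.3.20"},          # MPLS branch host
    {"src_mac": GATEWAY_MAC, "src_ip": "10.50.4.21"},          # MPLS branch host
    {"src_mac": GATEWAY_MAC, "src_ip": "10.60.0.5"},           # server behind firewall
]


def client_table(frames, track_by):
    """Group frames into 'clients' the way a dashboard keyed on MAC or IP would.

    Returns {client_key: set(of the other identifier seen for that key)}, so
    a MAC-keyed entry lists every IP seen behind that MAC and vice versa.
    """
    if track_by not in ("mac", "ip"):
        raise ValueError("track_by must be 'mac' or 'ip'")
    key, other = ("src_mac", "src_ip") if track_by == "mac" else ("src_ip", "src_mac")
    table = defaultdict(set)
    for frame in frames:
        table[frame[key]].add(frame[other])
    return dict(table)


def collapsed_clients(frames, track_by):
    """Entries that hide more than one real host, i.e. where per-client detail is lost."""
    return {k: v for k, v in client_table(frames, track_by).items() if len(v) > 1}


if __name__ == "__main__":
    for mode in ("ip", "mac"):
        table = client_table(FRAMES, mode)
        print(f"track by {mode}: {len(table)} clients, "
              f"{len(collapsed_clients(FRAMES, mode))} collapsed entries")
        for k, v in collapsed_clients(FRAMES, mode).items():
            print(f"  {k} hides {sorted(v)}")
```

With track-by-IP the five hosts show up as five clients; with track-by-MAC the two local HQ clients stay distinct but the three routed hosts collapse into a single entry under the gateway MAC. That is the "lost detail" in the answer above, and it matters beyond cosmetics: any per-client policy, traffic report or alert keyed on that entry applies to everything behind the gateway at once.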

JacobD
Here to help

Awesome, thanks for the help. I had already set up the new wireless only dashboard network just so I could get started, but I would definitely like to combine them, so I will do that then.
