Overview of setting up a work from home solution using Cisco Meraki

CN
Meraki Alumni (Retired)
Meraki Alumni (Retired)

Overview of setting up a work from home solution using Cisco Meraki

Hi Community,

 

I hope that everyone is staying safe during these turbulent events happening. My name is Chase Nebeker. I'm a Senior Network Support Engineer here at Cisco Meraki. The goal of this post is to share some personal thoughts on how to set up a work from home solution using Cisco Meraki. There is already a lot of documentation out there for setting all of this up but I just wanted to consolidate all of the different pieces of information together into one document. 

 

Please let me know if you have any questions or feedback. Hopefully, we can help each other create a successful work from home so that we can all stay safe and socially distance appropriately. 

 

http://bit.ly/3di5u4a

I apologize for it just being a shared Google Doc. It was the best method I could come up with that would allow me to add more information. 

16 Replies 16
BlakeRichardson
Kind of a big deal
Kind of a big deal

Awesome thanks for sharing!

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
LAMNEK
Meraki Employee
Meraki Employee

Very informational document. I much appreciate your contribution to our community.
NolanHerring
Kind of a big deal

"The MX sizing guide has some helpful guidelines on how many Client VPN connections that can be supported on each platform. The MX67/MX68 it’s recommended that only 50 Client VPN connections be active at a time. The MX450 is able to handle about 300 clients."

The sizing guide states 1500 for this, not 300. Not sure if that is a typo or not.

Nolan Herring | nolanwifi.com
TwitterLinkedIn
BlakeRichardson
Kind of a big deal
Kind of a big deal

Good point @NolanHerring .  I think its almost worth there being a banner on the Meraki.com page which lists VPN information in an easy to find place including sizing and setup guides / videos. 

 

Many customers are scrambling to get remote access working. 

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
CptnCrnch
Kind of a big deal
Kind of a big deal

Sizing is definitely something that can have an impact with today‘s situation:

Something that has been tested for „usual“ road warriors sitting in airports, hotels etc. to read their emails or access internal systems are currently being replaced by dozens of people sitting in their (usually well equipped inet circuits running a lot of video conferencing and things like that).

 

So in a nutshell I feel like being really conservative with sizing details is a good idea nowadays.

NolanHerring
Kind of a big deal

I figured it was supposed to say 3000, since its the MX450 which is like what...tens of thousands of dollars after discount? 50 clients on an MX67 which is like 800 bucks, vs 300 clients on an MX450. Math don't add up lol. Sizing guide actually says it can handle 5000 max, and they recommend around 1500. If they recommended 3000 that would make more sense since its just a little over half the max. That is conservative to me =P
Nolan Herring | nolanwifi.com
TwitterLinkedIn
CN
Meraki Alumni (Retired)
Meraki Alumni (Retired)

With the MX450 I did lower it on purpose just with some real-world results that I've seen. For the MX67 I did not change from the sizing guide. I'll have to see if I can get some better numbers on these. 

Uberseehandel
Kind of a big deal

For those still going to work - TfL (London Transport) - is using leaky feeder technology to provide 4G coverage (all 4 major providers) on the underground. The pilot program is up and running on the Jubilee Line between Westminster and Canning Town, so usefully for commuters between Waterloo Railway Station and Canada Water.

 

How fast? 230 Mbps is a reality.

 

So I'm looking at wiring up some Lithium batteries, in series, and testing the Z3C whilst in the Underground tunnel. (aside how robust is the Z3C if the Amps are over spec?).

 

Lets hear it for leaky feeder tech!🤣

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
BlakeRichardson
Kind of a big deal
Kind of a big deal

Good luck @Uberseehandel  I just hope the London Metro police don't think your carrying some type of remore explosive!

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
Uberseehandel
Kind of a big deal

@BlakeRichardson 

I'm taking a Z3C on the Jubilee line - not a BOOM Box!!!! 🤣 😇 🤡 💃 🕺 

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
CN
Meraki Alumni (Retired)
Meraki Alumni (Retired)

I made some updates to the doc: Added section on “Manual NAT traversal”, moved and renamed “Disable auto-joining SSID on the client device”, moved and renamed “Meraki AutoVPN”, added sub-section “Client VPN connection”, and added section “Troubleshooting resources.”

DarrenOC
Kind of a big deal
Kind of a big deal

Good concise document with some good ideas. Worth mentioning integration with Umbrella to tighten security? Final question....when’s Anyconnect support coming for the MX’s?

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
CN
Meraki Alumni (Retired)
Meraki Alumni (Retired)

A couple of days ago we made some tweaks to the layout of the Client VPN page. Most of these changes are straightforward, just helping provide guidance on the different options that are available. Also some FAQs of what might be going wrong. 

 

One thing that is really new is on the Network-wide > Clients page. I didn't realize it until someone pointed it out to me, so I thought I'd share. You can now filter for Client VPN connections. 

 

Screen Shot 2020-03-25 at 2.39.24 PM.png

NolanHerring
Kind of a big deal


@CN wrote:

A couple of days ago we made some tweaks to the layout of the Client VPN page. Most of these changes are straightforward, just helping provide guidance on the different options that are available. Also some FAQs of what might be going wrong. 

 

One thing that is really new is on the Network-wide > Clients page. I didn't realize it until someone pointed it out to me, so I thought I'd share. You can now filter for Client VPN connections. 

 

Screen Shot 2020-03-25 at 2.39.24 PM.png


 

 

 

 

 

 

 

Thanks @CN  - there have been at least 3 or 4 posts in the last several days specifically asking for a better options on viewing Client VPN connections, due to the boom in people working from home etc.  Not sure if what you guys have updated helps yet but I think one of the issues was being able to easily 'see' failed client connections, where as now I think they have to dig through syslog.

Nolan Herring | nolanwifi.com
TwitterLinkedIn
GIdenJoe
Kind of a big deal
Kind of a big deal

Heh, I didn't realize the is:client-vpn option was new.

I recently got the question from a customer to checkout the load on the MX due to the amount of VPN's.
So I prepared the solution by trying it out myself.

So I started with selecting only MX clients ( so I saw all up and downstream traffic of the MX of the selected timeperiod 2hours)
Then I filtered using the new is:client-vpn and found that the usage had a "matches up and down Mbps" area so with the graphic I now had a view of the last 2 hours of the traffic used of all VPN users.  Cool..

I have been getting alot of questions about the split tunnel, so this morning I looked at the Microsoft documentation and found the easiest fix is actually adding the VPN connection in Powershell using the AddVpnConnection command with the -SplitTunnel option and then adding another command AddVpnConnectionRoute which adds a static route to the specific to reach subnet.  And voila problem solved.

CN
Meraki Alumni (Retired)
Meraki Alumni (Retired)

A colleague of mine, @Joan_P just made a community post with some Youtube videos that he made about troubleshooting VPN. They include some great walkthroughs on how to troubleshoot VPN issues. I would highly encourage everyone to subscribe to his channel as he has some really great content. 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.