AutoVPN in an MSP environment

SOLVED
Here to help

AutoVPN in an MSP environment

Hello!

 

I'm wondering how other MSPs use AutoVPN and what challenges they have faced.

 

For an MSP placing multiple customers within the same organisation, there is a possible privacy / security issue.  Customer admins with full control of their network have visibility of all other networks that have autoVPN enabled.

 

If you create an organisation for each customer wanting to use AutoVPN, then you can't connect to a device that is outside the organisation.  We have several use cases where this is desirable.

1 ACCEPTED SOLUTION

Accepted Solutions
Head in the Cloud

Re: AutoVPN in an MSP environment

We're an MSP and we split customers out by organizations, even if they only have one Meraki device. This is not only for the ability to isolate Auto-VPN tunnels but also for splitting licensing domains.

 

Effectively if you're an MSP and have all customers within the one organization I don't even want to know how you'd keep on top of licensing as Meraki uses a Weighted-co-termination model.

 

I'd definitely recommend using Organizations for each customer. It's not too late if you've already created multiple customers within an organization; you can engage Meraki support, who can split out the networks into their individual organizations.

 

 

Eliot F | Simplifying IT with Cloud Solutions
7 REPLIES
Kind of a big deal

Re: AutoVPN in an MSP environment

I have always thought that it was strange that it operated that way as well.  We have certain networks that have specialty site-to-site VPN tunnels with vendors and they show up for all the other networks.  I currently just try to separate at the organization level as much as possible.  If they need to VPN to each other then it's not a huge deal that the config is visible in my case, since we only allow limited access to the dashboard.

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
Here to help

Re: AutoVPN in an MSP environment

Well, it's probably not strange, but more appropriate for an Enterprise environment.

 

I want to be able to grant customers full access to their network when they request it.  So this is why it caught my attention.

 

In the case of autoVPN spanning organisations, this is about connecting both ourselves and other vendors to the customer network so we/they can support a product / service.  

 

Using IPsec is not always possible due to the nature of the customer Internet connection, i.e. if they have an ISP that uses carrier-grade NAT, or simply won't permit any kind of inbound connection to the customer.  Even then you have to port forward on a router that we have no control of.  To be avoided.

Kind of a big deal

Re: AutoVPN in an MSP environment

All the MSPs I work with (bar 1) use an organisation per customer.  This allows AutoVPN to work nicely.

 

The one that doesn't is a niche player in a specific market vertical, and it is combined with a software as a service offering, and the Meraki network exists to use that SaaS offering.

Here to help

Re: AutoVPN in an MSP environment

Hi Phil,

 

Are the MSPs still establishing a per-customer organisation even when they only have a single Meraki device, or are all of them reasonably complex networks with multiple devices?

 

 

Kind of a big deal

Re: AutoVPN in an MSP environment

Yes, still using a separate organisation even when there is just a single device.

Here to help

Re: AutoVPN in an MSP environment

Thanks for the advice. No, it's not too late. That's why we are asking the questions.

 

We have a lab environment that we are using to understand how to best deploy.