OK, so I'm new to Meraki and finding that unlike Cisco there really don't seem to be any reference architectures like the Cisco validated designs. Is there such a thing for Meraki?
We are replacing a Cisco WLC system that is using an anchor controller to tunnel all guest traffic through the network and release them to the Internet at the DMZ. We want to replicate that design with Meraki. To that end, we purchased pairs (multiple DC's) of MX105's I intend to build as HA pairs in the DC's. Obviously some MR's as well.
Corp SSID clients will be released in their local wifi VLAN, and Guest SSID clients should be tunneled to the MX. My questions are many, and I will list some of them here:
MX physical connectivity: As I understand it the MX should be configured in a one-arm VPN concentrator mode. The MX will be located in the DC DMZ behind the edge FW. I know I will need the WAN ports connected and NAT on the edge FW to allow the MX (and MR's, which egress through the DC's rather than their branch site) to reach the dashboard and (as I understand it) the VPN registry server (or is VPN registry only for site-to-site VPN tunneling?). Should I also build an internal Mgmt connection, or is that un-needed? So, would the WAN ports only need to be in the VLAN that will provide the Guest clients their DHCP address (via DHCP relay)? Or, should my WAN ports live in a Mgmt VLAN for internal access AND have a tagged VLAN for the Guest clients? Or, should I configure LAN ports to connect to my Mgmt network and the WAN ports only for Guest tunneling? And, does it matter whether it's the LAN or WAN ports I provide NAT and a path out to the dashboard?
Another question regarding the VPN registry and behavior of the MX/MR. In the SSID tunneling document it describes the behavior between MX/MR from the remote-site SSID tunneling perspective, where they each traverse their own local FW's. In my case, the MX/MR will all be within the same routing domain, and there is a path between the two without a FW in between. I assume that the SSID tunnel and guest traffic *DOES NOT* hairpin at the edge FW, and that the tunnels are built across the inside network?
One more related question. In the branch office, do I need to carve out a local subnet for the guest clients? Or can I drop both Corp and Guest SSID's into the same VLAN, and then the Guest SSID clients would tunnel to the MX to pull their IP addresses? Would the Guest clients also have a local IP or only the IP handed out by the MX?
SSID tunnelling is not so common in Meraki deployments. Most companies use local Internet break out (since most companies are using SD-WAN over the Internet and have an MX with direct Internet access at each site).