Have some questions about the Client VPN, hoping someone can clarify it up a bit for me. Is there any way to classify it as a VLAN at all? We have non-Meraki L3 switches at a few sites and I'm not entirely sure how to handle the VPN subnet. Don't want to start pruning VLANs on trunk ports and kill access for the Client VPN. I would like to give Client VPN access to one site that has site-to-site VPN access, without giving the Client VPN access to the entire organization, and limit it to only one or two IPs on the local network. Can I do that? Even with an L3 switch handling the routing?
Okay, are you trying to get the client VPN to share the same subnet as a pre-existing VLAN? If so, that's not going to work.
Client VPN should be an entirely separate subnet from anything else on your network. The MX needs to either belong to the pre-existing VLAN or have a static route configured. That means at least two subnets: One for client VPN, one for the rest of your network.
It might help if you read some about how the MX handles routing: https://documentation.meraki.com/MX/Networks_and_Routing/MX_Routing_Behavior
If you approach this as a "two subnets, communicating via router(s)" issue, then you're okay. If you try to handle this as pure layer 2, it's not going to work the way.
If I understand correctly, your MX will route between the client VPN subnet and whatever subnet(s) or routes the MX knows exist.
You can use the firewall on the MX to restrict internal access: https://documentation.meraki.com/MX/Client_VPN/Restricting_Client_VPN_access_using_Layer_3_firewall_...
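To make the two points in the replies above concrete (the Client VPN pool must be a subnet of its own, and the MX Layer 3 firewall can then pin that pool to one or two internal hosts), here is a small model written for this thread. It is not Meraki code and not from any poster; the addresses and VLAN ids are constructed sample values, and the rule dictionaries are assumed to follow the field names of the Dashboard API's l3FirewallRules objects (comment, policy, protocol, srcCidr, destCidr, srcPort, destPort, syslogEnabled). The evaluator applies first-match, top-down ordering, which is how the MX processes its rule list.

```python
"""Model of two checks for a Client VPN rollout on an MX:
1. the VPN address pool must not overlap any LAN VLAN subnet;
2. top-down L3 firewall rules restrict the pool to a couple of hosts.
All addresses below are constructed sample values (assumption, not from the thread).
"""
import ipaddress

# Constructed sample topology: two LAN VLANs plus a separate VPN pool.
LAN_VLANS = {
    10: ipaddress.ip_network("10.10.10.0/24"),  # users
    20: ipaddress.ip_network("10.10.20.0/24"),  # servers
}
CLIENT_VPN_POOL = ipaddress.ip_network("10.99.99.0/24")


def vpn_pool_overlaps(pool, vlans):
    """Return the VLAN ids whose subnet overlaps the Client VPN pool.
    An empty list means the pool is a genuinely separate subnet."""
    return [vid for vid, net in vlans.items() if net.overlaps(pool)]


# Rules in MX order: first match wins, and the default rule sits last.
# Only two server hosts are reachable from the VPN pool; the explicit deny
# above the default rule blocks everything else sourced from the pool.
L3_RULES = [
    {"comment": "VPN -> file server", "policy": "allow", "protocol": "tcp",
     "srcCidr": "10.99.99.0/24", "destCidr": "10.10.20.10/32",
     "srcPort": "Any", "destPort": "445", "syslogEnabled": True},
    {"comment": "VPN -> intranet web", "policy": "allow", "protocol": "tcp",
     "srcCidr": "10.99.99.0/24", "destCidr": "10.10.20.11/32",
     "srcPort": "Any", "destPort": "443", "syslogEnabled": True},
    {"comment": "VPN -> everything else", "policy": "deny", "protocol": "any",
     "srcCidr": "10.99.99.0/24", "destCidr": "Any",
     "srcPort": "Any", "destPort": "Any", "syslogEnabled": True},
    {"comment": "Default rule", "policy": "allow", "protocol": "Any",
     "srcCidr": "Any", "destCidr": "Any",
     "srcPort": "Any", "destPort": "Any", "syslogEnabled": False},
]


def _cidr_match(cidr, addr):
    """'Any' matches everything; otherwise test address membership in the CIDR."""
    if cidr.lower() == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


def _port_match(spec, port):
    """Port spec may be 'Any', a single port, a range 'a-b', or a comma list."""
    if spec.lower() == "any":
        return True
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-")
            if int(lo) <= port <= int(hi):
                return True
        elif int(part) == port:
            return True
    return False


def evaluate(rules, src, dst, proto, dport, sport=0):
    """Walk the rules top-down and return (policy, comment) of the first match."""
    for r in rules:
        if r["protocol"].lower() not in ("any", proto.lower()):
            continue
        if not (_cidr_match(r["srcCidr"], src) and _cidr_match(r["destCidr"], dst)):
            continue
        if not (_port_match(r["srcPort"], sport) and _port_match(r["destPort"], dport)):
            continue
        return r["policy"], r["comment"]
    return "allow", "implicit default"


if __name__ == "__main__":
    print("overlapping VLANs:", vpn_pool_overlaps(CLIENT_VPN_POOL, LAN_VLANS))
    print(evaluate(L3_RULES, "10.99.99.5", "10.10.20.10", "tcp", 445))
    print(evaluate(L3_RULES, "10.99.99.5", "10.10.10.50", "tcp", 443))
```

The order of the rules is the part that matters: the deny for the VPN source range has to sit above the default allow, or the default rule matches first and the restriction does nothing. Because Client VPN traffic always enters at the MX, these rules see every flow leaving the pool even when a downstream L3 switch does the rest of the routing.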
But is there any way I can define this in the L3 switch as a VLAN? The case I am working on right now is this VPN needs to join a VLAN that is present on my switch network. But without a VLAN on the MX I feel that I am going to run into issues. Or am I going to need to have two subnets dedicated to this one function? (One for equipment on network and another for VPN)
Yeah, I was trying to do it on the same subnet and was hoping I would be able to make it work. Looks like I'm not going to be able to. Thanks.
Given that you need at least two subnets, one for your LAN and one for Client VPN, I tried to create VLANs.
Sadly, I wasn't able to create a VLAN for the client VPN subnet so it can route through the LAN subnet.
Yeah, that's the boat I was in, and I was hoping I could VLAN tag the Client VPN. The issue I have with doing this at one site is I am getting hundreds of dropped events an hour and want to limit the amount of work the MX is doing to try and limit that. Moved L3 switching to the switch, but it looks like I can only do that to a limited scale.
Was just researching this exact question... I think...
So if I have a VLAN and corresponding SSID set up for the management of my Sonos speakers and I want to be able to get on that SSID/VLAN combo from out of town and run the firmware update on my speakers, VPN won't let me do that, is that right? Like I couldn't use the VPN to act like I'm on that SSID.... right?