Client VPN VLAN?

Solved
TBisel
Getting noticed

Have some questions about the Client VPN; hoping someone can clear it up a bit for me. Is there any way to classify it as a VLAN at all? We have non-Meraki L3 switches at a few sites and I'm not entirely sure how to handle the VPN subnet. I don't want to start pruning VLANs on trunk ports and kill access for the Client VPN. I would like to give Client VPN access to one site that has site-to-site VPN access, without giving the Client VPN access to the entire organization, and limit it to only one or two IPs on the local network. Can I do that? Even with an L3 switch handling the routing?

1 Accepted Solution
Nash
Kind of a big deal

Okay, are you trying to get the client VPN to share the same subnet as a pre-existing VLAN? If so, that's not going to work.

Client VPN should be an entirely separate subnet from anything else on your network. The MX needs to either belong to the pre-existing VLAN or have a static route configured. That means at least two subnets: one for client VPN, one for the rest of your network.

It might help if you read some about how the MX handles routing: https://documentation.meraki.com/MX/Networks_and_Routing/MX_Routing_Behavior

If you approach this as a "two subnets, communicating via router(s)" issue, then you're okay. If you try to handle this as pure layer 2, it's not going to work that way.


7 Replies
Nash
Kind of a big deal

If I understand correctly, your MX will route between the client VPN subnet and whatever subnet(s) or routes the MX knows exist.

You can use the firewall on the MX to restrict internal access: https://documentation.meraki.com/MX/Client_VPN/Restricting_Client_VPN_access_using_Layer_3_firewall_...
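
The restriction described in the reply above, worked through as an added example (this is not code from the original thread or from Meraki): the MX terminates the Client VPN tunnel itself, so every packet from a VPN user passes the MX's outbound Layer 3 rules before it reaches the LAN or an L3 switch, and that is where the "only one or two IPs" limit is enforced. The script builds the rule list in the field layout of the Dashboard API's L3 firewall endpoint (the field names are an assumption taken from that API's documented shape) and then evaluates sample flows with a simplified model of MX behaviour: rules are walked top-down, first match wins, and an unmatched flow hits the implicit default allow. All subnets and host addresses are constructed for the example.

```python
import ipaddress

# All addresses below are constructed for this example; substitute your own.
CLIENT_VPN_SUBNET = "10.99.0.0/24"                    # MX Client VPN address pool
ALLOWED_HOSTS = ["10.10.20.5/32", "10.10.20.6/32"]    # the one or two servers VPN users may reach
RFC1918 = "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"   # everything else internal, incl. other AutoVPN sites


def make_rule(comment, policy, dest_cidr, syslog=False):
    """One rule in the field layout of the Dashboard API L3 firewall endpoint
    (field names are an assumption here, taken from the documented API shape)."""
    return {
        "comment": comment,
        "policy": policy,
        "protocol": "any",
        "srcCidr": CLIENT_VPN_SUBNET,
        "srcPort": "Any",
        "destCidr": dest_cidr,
        "destPort": "Any",
        "syslogEnabled": syslog,
    }


def build_rules():
    """Ordered rule list: explicit allows first, then a deny for all other
    private space.  The MX walks the list top-down and stops at the first
    match; the implicit last rule is 'allow any', so without the deny the
    VPN subnet would reach the whole LAN."""
    rules = [make_rule(f"Client VPN -> {h}", "allow", h) for h in ALLOWED_HOSTS]
    rules.append(make_rule("Client VPN -> rest of internal space", "deny", RFC1918, syslog=True))
    return rules


def _cidr_match(cidr_field, ip):
    """True if ip falls inside any CIDR of a comma-separated field, or the field is 'any'."""
    if cidr_field.strip().lower() == "any":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c.strip(), strict=False)
               for c in cidr_field.split(","))


def evaluate(rules, src_ip, dst_ip):
    """Simplified first-match evaluation of an MX outbound rule list.
    Ports and protocol are ignored because every rule above uses 'any';
    an unmatched flow falls through to the implicit default allow."""
    for rule in rules:
        if _cidr_match(rule["srcCidr"], src_ip) and _cidr_match(rule["destCidr"], dst_ip):
            return rule["policy"]
    return "allow"


if __name__ == "__main__":
    rules = build_rules()
    for src, dst in [("10.99.0.23", "10.10.20.5"),    # VPN user -> allowed server
                     ("10.99.0.23", "10.10.20.7"),    # VPN user -> some other LAN host
                     ("10.99.0.23", "10.200.1.10"),   # VPN user -> a host at another AutoVPN site
                     ("10.10.30.9", "10.10.20.7")]:   # ordinary LAN host, untouched by these rules
        print(f"{src} -> {dst}: {evaluate(rules, src, dst)}")
    # Ordering mistake: putting the deny first shadows the allows.
    print("deny-first:", evaluate(list(reversed(rules)), "10.99.0.23", "10.10.20.5"))
```

To apply the list, the same dictionaries can be sent as `{"rules": [...]}` in a PUT to `/api/v1/networks/{networkId}/appliance/firewall/l3FirewallRules` with an `X-Cisco-Meraki-API-Key` header (or entered by hand under Security & SD-WAN > Firewall); that call replaces the whole outbound rule set, so merge with any existing rules rather than overwriting them. Two checks worth doing afterwards: confirm the explicit allows sit above the deny, since the reversed-order case in the script shows how the deny would otherwise shadow them, and, for Client VPN users reaching a remote AutoVPN site, review the organization-wide site-to-site VPN firewall rules as well, because traffic entering the AutoVPN tunnel is governed there.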

TBisel
Getting noticed

But is there any way I can define this in the L3 switch as a VLAN? The case I am working on right now is this: the VPN needs to join a VLAN that is present on my switch network. But without a VLAN on the MX I feel that I am going to run into issues. Or am I going to need to have two subnets dedicated to this one function? (One for equipment on the network and another for VPN.)


TBisel
Getting noticed

Yeah, I was trying to do it on the same subnet and was hoping I would be able to make it work. Looks like I'm not going to be able to. Thanks.

Given that you need at least two subnets, one for your LAN and one for Client VPN, I tried to create VLANs.

Sadly, I wasn't able to create a VLAN for the client VPN subnet so it can route through the LAN subnet.


Yeah, that's the boat I was in, and I was hoping I could VLAN-tag the Client VPN. The issue I have with doing this at one site is that I am getting hundreds of dropped events an hour and want to limit the amount of work the MX is doing to try and limit that. I moved L3 switching to the switch, but it looks like I can only do that to a limited scale.

I was just researching this exact question... I think...

So if I have a VLAN and corresponding SSID set up for the management of my Sonos speakers, and I want to be able to get on that SSID/VLAN combo from out of town and run the firmware update on my speakers, VPN won't let me do that, is that right? Like I couldn't use the VPN to act like I'm on that SSID... right?

Networking geek since high school where I got half of a CCNA. Played Marathon II and Infinity over localtalk.
Made many a network over the years, now de facto admin of a retreat center with some of this fine Meraki hardware.
Fortune 100 Tech veteran/refugee.