Client VPN VLAN?

I have some questions about the Client VPN and am hoping someone can clear it up a bit for me. Is there any way to classify it as a VLAN at all? We have non-Meraki L3 switches at a few sites and I'm not entirely sure how to handle the VPN subnet. I don't want to start pruning VLANs on trunk ports and kill access for the Client VPN. I would like to give Client VPN access to one site that has site-to-site VPN access, without giving the Client VPN access to the entire organization, and limit it to only one or two IPs on the local network. Can I do that? Even with an L3 switch handling the routing?

1 ACCEPTED SOLUTION

Re: Client VPN VLAN?

Okay, are you trying to get the client VPN to share the same subnet as a pre-existing VLAN? If so, that's not going to work.

Client VPN should be an entirely separate subnet from anything else on your network. The MX needs to either belong to the pre-existing VLAN or have a static route configured. That means at least two subnets: One for client VPN, one for the rest of your network.

It might help if you read some about how the MX handles routing: https://documentation.meraki.com/MX/Networks_and_Routing/MX_Routing_Behavior

If you approach this as a "two subnets, communicating via router(s)" issue, then you're okay. If you try to handle this as pure layer 2, it's not going to work the way.

6 REPLIES

Re: Client VPN VLAN?

If I understand correctly, your MX will route between the client VPN subnet and whatever subnet(s) or routes the MX knows exist.

You can use the firewall on the MX to restrict internal access: https://documentation.meraki.com/MX/Client_VPN/Restricting_Client_VPN_access_using_Layer_3_firewall_...
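The two points made in the replies above (a separate Client VPN subnet, and Layer 3 firewall rules to limit it to one or two hosts) can be checked on paper before touching the MX. This is an added example, not code from the thread or from Meraki: it assumes top-down, first-match rule evaluation with a final default allow, and every subnet and address in it is constructed.

```python
import ipaddress

# Constructed sample addressing; none of these values come from the thread.
CLIENT_VPN = "192.168.100.0/24"
VLANS = {"site-lan": "10.10.20.0/24", "voice": "10.10.30.0/24"}
ALLOWED_HOSTS = ["10.10.20.10", "10.10.20.11"]
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def overlapping_vlans(vpn_cidr, vlans):
    """Names of VLANs whose subnet overlaps the Client VPN subnet."""
    vpn = ipaddress.ip_network(vpn_cidr)
    return sorted(name for name, cidr in vlans.items()
                  if ipaddress.ip_network(cidr).overlaps(vpn))


def build_rules(vpn_cidr, allowed_hosts, deny_cidrs):
    """Ordered (action, src, dst) rules: host allows first, broad denies last."""
    vpn = ipaddress.ip_network(vpn_cidr)
    rules = [("allow", vpn, ipaddress.ip_network(h)) for h in allowed_hosts]
    rules += [("deny", vpn, ipaddress.ip_network(c)) for c in deny_cidrs]
    return rules


def evaluate(rules, src, dst, default="allow"):
    """First matching rule wins (assumed); unmatched traffic gets the default."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in rules:
        if s in src_net and d in dst_net:
            return action
    return default


def audit(rules, vpn_cidr, destinations):
    """Verdict per destination for the first usable client VPN address."""
    client = str(next(ipaddress.ip_network(vpn_cidr).hosts()))
    return {dst: evaluate(rules, client, dst) for dst in destinations}


if __name__ == "__main__":
    print("overlapping VLANs:", overlapping_vlans(CLIENT_VPN, VLANS))
    rules = build_rules(CLIENT_VPN, ALLOWED_HOSTS, RFC1918)
    # Allowed host, other LAN host, another site, an Internet address.
    flows = ["10.10.20.10", "10.10.20.50", "10.50.1.5", "203.0.113.7"]
    for dst, verdict in audit(rules, CLIENT_VPN, flows).items():
        print(f"{dst:<14} {verdict}")
```

Calling `build_rules` with an empty deny list shows why the broad deny entries matter: under a default allow, a client VPN address would still reach other sites.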

Re: Client VPN VLAN?

But is there any way I can define this in the L3 switch as a VLAN? The case I am working on right now is this VPN needs to join a VLAN that is present on my switch network. But without a VLAN on the MX I feel that I am going to run into issues. Or am I going to need to have two subnets dedicated to this one function? (One for equipment on network and another for VPN)

Re: Client VPN VLAN?

Yeah, I was trying to do it on the same subnet and was hoping I would be able to make it work. Looks like I'm not going to be able to. Thanks.

Re: Client VPN VLAN?

Given that you need at least two subnets, one for your LAN and one for Client VPN, I tried to create VLANs.

Sadly, I wasn't able to create a VLAN for the client VPN subnet so it can route through the LAN subnet.

 

Re: Client VPN VLAN?

Yeah, that's the boat I was in, and I was hoping I could VLAN tag the Client VPN. The issue I have with doing this at one site is I am getting hundreds of dropped events an hour and want to limit the amount of work the MX is doing to try and limit that. Moved L3 switching to the switch, but it looks like I can only do that to a limited scale.
