Is it possible to configure multiple VPNs for different client VLANs?

VitaliyV
Conversationalist


We are planning to use a Meraki MX90 appliance as our VPN gateway, but we need to set up separate client networks, so that each group of users could VPN only into their VLAN.

 

To clarify, we need to be able to do the following:

VPN user group 1 can access only VLAN 101 (192.168.101.0/24)

VPN user group 2 can access only VLAN 102 (192.168.102.0/24)

etc.

 

Is it possible to do this using Meraki infrastructure, and if so, how would I set this up?

DarrenOC
Kind of a big deal

Welcome to one of the many limitations of Meraki and their VPN functionality.

 

You won’t be able to achieve this design without multiple MXs as you can only have a single Client VPN subnet per MX.

 

Make a wish

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
CptnCrnch
Kind of a big deal

This has been a hell of a showstopper for a lot of customer discussion about SD-WAN lately 😞

DarrenOC
Kind of a big deal

@CptnCrnch It does make the conversation rather awkward. And don’t get me started on having to use the native Windows VPN client.

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
Cain
Here to help

I think you should be able to achieve this with Systems Manager MDM and a Sentry policy. But this becomes a device solution rather than a user solution. For example, if user x connects from their MDM-enrolled iPad/PC, then apply a Sentry policy to assign them to a group that has VLAN x firewalled.

PhilipDAth
Kind of a big deal

It's not very clean, but you need to create a group policy for each group of clients, and then configure firewall rules in that controlling what they can access.

Then after they VPN in you assign that group policy to them. We usually create the VPN account and then VPN in as that user to test it and then assign the group policy at that stage.

The group policy assignment then sticks each subsequent time they VPN in.

Could you elaborate on this solution? Are you using Meraki logins, or do you have another way to distinguish user groups? Are you doing the firewall configuration using the Meraki appliance, or elsewhere?
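
The per-group firewall rules suggested in the group-policy reply above, as an added example that is not from any poster in this thread and not Meraki's own code: it builds one policy per VPN user group for the VLANs in the question and audits that each group reaches only its own VLAN. The group names are hypothetical, the rule field names are assumed to follow the Dashboard API group-policy shape, and first-match evaluation with a default allow is an assumption.

```python
import ipaddress

# VLANs from the question; the group names are hypothetical.
GROUP_VLANS = {
    "vpn-group-1": "192.168.101.0/24",
    "vpn-group-2": "192.168.102.0/24",
}

def build_group_policy(name, allowed_cidr):
    """Allow the group's own VLAN, then deny everything else.
    Field names are assumed to match the Dashboard API group-policy shape."""
    return {
        "name": name,
        "firewallAndTrafficShaping": {
            "settings": "custom",
            "l3FirewallRules": [
                {"comment": f"{name} own VLAN", "policy": "allow",
                 "protocol": "any", "destPort": "Any", "destCidr": allowed_cidr},
                {"comment": "block everything else", "policy": "deny",
                 "protocol": "any", "destPort": "Any", "destCidr": "Any"},
            ],
        },
    }

def decide(policy, dest_ip):
    """First matching rule wins (assumed); no match falls through to allow."""
    ip = ipaddress.ip_address(dest_ip)
    for rule in policy["firewallAndTrafficShaping"]["l3FirewallRules"]:
        cidr = rule["destCidr"]
        if cidr == "Any" or ip in ipaddress.ip_network(cidr):
            return rule["policy"]
    return "allow"

def audit(policies, group_vlans):
    """Return (group, vlan) pairs where reachability differs from the intent:
    own VLAN allowed, every other client VLAN denied."""
    problems = []
    for group, policy in policies.items():
        for vlan_cidr in group_vlans.values():
            net = ipaddress.ip_network(vlan_cidr)
            probe = str(net.network_address + 10)  # a host inside the VLAN
            expected = "allow" if vlan_cidr == group_vlans[group] else "deny"
            if decide(policy, probe) != expected:
                problems.append((group, vlan_cidr))
    return problems

POLICIES = {g: build_group_policy(g, cidr) for g, cidr in GROUP_VLANS.items()}
```

An empty list from `audit(POLICIES, GROUP_VLANS)` means every group is confined to its own VLAN; a policy missing its trailing deny rule shows up as a cross-VLAN pair.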
