Is it possible to configure multiple VPNs for different client VLANs?

VitaliyV
Conversationalist

Is it possible to configure multiple VPNs for different client VLANs?

We are planning to use a Meraki MX90 appliance as our VPN gateway, but we need to set up separate client networks, so that each group of users could VPN only into their VLAN.

 

To clarify, we need to be able to do the following:

VPN user group 1 can access only VLAN 101 (192.168.101.0/24)

VPN user group 2 can access only VLAN 102 (192.168.102.0/24)

etc.

 

Is it possible to do this using Meraki infrastructure, and if so, how would I set this up?

6 Replies 6
DarrenOC
Kind of a big deal
Kind of a big deal

Welcome to one of the many limitations of Meraki and their VPN functionality.

 

You won’t be able to achieve this design without multiple MXs as you can only have a single Client VPN subnet per MX.

 

Make a wish

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
CptnCrnch
Kind of a big deal
Kind of a big deal

This has been a hell of a showstopper for a lot of customer discussion about SD-WAN lately 😞

DarrenOC
Kind of a big deal
Kind of a big deal

@CptnCrnch  It does make the conversation rather awkward. And don’t get me started on having to use the native windows VPN client.

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
Cain
Here to help

I think you should be able to achieve this with System manager MDM and a sentry policy.  But this becomes a device solution rather than a user solution.  For example if user x connects from their MDM enrolled iPad/PC then apply a sentry policy to assign them to a group that has VLAN x firewalled. 

PhilipDAth
Kind of a big deal
Kind of a big deal

It's not very clean you but need to create a group policy for each group of clients, and then configure firewall rules in that controlling what they can access.

 

Then after they VPN  in you assign that group policy to them.  We usually create the VPN account and then VPN in as that user to test it and then assign the group policy at that stage.

The group policy assignment then sticks each subsequent time they VPN in.

VitaliyV
Conversationalist

Could you elaborate on this solution. Are you using Meraki logins, or do you have another way to distinguish user groups? Are you doing the firewall configuration using the Meraki appliance, or elsewhere?

Get notified when there are additional replies to this discussion.