Meraki

Community

L3 Roaming with concentrator

seabreeze
Comes here often
‎Nov 26 2018 12:17 PM
‎Nov 26 2018 12:17 PM

L3 Roaming with concentrator

Hello all,

We have a large network with many different buildings throughout the city and we would like to separate our GUEST WIFI from the STAFF WIFI, both going out different ISP’s. The MX firewall’s we have would only be used for the GUEST WIFI. I'll call ISP #1 (STAFF WIFI) and ISP #2 (GUEST WIFI). We would like the GUEST WIFI Clients to use the option on the SSID to Tunnel traffic to the MX concentrator, while STAFF WIFI just connects to the local LAN.

 

Since the MX Firewalls will only be at certain locations, how would we tunnel the GUEST WIFI traffic through our internal network to the MX? I created L3 VLANS on the MX, but I have questions on how to create the connection from the MX to the internal network.

 

Currently the AP's themselves are connected to a switchport that only allows 1 VLAN and that is for STAFF WIFI, those AP's have a public IP of ISP #1. The GUEST WIFI SSID users are now able to go out of ISP #2 but they get there by going out of the ISP #1 and back into ISP #2, to the MX and out again ISP #2. So it forms a tunnel from the AP to the MX through the internet. I don't want it to do that, I want the AP to be able to tunnel (Route) those GUEST WIFI clients to the MX internal and the MX would route them out the ISP #2.

 

Any suggestions on how to have GUEST WIFI traffic go internally to the MX using the option on that SSID to "Layer 3 roaming with a concentrator "?

Thnak you!

 

0 Kudos
7 Replies 7
NolanHerring
Kind of a big deal
‎Nov 26 2018 12:34 PM
‎Nov 26 2018 12:34 PM

Just to get some clarification here. You have an MX at each site or only a couple? If you had one at each site it would be easy to just put the MX on a dedicated non-routed VLAN and make it the gateway, and then the guest SSID would simply drop all traffic onto that VLAN and call it a day.

If your talking about an MX at different locations, then that would mean the guest traffic would have to traverse some sort of internal MPLS correct?
Nolan Herring | nolanwifi.com
TwitterLinkedIn
0 Kudos
In response to NolanHerring
seabreeze
Comes here often
‎Nov 26 2018 12:41 PM
‎Nov 26 2018 12:41 PM

Hi Nolan,

We don't have an MX at each location where there will be GUEST WIFI available. The GUEST ISP circuits are at a few different locations and I'm trying to figure out how to get the GUEST WIFI clients in the locations where there is no ISP to go through the LAN (route). I don't want to extend L2 VLANS all across the network.

Thanks for responding.

0 Kudos
In response to seabreeze
NolanHerring
Kind of a big deal
‎Nov 26 2018 1:16 PM
‎Nov 26 2018 1:16 PM

Ah ok. So the design your looking for is basically the tried and true cisco WLC/anchor deployment. I'm honestly not really certain how this would work as I believe the internet/outside interface on the MX is the one that is used for establishing tunnels, which means traversing the Internet.

Here are a few links I found that might be able to help fill in some of the gaps.

https://cantechit.com/2016/08/04/meraki-wireless-concentrator-tips-and-tricks/

https://community.meraki.com/t5/Wireless-LAN/Wireless-Concentrator-from-LAN/td-p/10421

https://documentation.meraki.com/MX/Networks_and_Routing/Passthrough_Mode_on_the_MX_Security_Applian...

https://documentation.meraki.com/MR/Client_Addressing_and_Bridging/SSID_Tunneling_and_Layer_3_Roamin...
Nolan Herring | nolanwifi.com
TwitterLinkedIn
0 Kudos
In response to NolanHerring
NolanHerring
Kind of a big deal
‎Nov 26 2018 1:17 PM
‎Nov 26 2018 1:17 PM

I'll tag @PhilipDAth also since he was originally on that other thread and might be able to provide some more insight as he was mentioning some sort of new feature with recent firmware versions (back then) that I'm not familiar with.

Nolan Herring | nolanwifi.com
TwitterLinkedIn
0 Kudos
In response to NolanHerring
seabreeze
Comes here often
‎Nov 26 2018 1:29 PM
‎Nov 26 2018 1:29 PM

Thank you, I'll take a look at those links.

0 Kudos
In response to seabreeze
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Nov 26 2018 6:02 PM
‎Nov 26 2018 6:02 PM

You will want to use one-armed mode for the VPN concetrator.

https://documentation.meraki.com/MX/Deployment_Guides/VPN_Concentrator_Deployment_Guide#Appendix_1:_...

 

Alternatively, give the APs static IP addresses.  Use the SSID NAT mode to NAT the guest traffic to the AP lan IP.  Create a group on your firewall of all AP's, and a rule allowing them direct Internet access out.  Use the option on the firewalls to block access to the local LAN.

 

0 Kudos
In response to PhilipDAth
seabreeze
Comes here often
‎Nov 28 2018 1:57 PM
‎Nov 28 2018 1:57 PM

Hi PhillipDAth,

Thanks for your reply.

Too bad there is no way to direct the guest clients internally to the internal interface of the MX. The AP's IP's are static, if I choose the NAT option on the SSID and on the firewall to block access to the local lan, how would the AP send staff guest traffic out the other ISP?

 

The default gateway of the AP is on the staff network which will route staff users to the staff ISP. Since the MX does have LAN interfaces and I can create L3 IP's on it, I'm assuming there must be a way for the AP to send the guest traffic to the MX internally, which then the MX would send directly out the guest ISP, right?

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.