MX as Wireless Concentrator and Auto-VPN Concentrator?

CCIE11129
Conversationalist

MX as Wireless Concentrator and Auto-VPN Concentrator?

I have an MX450 configured as a wireless concentrator (passthrough or VPN concentrator) with the Internet port connected to a switch on a VLAN that has the Meraki VIP and an L2 trunk port connected to a router with dot1Q sub-interfaces. Wilreless clients are placed into a VLAN via ISE policy or SSID policy and use the L2 trunk where that VLAN is allowed on the router side. This would not be a one-armed setup.

 

Would I be able to use this same MX450 in it's current passthrough or VPN concentrator mode to also terminate auto-VPN tunnels as a hub? Would the unencrypted VPN tunnel traffic just be routed back out the same port that the encrypted tunnel terminated on? This would be one-armed for VPN if it is possible. I'm thinking S2S VPN is not capable of having traffic placed in certain VLANs via policy matching the peer device (departmentA or departmentB).

 

If this is possible, I am considering multi-vrf with PbR on the attached Cisco switch to place the traffic in proper MPLS VPNs (VRFs) based on source IP of traffic from the remote location as the MX routes it back out unencrypted. I would assume wireless traffic would still be placed in the proper VLAN and work as it currently does out the L2 trunk port.

5 Replies 5
CCIE11129
Conversationalist

If this setup does work, are wireless capable MX or Z devices able to use the MX450 wireless concentrator like the APs do? If so, would it be able to do so through the VPN tunnel? Seems like it would need to use it's LAN side IP, and I'm not sure if that is possible.

AlexP
Meraki Employee
Meraki Employee

Yes, you can use both modes concurrently. It's not possible to tunnel Z3 or Wireless MX SSIDs the way you described in your other post, but an autoVPN tunnel will still function more or less identically.

Incidentally, internally-speaking, SSID tunneling and autoVPN function identically.

CCIE11129
Conversationalist

AlexP,

 

Thanks for the info.

 

With SSID tunneling, the traffic is placed in a VLAN either configured on the SSID or ISE policy. With Auto-VPN, I don't think you can place the tunneled traffic into a VLAN and assumed this is why the VPN concentrator would route the unencrypted traffic instead of bridging it. Can you confirm this is true?

 

Being able to use the MX or Z3 wireless through the VPN tunnel to a wireless concentrator (would be the same as the VPN concentrator in my case) would be nice.

 

Being able to put different remote locations in different VLANs at the DC would be nice, but not sure how routing would work in that situation. No VLAN assignment is why I am looking at Multi-VRF with PBR.

AlexP
Meraki Employee
Meraki Employee

Unfortunately, no you cannot source an exit VLAN for autoVPN beyond just tagging whatever traffic is egressing out the WAN port.

CCIE11129
Conversationalist

AlexP,

 

We use the top option under SSID to send traffic to our wireless concentrator. I always wondered what the difference was between the two options. Does the first one allow the VLAN assignment capability and the second on work like an AutoVPN tunnel where the concentrator would route it after decryption? Would these two options exist for an SSID on an MX or Z3? If so, couldn't a Site-to-Site tunnel for LAN traffic be built using AutoVPN and a wireless SSID be configured with the second option creating two VPN tunnels? Instead of using VLAN assignment to place wireless traffic into the correct MPLS VPN, the wireless traffic would be placed appropriately the same as the LAN traffic through the AutoVPN using Multi-VRF with PBR like I described? Don't think this would be a big deal since only one MX can be in a network and copying the SSIDs from another would be necessary anyway. Would just have to change from option 1 to option 2 after the copy.

 

 

  •  Layer 3 roaming with a concentrator
    Clients are tunneled to a specified VLAN at the concentrator. They will keep the same IP address when roaming between APs.
  •  VPN: tunnel data to a concentrator
    Meraki devices send traffic over a secure tunnel to an MX concentrator.
     
     
    Now that I think about it, the top option at one point was not encrypted, but now is. I know this because when encryption was turned on for the top option, our wireless throughput was drastically reduced. It went something like 300Mbs to 80mbs per user. We had this feature disabled behind the curtain by TAC. This is a network by network setting behind the curtain. I found that when I create a new network that it has encryption on all SSIDs by default. With that being the case. I think I can just use option 1 like I currently do and the MX would build a VPN tunnel for the wireless traffic and VLAN assignment would work the way it does for our internal APs, but with the benefit of encryption over the internet..
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels