Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

MX600 nat mode for AP concentrator

Chema-Spain
Getting noticed
‎Sep 19 2017 2:52 AM
‎Sep 19 2017 2:52 AM

MX600 nat mode for AP concentrator

Hi, were are deploying a Wireless solution for a nationwide restaurant chain customer in Spain. Around 600 sites.

 

We have from 2 to 4 Meraki APs at sites and we concentrate them all on a 2-unit Meraki MX600 cluster. Customer wireless guests are connected to our MPLS network and then we deliver their navigation traffic to BT Internet Service.

 

According to this deployment guide:

https://documentation.meraki.com/MX-Z/Deployment_Guides/Configuring_VPN_Concentrator_for_the_Data_Ce...

There are two possible options: VPN concentrator (one-armed internet1 port connection, lan port disconnected and no nat)
or NAT mode.

 

However, this other document:

https://documentation.meraki.com/MX-Z/Networks_and_Routing/Addressing_and_VLANs

says concentrator mode is deployed in passthru like a bridge between LAN (so it is used) and Internet ports.

 

So it seems to me that concentrator mode has 2 flavours. Am I right?

 

Can we deploy NAT model for AP's VPN concentrator, bridging between lan (from where traffic comes) and Internet1 ports? Internet1 addressing would be private for security purposes.

 

We have already applied this config in our lab and it seems to work fine for one AP site. I mean, both NAT model at MX600 side and
VPN tunnel to MX600 concentrator at AP side. Is this a supported topology from Meraki? I do not have this point clear even after reading your deployment guides.

 

We would also have to be sure it is appropiate in terms of scalability (specially in terms of max number of NAT entries on the MX600).

According to https://meraki.cisco.com/lib/pdf/meraki_whitepaper_mx_sizing_guide.pdf, this box would fit well as it supports 5000 VPN tunnels.

What would be nat session limit and nat timeout timer in this particular scenario?

 

Thanks for your support.

Regards.

0 Kudos
Subscribe
4 Replies 4
Chema-Spain
Getting noticed
‎Sep 19 2017 3:05 AM
‎Sep 19 2017 3:05 AM

Sorry I typed "bridging between LAN and Internet1 port" when I meant "routing between..."

0 Kudos
Subscribe
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Sep 19 2017 1:03 PM
‎Sep 19 2017 1:03 PM

I think nearly all of the options mentioned would work.

 

Take a read of this document, and search for "Layer 3 roaming with a concentrator" and the section after that one.

https://documentation.meraki.com/MR/Client_Addressing_and_Bridging/SSID_Modes_for_Client_IP_Assignme...

 

I suspect you will be wanting to use "Layer 3 roaming with a concentrator" mode.

0 Kudos
Subscribe
In response to PhilipDAth
Chema-Spain
Getting noticed
‎Sep 25 2017 6:25 AM
‎Sep 25 2017 6:25 AM

Thanks for your help.

 

Unfortunately, we need the MX's in NAT mode and according to your useful link Meraki states it is not supported when configuring L3 Roaming option on the AP profile:

 

"This configuration is designed for use with an MX in passthrough/concentrator mode, tunneling to an MX in NAT mode is not supported."

 

So we have finally decided to change our design, keeping the MX-600s nodes just as a L2 cluster FW and establishing the VPN tunnels from router to router in a hub and spoke DMVPN solution. This more classical approach ensures scalabitily would not be an issue.

 

We have successfully tested the MX600's as L2 FW cluster at our lab.

 

Thanks again for your help.

 

 

0 Kudos
Subscribe
In response to Chema-Spain
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Sep 25 2017 11:27 AM
‎Sep 25 2017 11:27 AM

If you think the information I supplies was helpful it would be great if you could give me some Kudos.

Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.