Hi, were are deploying a Wireless solution for a nationwide restaurant chain customer in Spain. Around 600 sites.
We have from 2 to 4 Meraki APs at sites and we concentrate them all on a 2-unit Meraki MX600 cluster. Customer wireless guests are connected to our MPLS network and then we deliver their navigation traffic to BT Internet Service.
According to this deployment guide:
There are two possible options: VPN concentrator (one-armed internet1 port connection, lan port disconnected and no nat)
or NAT mode.
However, this other document:
says concentrator mode is deployed in passthru like a bridge between LAN (so it is used) and Internet ports.
So it seems to me that concentrator mode has 2 flavours. Am I right?
Can we deploy NAT model for AP's VPN concentrator, bridging between lan (from where traffic comes) and Internet1 ports? Internet1 addressing would be private for security purposes.
We have already applied this config in our lab and it seems to work fine for one AP site. I mean, both NAT model at MX600 side and
VPN tunnel to MX600 concentrator at AP side. Is this a supported topology from Meraki? I do not have this point clear even after reading your deployment guides.
We would also have to be sure it is appropiate in terms of scalability (specially in terms of max number of NAT entries on the MX600).
According to https://meraki.cisco.com/lib/pdf/meraki_whitepaper_mx_sizing_guide.pdf, this box would fit well as it supports 5000 VPN tunnels.
What would be nat session limit and nat timeout timer in this particular scenario?
Thanks for your support.
I think nearly all of the options mentioned would work.
Take a read of this document, and search for "Layer 3 roaming with a concentrator" and the section after that one.
I suspect you will be wanting to use "Layer 3 roaming with a concentrator" mode.
Thanks for your help.
Unfortunately, we need the MX's in NAT mode and according to your useful link Meraki states it is not supported when configuring L3 Roaming option on the AP profile:
"This configuration is designed for use with an MX in passthrough/concentrator mode, tunneling to an MX in NAT mode is not supported."
So we have finally decided to change our design, keeping the MX-600s nodes just as a L2 cluster FW and establishing the VPN tunnels from router to router in a hub and spoke DMVPN solution. This more classical approach ensures scalabitily would not be an issue.
We have successfully tested the MX600's as L2 FW cluster at our lab.
Thanks again for your help.