Recommended AnyConnect VPN Subnet to Avoid Conflicts with Home Networks

Roey1984
Building a reputation

Hi everyone,

We're transitioning from L2TP/IPsec to Cisco AnyConnect VPN on our Meraki MX appliance, and I'm currently configuring the VPN client IP pool.

Initially, I considered using a subnet like 192.168.50.0/24 for AnyConnect clients, but I realized that this range is quite common for home routers and could potentially lead to IP conflicts when users connect from home.

My goal is to minimize or avoid subnet conflicts with residential/home networks, especially since we’re using full-tunnel routing (all traffic goes through VPN).

Question: Are there any recommended subnets (from the private ranges) that are rarely used in consumer routers and are considered “safe” for assigning to AnyConnect clients?

For example: 10.99.99.0/24, 10.200.0.0/24, 172.22.250.0/24. Are these good choices? Or are there Cisco best practices or reserved ranges for this scenario?

Appreciate any guidance!

Thanks, Roey

8 Replies
KarstenI
Kind of a big deal

If you use something other than 192.168.0.0/16, you are pretty good here.

Roey1984
Building a reputation

I understand.

So I might go with 172.16.1.0/24. I think it would be OK, although some routers at people's homes probably use it, but I'm not sure about that.

cmr
Kind of a big deal

Honestly I'd go with something higher in the range. Where private ranges are used it is most common to use 192.168.0/1.0/24, 172.16.0/1.0/24 or 10.1.1.0/24. However, as long as you avoid the low 192.168 ranges then most people should be fine.

RaphaelL
Kind of a big deal

I'm not sure I quite understand your concern about IP overlap / conflict.

Roey1984
Building a reputation

Thanks for the reply, RaphaelL

To clarify what I meant — I’m concerned about situations where a user’s home network (e.g., their Wi-Fi router) is using the same IP subnet as the one assigned by the VPN.

Let’s say their home router uses 192.168.50.0/24, and we also assign IPs from 192.168.50.0/24 via AnyConnect. When that user connects to the VPN, their computer won’t be able to tell which 192.168.50.x IPs are local and which are remote. As a result:

Traffic intended for internal company resources might get routed to the local network instead

Some internal services may become unreachable

DNS resolution may work, but packets go to the wrong destination

Maybe I'll just use the 172.16.0.0/24 range for AnyConnect?
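To make the overlap scenario above concrete, here is a small Python model (added for illustration, not code from the thread or from Meraki) of a full-tunnel client's routing table: a connected route for the home LAN, a connected route for the VPN pool, and a default route through the tunnel. It also checks a candidate pool against a constructed, non-authoritative list of subnets often seen as consumer-router defaults; the interface names and that list are assumptions.

```python
import ipaddress

# Constructed list of subnets commonly used as defaults on consumer routers.
# This is an assumption for illustration, not an authoritative survey.
COMMON_HOME_SUBNETS = [
    "192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24",
    "192.168.50.0/24", "192.168.100.0/24", "10.0.0.0/24",
    "10.1.1.0/24", "172.16.0.0/24", "172.16.1.0/24",
]


def overlapping_home_subnets(pool):
    """Return the entries of COMMON_HOME_SUBNETS that overlap the candidate pool."""
    net = ipaddress.ip_network(pool, strict=False)
    return [s for s in COMMON_HOME_SUBNETS if net.overlaps(ipaddress.ip_network(s))]


def full_tunnel_routes(lan_subnet, vpn_pool):
    """Simplified routing table of a full-tunnel client: the home LAN as a
    connected route on wlan0, the VPN pool as a connected route on tun0,
    and the default route through the tunnel (interface names are assumed)."""
    return [(lan_subnet, "wlan0"), (vpn_pool, "tun0"), ("0.0.0.0/0", "tun0")]


def route_lookup(routes, dst):
    """Longest-prefix match, as a host's routing table does it. Returns every
    interface tied for the longest match; more than one means the host cannot
    tell whether the destination is local or behind the VPN."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), iface) for p, iface in routes
               if addr in ipaddress.ip_network(p)]
    best = max(n.prefixlen for n, _ in matches)
    return sorted({iface for n, iface in matches if n.prefixlen == best})


def is_ambiguous(lan_subnet, vpn_pool, dst):
    """True when the LAN and VPN pool leave dst with no single best route."""
    return len(route_lookup(full_tunnel_routes(lan_subnet, vpn_pool), dst)) > 1


if __name__ == "__main__":
    for pool in ("192.168.50.0/24", "172.16.1.0/24", "10.200.0.0/24"):
        print(pool, "overlaps:", overlapping_home_subnets(pool))
    # Home LAN 192.168.50.0/24 with a pool in the same range: destination is ambiguous.
    print(route_lookup(full_tunnel_routes("192.168.50.0/24", "192.168.50.0/24"), "192.168.50.10"))
    # Same LAN with a 10.200.0.0/24 pool: LAN host stays local, corporate host goes via tun0.
    print(route_lookup(full_tunnel_routes("192.168.50.0/24", "10.200.0.0/24"), "192.168.50.10"))
    print(route_lookup(full_tunnel_routes("192.168.50.0/24", "10.200.0.0/24"), "10.10.0.5"))
```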

Pached
Here to help

Hey Roey,

The only way to guarantee no IP conflicts is to buy and assign a public subnet and route it internally, which isn't realistic for most businesses. Alternatively, you can use a reserved block for free, i.e. 7.0.0.0/8 is reserved for DoD, but this can lead to other problems in the future. I've set up VPNs in the high 10.x.x.x and rarely encountered IP conflict issues.

Also, be aware that with full tunnel, local home printing and other home services won't be available to these clients while the VPN is connected.

PhilipDAth
Kind of a big deal

I think 192.168.50.0/24 is safe. I have never seen a home router configured to use this range.

Roey1984
Building a reputation

Thank you!
