Setting up VPN with two VLANs/Subnets

SOLVED
ErnstTFD

I've been using our Meraki MX64 for a while now as a router with a single VLAN.


I've got it configured so that unrecognized devices (by MAC address) are blocked and known devices are assigned a fixed IP and group policy. This works great.


I want to maintain the above functionality but add VPN access plus a second VLAN. Preferably only specific VPN users should have access to the second VLAN, while all VPN users should access the first VLAN.


I can try to figure this out by trial and error, but I would appreciate any help/pointers you can give me in advance. Any pitfalls I should be aware of?


For example: Is it possible to assign two IPs (one for each subnet) to one MAC address using DHCP?


Thank you in advance for any advice you can give me.

Brash

Adding a second VLAN is relatively trivial. Assuming the MX is the gateway for both subnets, they can communicate with each other without issue. You can restrict this further with L3 firewall rules.


Client VPN by default can access all subnets.

You need to use L3 firewall rules if you want to restrict them to specific subnets.

https://documentation.meraki.com/MX/Client_VPN/Restricting_Client_VPN_access_using_Layer_3_firewall_...


Not sure I understand the use case of trying to assign multiple IPs to the one MAC address...

ErnstTFD

Thanks, this helps a lot.


The second subnet is for the accounting dept. However, they require access to servers and printers that live in the first subnet as well. Thus I give two IPs to each PC. Now that you mention it, with some reconfiguration, it might not be necessary to do it that way. I could move everything they need into their own subnet. I'll give it a go.

Brash

Right. Rather than giving multiple IPs to the PCs, you can set up the accounting dept in VLAN 2 and use L3 firewall rules to allow access to the printers and network shares in VLAN 1 (even down to the specific ports required, if you want).

You can then add a rule afterwards to deny all other traffic from VLAN 2 to VLAN 1 (assuming that's what you want to do).


Note: the VLAN numbers above are for illustrative purposes only. I don't encourage the use of VLAN 1. 😜
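The rule set Brash describes in the two replies above (let the accounting VLAN reach a printer and a file share in the first VLAN on specific ports, deny the rest of that VLAN afterwards, and keep Client VPN clients out of the accounting VLAN), written out as an added example. This is not code from the thread or from Meraki; it builds the rules in the field layout of the Dashboard API's `PUT /networks/{networkId}/appliance/firewall/l3FirewallRules` resource and includes a small first-match evaluator so the order can be checked offline before anything is pushed. The VLAN IDs (10 and 20 rather than the thread's illustrative 1 and 2), subnets, VPN pool, printer and file-server addresses are all assumptions chosen for illustration.

```python
"""Meraki MX L3 firewall rules for two VLANs plus Client VPN, with a
first-match evaluator to sanity-check the rule order before pushing it.

Added example, not code from the thread or from Meraki. Addressing is an
assumption chosen for illustration:
  VLAN 10  192.168.10.0/24   servers, printers, general staff
  VLAN 20  192.168.20.0/24   accounting
  Client VPN pool            192.168.100.0/24
"""
import ipaddress
import json

VLAN10 = "192.168.10.0/24"        # assumed
VLAN20 = "192.168.20.0/24"        # assumed
VPN_POOL = "192.168.100.0/24"     # assumed Client VPN address pool
PRINTER = "192.168.10.50/32"      # assumed printer in VLAN 10
FILE_SERVER = "192.168.10.10/32"  # assumed SMB file server in VLAN 10


def rule(comment, policy, protocol, src_cidr, dst_cidr, dst_port="Any"):
    """One rule using the field names of the Dashboard API's
    l3FirewallRules resource; the values are this example's assumptions."""
    return {
        "comment": comment,
        "policy": policy,             # "allow" | "deny"
        "protocol": protocol,         # "tcp" | "udp" | "icmp" | "any"
        "srcCidr": src_cidr,
        "srcPort": "Any",
        "destCidr": dst_cidr,
        "destPort": dst_port,         # "Any", "445", "80,443" or "9100-9102"
        "syslogEnabled": policy == "deny",  # log the denies for troubleshooting
    }


def build_rules():
    """Ordered top-down, as the MX evaluates them. A flow that matches no
    rule falls through to the MX's implicit final 'allow any'."""
    return [
        rule("Accounting -> printer, raw print", "allow", "tcp", VLAN20, PRINTER, "9100"),
        rule("Accounting -> file server, SMB", "allow", "tcp", VLAN20, FILE_SERVER, "445"),
        rule("Accounting -> rest of VLAN 10 denied", "deny", "any", VLAN20, VLAN10),
        rule("Client VPN kept out of accounting VLAN", "deny", "any", VPN_POOL, VLAN20),
    ]


def _cidr_matches(spec, ip):
    return spec == "Any" or ip in ipaddress.ip_network(spec, strict=False)


def _port_matches(spec, port):
    """Handle 'Any', single ports, comma lists and lo-hi ranges."""
    if spec == "Any":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def evaluate(rules, src_ip, dst_ip, protocol="tcp", dst_port=0):
    """First-match evaluation of one new flow: returns (policy, comment)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r["protocol"] != "any" and r["protocol"] != protocol:
            continue
        if (_cidr_matches(r["srcCidr"], src)
                and _cidr_matches(r["destCidr"], dst)
                and _port_matches(r["destPort"], dst_port)):
            return r["policy"], r["comment"]
    return "allow", "Default rule"


def api_payload(rules):
    """Request body for PUT /networks/{networkId}/appliance/firewall/l3FirewallRules."""
    return json.dumps({"rules": rules}, indent=2)


if __name__ == "__main__":
    rules = build_rules()
    for flow in [("192.168.20.25", "192.168.10.50", "tcp", 9100),   # accounting PC -> printer
                 ("192.168.20.25", "192.168.10.10", "tcp", 3389),   # accounting PC -> RDP on server
                 ("192.168.100.7", "192.168.20.25", "tcp", 445),    # VPN client -> accounting PC
                 ("192.168.100.7", "192.168.10.10", "tcp", 445)]:   # VPN client -> file server
        print(flow, "->", evaluate(rules, *flow))
    print(api_payload(rules))
```

Two things the evaluator makes visible that the prose does not. First, order is everything: the same four rules with the blanket deny moved to the top never reach the port-specific allows, so accounting loses the printer and the share. Second, the rule set only restricts flows that accounting or the VPN pool initiate; the MX firewall is stateful, so replies come back, but a host in VLAN 10 opening a connection into VLAN 20 still hits the default allow, and a second deny is needed if accounting should be isolated in both directions. The VPN deny also covers the whole pool, because these rules match on source address rather than on the VPN user; restricting only some VPN users requires those users to land on addresses the rules can tell apart.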

ErnstTFD

Yes, this makes sense. It's a much better way of doing it.
