I've been using our Meraki MX64 for a while now as a router with a single VLAN.
I've got it configured so that unrecognized devices (by MAC address) are blocked and known devices are assigned a fixed IP and group policy. This works great.
I want to maintain the above functionality but add VPN access plus a second VLAN. Preferably only specific VPN users should have access to the second VLAN, while all VPN users should access the first VLAN.
I can try to figure this out by trial and error, but I would appreciate any help/pointers you can give me in advance. Any pitfalls I should be aware of?
For example: is it possible to assign two IPs (one for each subnet) to one MAC address using DHCP?
Thank you in advance for any advice you can give me.
Adding a second VLAN is relatively trivial. Assuming the MX is the gateway for both subnets, they can communicate with each other without issue. You can restrict this further with L3 firewall rules.
Client VPN by default can access all subnets.
You need to use L3 firewall rules if you want to restrict them to specific subnets.
Not sure I understand the use case of trying to assign multiple IPs to the one MAC address...
Thanks, this helps a lot.
The second subnet is for the accounting dept. However, they require access to servers and printers that live in the first subnet as well. Thus I give two IPs to each PC. Now that you mention it, with some reconfiguration, it might not be necessary to do it that way. I could move everything they need into their own subnet. I'll give it a go.
Right. Rather than giving multiple IPs to the PCs, you can set up the accounting dept in VLAN 2 and use L3 firewall rules to allow access to the printers and network shares in VLAN 1 (even down to the specific ports required if you want).
You can then add a rule afterwards to deny all other traffic from VLAN 2 to VLAN 1 (assuming that's what you want to do).
Note: the VLAN numbers above are for illustrative purposes only. I don't encourage the use of VLAN 1. 😜
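The allow-then-deny rule set described in this answer, as an added example that is not part of the original thread: it builds an ordered L3 rule list in the shape of the Meraki dashboard API payload (the endpoint, field names and all addresses are assumptions, not from the thread) and evaluates sample flows against it first-match, so you can see why the catch-all deny has to come last.

```python
import ipaddress

# Constructed addressing (not from the thread): VLAN 2 = accounting, VLAN 1 = servers/printers.
ACCOUNTING_NET = "10.0.2.0/24"
OFFICE_NET = "10.0.1.0/24"
PRINT_SERVER = "10.0.1.20/32"
FILE_SERVER = "10.0.1.10/32"

def accounting_rules():
    """Ordered L3 rule list in the assumed shape of the Meraki dashboard API body
    (PUT /networks/{networkId}/appliance/firewall/l3FirewallRules).
    Specific allows first; the catch-all deny last, because rules are first-match."""
    return [
        {"comment": "Accounting -> print server (IPP/raw)", "policy": "allow", "protocol": "tcp",
         "srcCidr": ACCOUNTING_NET, "srcPort": "Any", "destCidr": PRINT_SERVER,
         "destPort": "631,9100", "syslogEnabled": False},
        {"comment": "Accounting -> file shares (SMB)", "policy": "allow", "protocol": "tcp",
         "srcCidr": ACCOUNTING_NET, "srcPort": "Any", "destCidr": FILE_SERVER,
         "destPort": "445", "syslogEnabled": False},
        {"comment": "Deny everything else accounting -> VLAN 1", "policy": "deny", "protocol": "any",
         "srcCidr": ACCOUNTING_NET, "srcPort": "Any", "destCidr": OFFICE_NET,
         "destPort": "Any", "syslogEnabled": True},
    ]

def _port_match(spec, port):
    """Match a port against 'Any' or a comma-separated list of ports / ranges (e.g. '631,9100')."""
    if spec == "Any":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def evaluate(rules, src, dst, proto, dport):
    """First-match evaluation of an ordered rule list. Falls through to 'allow' when nothing
    matches, mirroring the answer's point that inter-VLAN traffic is allowed unless a rule denies it."""
    for r in rules:
        if r["protocol"] not in ("any", proto):
            continue
        if ipaddress.ip_address(src) not in ipaddress.ip_network(r["srcCidr"]):
            continue
        if ipaddress.ip_address(dst) not in ipaddress.ip_network(r["destCidr"]):
            continue
        if not _port_match(r["destPort"], dport):
            continue
        return r["policy"]
    return "allow"
```

Putting the deny rule first would shadow both allows, so the evaluator returns "deny" for the printer flow in that ordering.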
Yes, this makes sense. It's a much better way of doing it.