Tunneling multiple SSIDS, VPN concentrator

Solved
DavidTa
Comes here often

Tunneling multiple SSIDS, VPN concentrator

I want to be able to tunnel multiple SSIDs (3+) from several sites to a central concentrator.  At the concentrator I want these SSIDs to exit the router on an individual/separate VLAN.

Q1.  Am I correct in assuming that I cannot use one-armed/passthrough configuration and I must use Routed due to multiple SSIDs?

 

If using routed mode I configure the upstream/WAN interface as normal, and then I configure an IP interface per SSID for the downstream unencrypted traffic. 

Q2.  Is the IP subnet I configure on the MX the subnet of the hosts in this SSID (I notice the Meraki documentation shows a /30 subnet which suggest otherwise).

Q3.  Can I configure the DHCP for the SSID subnet on the MX or does it have to be on a downstream device (as per passthrough)?

Q4.  Is the gateway for the SSID subnet the MX or a separate downstream device?

1 Accepted Solution
Bruce
Kind of a big deal

@DavidTa, have a read through what @ww posted, but specifically in regards to your questions…

 

Q1. No, you’re better of using VPN concentrator mode. Each SSID drops into a separate VLAN on the WAN1 port.

 

Q2. The subnet you configure on the MX WAN1 port just needs to be a /30. The WAN1 just has to have a IP address that is contactable from the management IP address of the APs.

 

Q3. You have to configure the DHCP on a downstream device. You can’t run the DHCP services on the MX as it’s a VPN concentrator.

 

Q4. The gateway for the SSID subnet is downstream from the MX. The link from the MX WAN1 port is a trunk with a VLAN for each of the SSIDs you’re ‘concentrating’.

 

Hope it makes a little more sense, but feel free to post anymore questions.

View solution in original post

5 Replies 5
ww
Kind of a big deal
Kind of a big deal

https://community.meraki.com/t5/Security-SD-WAN/VLAN-Config-on-Singled-Armed-concetrator-for-SSID-Tu...

 

one armed concentrator is recommended .

you need a dhcp server for that ssid at one armed concentrator (can not be the concentrator itself)

Bruce
Kind of a big deal

@DavidTa, have a read through what @ww posted, but specifically in regards to your questions…

 

Q1. No, you’re better of using VPN concentrator mode. Each SSID drops into a separate VLAN on the WAN1 port.

 

Q2. The subnet you configure on the MX WAN1 port just needs to be a /30. The WAN1 just has to have a IP address that is contactable from the management IP address of the APs.

 

Q3. You have to configure the DHCP on a downstream device. You can’t run the DHCP services on the MX as it’s a VPN concentrator.

 

Q4. The gateway for the SSID subnet is downstream from the MX. The link from the MX WAN1 port is a trunk with a VLAN for each of the SSIDs you’re ‘concentrating’.

 

Hope it makes a little more sense, but feel free to post anymore questions.

DavidTa
Comes here often

Thanks for the response - I assumed as I could not configure or see VLANs on the Trunk (WAN1) the one armed concentrator was not feasible.  But the VLAN ID is specified at the AP end and then magic just happens..

KarstenI
Kind of a big deal
Kind of a big deal


@DavidTa wrote:

... and then magic just happens..


This is how it works ... 😉

whistleblower
Building a reputation

@Bruce using the WAN 1 as 802.1q trunk port is it therefore necessary too to define a specific VLAN-ID under the MX uplink settings or will the MX in 1-armed mode use that port as trunk with native/untagged VLAN-ID: 1 anyway?

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels