I want to be able to tunnel multiple SSIDs (3+) from several sites to a central concentrator. At the concentrator I want these SSIDs to exit the router on an individual/separate VLAN.
Q1. Am I correct in assuming that I cannot use one-armed/passthrough configuration and I must use Routed due to multiple SSIDs?
If using routed mode I configure the upstream/WAN interface as normal, and then I configure an IP interface per SSID for the downstream unencrypted traffic.
Q2. Is the IP subnet I configure on the MX the subnet of the hosts in this SSID? (I notice the Meraki documentation shows a /30 subnet, which suggests otherwise.)
Q3. Can I configure the DHCP for the SSID subnet on the MX or does it have to be on a downstream device (as per passthrough)?
Q4. Is the gateway for the SSID subnet the MX or a separate downstream device?
@DavidTa, have a read through what @ww posted, but specifically in regards to your questions…
Q1. No, you’re better off using VPN concentrator mode. Each SSID drops into a separate VLAN on the WAN1 port.
Q2. The subnet you configure on the MX WAN1 port just needs to be a /30. The WAN1 just has to have an IP address that is contactable from the management IP address of the APs.
Q3. You have to configure the DHCP on a downstream device. You can’t run the DHCP services on the MX as it’s a VPN concentrator.
Q4. The gateway for the SSID subnet is downstream from the MX. The link from the MX WAN1 port is a trunk with a VLAN for each of the SSIDs you’re ‘concentrating’.
Hope it makes a little more sense, but feel free to post any more questions.
One-armed concentrator is recommended.
You need a DHCP server for that SSID at the one-armed concentrator (it cannot be the concentrator itself).
Thanks for the response - I assumed, as I could not configure or see VLANs on the trunk (WAN1), that the one-armed concentrator was not feasible. But the VLAN ID is specified at the AP end and then magic just happens.
@Bruce, using WAN1 as an 802.1Q trunk port, is it therefore also necessary to define a specific VLAN ID under the MX uplink settings, or will the MX in one-armed mode use that port as a trunk with native/untagged VLAN ID 1 anyway?