VPN clients subnet

hmc250000
Getting noticed

Simple question. Can you use a subnet for VPN clients that is also used on the LAN interface of the MX?

So you are basically bridging, and not routing, between VPN clients and the inside LAN. This was possible with Cisco ASAs.

I want to avoid having to waste an entire subnet.

Thanks.

BrandonS
Kind of a big deal

No, that wouldn't make sense to overlap or be the same. It needs to be unique.

What do you mean waste a subnet? There are over 16 million RFC 1918 addresses you can slice up and subnet however you like.

- Ex community all-star (⌐⊙_⊙)
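The two checks this answer implies, that the Client VPN subnet must be private and must not overlap any subnet already in use on the MX, are easy to automate before touching the dashboard. The script below is an added example, not part of the thread or of any Meraki tooling; it uses only Python's standard `ipaddress` module, and the LAN subnets in it are constructed sample values standing in for whatever VLANs the appliance actually has configured.

```python
import ipaddress

# Constructed sample data (not from the thread): subnets already configured on
# the MX's LAN/VLAN interfaces. Replace with the real VLAN and site-to-site list.
LAN_SUBNETS = ["10.0.10.0/24", "10.0.20.0/24", "192.168.1.0/24"]

# The three RFC 1918 private blocks.
RFC1918 = [ipaddress.ip_network(b)
           for b in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def validate_client_vpn_subnet(candidate, existing=LAN_SUBNETS):
    """Return a list of problems with `candidate` as a Client VPN subnet.

    An empty list means the subnet is inside an RFC 1918 block and does not
    overlap any subnet already in use. Overlap is checked with
    IPv4Network.overlaps(), which catches a candidate that equals, contains,
    or sits inside an existing subnet.
    """
    problems = []
    cand = ipaddress.ip_network(candidate, strict=False)
    if not any(cand.subnet_of(block) for block in RFC1918):
        problems.append(f"{cand} is not inside an RFC 1918 block")
    for s in existing:
        net = ipaddress.ip_network(s, strict=False)
        if cand.overlaps(net):
            problems.append(f"{cand} overlaps existing subnet {net}")
    return problems


def pick_free_subnet(existing=LAN_SUBNETS, prefixlen=24, within="10.0.0.0/8"):
    """First /prefixlen inside `within` that overlaps nothing in `existing`.

    subnets() is a lazy generator, so searching a whole /8 is cheap: the loop
    stops at the first free candidate. Returns None if `within` is exhausted.
    """
    used = [ipaddress.ip_network(s, strict=False) for s in existing]
    for net in ipaddress.ip_network(within).subnets(new_prefix=prefixlen):
        if not any(net.overlaps(u) for u in used):
            return str(net)
    return None


if __name__ == "__main__":
    # Constructed proposals: same as a VLAN, half of a VLAN, a supernet of
    # two VLANs, a public range, and a genuinely free private /24.
    for proposal in ("10.0.10.0/24", "10.0.10.128/25", "10.0.0.0/16",
                     "8.8.8.0/24", "10.0.30.0/24"):
        issues = validate_client_vpn_subnet(proposal)
        print(proposal, "OK" if not issues else "; ".join(issues))
    print("suggested free /24:", pick_free_subnet())
```

Run it with the real interface list in `LAN_SUBNETS` (including remote sites reachable over site-to-site VPN, since those routes also have to stay unambiguous) and it will either confirm a proposed Client VPN subnet or hand back a free one.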
Paul_H
Meraki Employee

+1 @BrandonS !

Think of it as creating a new, fresh, logical separation between all your other subnets... and not wasting! O:)

Is it possible to configure a DHCP relay (server resides on the inside LAN) for VPN clients?

BrandonS
Kind of a big deal

I don't think so. Last I checked it assigns the addresses from the client VPN subnet dynamically and you can only set DNS and WINS.

- Ex community all-star (⌐⊙_⊙)

Nope.

Client VPN is VERY basic and does just that.

Now if you want to get FANCY and see where most of our work has been going... Check out using AnyConnect for Meraki MXs!

https://documentation.meraki.com/MX/AnyConnect_on_the_MX_Appliance

Interesting. We are a midsized company and sometimes require not so simple solutions to make things work globally.

Thanks.

The AnyConnect option looks awesome, just not for the reasons my search for a solution brought up this result, as our needs would - like the original poster's, I believe - be completely satisfied with a simple option to "use existing VLAN" for the remote client's VPN tunnel.

In our case, we have two separate WAN links to the branch site in question, but all of our employees that use client VPN connect to our main datacenter network to facilitate that need. Most of the resources they need are located there, regardless of the de facto "home" office they are physically associated with, and the routing/mesh network afforded by the Meraki configuration provides them the ability to print to their respective branch should that need arise. All very neat and easy to configure and support, which is one of the many reasons I love Meraki.

Where we run into an issue is that at some of these branches we have a separate industrial/PLC network that is supported by a 3rd party.  This 3rd party provides their own router/firewall, but ends up using a tertiary ISP that unfortunately eschews the load balancing and redundancy available from our MX.

As I compile options for improving the overall service and mean time to resolution in regard to problems with that 3rd party's network, I see that if I could simply designate a small pool of addresses from the same VLAN/subnet used by this 3rd party network, I could kill all these birds with that one stone. The requirement to segregate the client VPN subnet from an existing subnet is the sticking point here.

If it's not precluded by some internal mechanism or design consideration that is hidden from view, it would be really convenient and welcome to have the option to allow it for use cases like ours. By forcing me to route between two VLANs no matter what, I have to attempt to coordinate with a 3rd party that isn't super receptive to one-off configurations, and certainly not fantastically consistent in their documentation and retention of such configurations. This ultimately results in the complication of future support efforts as they attempt to directly access those static IPs on the PLC network.
