Z3 Lan Port Configuration for non-vpn personal device

Maximiliano
Here to help


My current scenario: the Z3 device is in my bedroom where I have 2 devices connected to LAN ports and access my office network via AutoVPN. I have a personal PC that mainly is used by my wife in the same room and does not have wifi capability. My ISP modem is in the living room and I previously ran a Cat5e cable and installed a port in my bedroom that connects the Z3 to WAN via the ISP modem.

I could run an additional data cable just for the one PC that I don't want connected to my VPN network, but I was trying to see if I could create a separate VLAN and configure a port on my Z3 device that would provide pass-through internet only. I was looking at creating a separate VLAN that is not in VPN mode and would keep all traffic from the PC to the WAN separate from the VPN to my office. My biggest concern is security of course, with my wife not being very savvy when it comes to computers or internet safety, and I want to keep that PC completely isolated from the other devices connected to the Z3 and of course the VPN back to the office.

Any tips, advice, or concerns for trying to do this?

Follow-up question: Do you Z3 users typically configure a separate VLAN for VPN vs. external internet usage?

Brash
Kind of a big deal

You're spot on. The general process would be:

- Create new VLAN
- Exclude the new VLAN from site-to-site VPN
- Create L3 firewall rules blocking communication from the new VLAN to your existing one.
  This can be any explicit deny rule with the source of the new subnet and a destination of the existing one, or simply a rule denying all 3 private IP ranges from the new subnet (for easy future proofing).
- Connect wife's PC to new VLAN with an access port
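As an added illustration of the third step above (this is example code, not part of the reply or of any Meraki product), the block below builds the "deny the new subnet to all three private ranges" rule set and evaluates a few sample flows against it offline, so the rule order and coverage can be checked before anything is typed into the dashboard. The rule dictionaries borrow the field names of the Meraki Dashboard API's appliance L3 firewall rules (`policy`, `protocol`, `srcCidr`, `destCidr`, `comment`, `syslogEnabled`); the subnets 192.168.128.0/24 (existing VLAN), 192.168.200.0/24 (new isolated VLAN) and the sample addresses are constructed values and nothing here contacts the dashboard.

```python
"""Model the isolation rules for a non-VPN VLAN on an MX/Z3-style appliance.

Added example, not code from the forum post. The subnets and hosts below are
constructed sample values; the rule field names follow the Meraki Dashboard
API's L3 firewall rule shape (assumption, verify against the API docs).
"""
import ipaddress

# RFC 1918 private ranges: denying all three from the new subnet covers the
# existing VLAN now and any private subnet added later (Brash's "future proofing").
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def isolation_rules(new_subnet: str) -> list:
    """Return deny rules from new_subnet to every private range, in match order.

    syslogEnabled is on so that any attempt to cross from the isolated VLAN into
    private space leaves a log line, which is the detection side of the setup.
    """
    ipaddress.ip_network(new_subnet, strict=True)  # raise early on a bad CIDR
    return [
        {
            "comment": f"Isolate {new_subnet} from {private_range}",
            "policy": "deny",
            "protocol": "any",
            "srcCidr": new_subnet,
            "srcPort": "Any",
            "destCidr": private_range,
            "destPort": "Any",
            "syslogEnabled": True,
        }
        for private_range in RFC1918
    ]


def check_no_overlap(existing_subnet: str, new_subnet: str) -> bool:
    """The new VLAN must not overlap the existing one, or routing gets ambiguous."""
    existing = ipaddress.ip_network(existing_subnet, strict=True)
    new = ipaddress.ip_network(new_subnet, strict=True)
    return not existing.overlaps(new)


def _cidr_match(cidr: str, ip: str) -> bool:
    if cidr.lower() == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def evaluate(rules: list, src_ip: str, dst_ip: str) -> str:
    """First-match evaluation of a flow's initial packet.

    The appliance firewall is stateful and ends with an implicit allow-all, so a
    flow that matches no rule is allowed; reply traffic of a denied flow never
    exists because the first packet was dropped.
    """
    for rule in rules:
        if _cidr_match(rule["srcCidr"], src_ip) and _cidr_match(rule["destCidr"], dst_ip):
            return rule["policy"]
    return "allow"


if __name__ == "__main__":
    existing_vlan = "192.168.128.0/24"   # constructed: the VLAN that rides AutoVPN
    new_vlan = "192.168.200.0/24"        # constructed: the isolated, non-VPN VLAN
    assert check_no_overlap(existing_vlan, new_vlan)
    rules = isolation_rules(new_vlan)
    pc = "192.168.200.10"                # constructed: the non-VPN PC
    for dst, label in [
        ("192.168.128.20", "existing VLAN host"),
        ("10.1.1.5", "office subnet reached over AutoVPN"),
        ("93.184.216.34", "public internet host"),
    ]:
        print(f"{pc} -> {dst} ({label}): {evaluate(rules, pc, dst)}")
```

Two points worth keeping in mind when translating this into the dashboard: the deny rules have to sit above any broader allow rule, because evaluation stops at the first match, and the rules as written only cover flows started from the new VLAN. Devices on the existing VLAN can still open connections to the isolated PC; if that is not wanted, add the mirror-image deny (source existing subnet, destination new subnet) as well.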
