Meraki

Community

Z3 Split tunnel

ChrisB
Here to help
‎Dec 3 2020 1:30 AM
‎Dec 3 2020 1:30 AM

Z3 Split tunnel

Hey all, wondering if any one can assist. 

 

At present we use Meraki Z3/Z3C for quick ad-hoc deployments to a short term location, where we require an urgent presence. As part of this we can offer our WLAN solution, which uses a external RADIUS service which needs to have a known public IP address for authentications. 

So with unknown public addressing (via an internet connection provided by a 3rd party site or via cellular) we can't always get a known static public address, so for a quick fix have resorted to building a VPN for all traffic back to our MX250.

What I would like to do is just VPN back the RADIUS (1812 & 1813) traffic only, so we are not brining back all the public internet traffic in to our HQ just to direct back out. Is there a way to be able to achieve this?

0 Kudos
3 Replies 3
GIdenJoe
Kind of a big deal
Kind of a big deal
‎Dec 3 2020 1:51 AM
‎Dec 3 2020 1:51 AM

That design is probably not supported.
You can easily have split tunnel traffic by just not putting the MX250 as default route.

But all the subnets the MX250 injects into the SD-WAN will be made available through the tunnel.  That means all private traffic flowing between that Z3 local network and the networks and routes the MX250 knows and injects as VPN available.

 

All other traffic will break out locally to the internet at the Z3.

 

To further block traffic from the Z3 to the MX250 you can add the VPN acl to only allow radius traffic from the remote Z3 subnets towards the local MX250 networks.

KarstenI
Kind of a big deal
Kind of a big deal
‎Dec 3 2020 2:34 AM
‎Dec 3 2020 2:34 AM

I would implement it the follwong way:

  • Configure the Teleworker gateways for Split tunnel
  • Place a RADIUS-Proxy into your headquarter. This RADIUS-Proxy forwards the RADIUS requests to the external RADIUS.

This way you never have to touch the external RADIUS again to change any IPs and if the Teleworker gateways always use the same internal addresses for the APs, also the Proxy does not have to change.

 

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
In response to KarstenI
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Dec 3 2020 2:39 PM
‎Dec 3 2020 2:39 PM

I wouldn't have thought of @KarstenI 's answer - but that is a very good solution.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.