vMX 100 multiple subnets

SOLVED

Is it possible to have multiple subnets for client VPNs?  

I have a need for different access and permissions for different groups that VPN in. One is for a client and one is for our own employees. I want to be able to limit the client to be able to access one server only but I don't see how to do that with the MX.

Thanks, Gordon

Accepted Solutions

Re: vMX 100 multiple subnets

You can only configure one subnet for client VPN. You can, however, create group policies and apply those to the clients.

https://documentation.meraki.com/MR/Group_Policies_and_Blacklisting/Creating_and_Applying_Group_Poli...

MRCUR | CMNO #12

9 REPLIES

Re: vMX 100 multiple subnets

I tried getting clever with CIDR super- and sub-netting. It wasn't allowed. I have changed my network architecture so I have options at all levels. Taking a leaf out of the banks' playbook after the last financial crash, I have bad bank and good bank, or rather bad network and good network. All the dodgy stuff is in bad network. Good network is secure and boring . . . bad network is out dancing all night.

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel


Re: vMX 100 multiple subnets

@MRCUR are you sure you can apply group policies to client VPN users?  I don't think this works ...


Re: vMX 100 multiple subnets

The only way I can figure out how to do it is to assign them static IPs to use and then I can filter by them. Not the best option, but this is for a client, not the general public.


Re: vMX 100 multiple subnets

@PhilipDAth I haven't personally done this, but I've seen it recommended on the community by others. The VPN clients show up in the network wide clients list, so this seems like it would be possible to me. 

MRCUR | CMNO #12

Re: vMX 100 multiple subnets

Do this test for me please. Blacklist a VPN client, and then make sure they are blocked from everything.


Re: vMX 100 multiple subnets

I just tested with myself as a VPN client and was able to restrict my bandwidth to 1Mb up and down and blocked myself from the LAN. My phone is configured to connect to the VPN via Sentry so I'm not sure if that's part of why it works. It was a separate group policy that I applied to restrict my phone.


Re: vMX 100 multiple subnets

Group policy on the VPN does work. We authenticate via AD and have one of our groups that cannot access Facebook. When that user VPNs in, they follow that group policy and continue to be blocked from Facebook.


Re: vMX 100 multiple subnets

OK.  So the answer is no, that there is not a way to have multiple subnets.  I have looked at group policy and it is not going to work in our case for a number of reasons.  

Thanks for the replies
