vMX 100 multiple subnets

SOLVED
Gordon
Getting noticed

Is it possible to have multiple subnets for client VPNs?  

I have a need for different access and permissions for different groups that VPN in.  One is for a client and one is for our own employees.  I want to be able to limit the client to be able to access one server only but I don't see how to do that with the MX.

 

Thanks, Gordon

1 ACCEPTED SOLUTION
MRCUR
Kind of a big deal

You can only configure one subnet for client VPN. You can however create group policies and apply those to the clients. 

 

https://documentation.meraki.com/MR/Group_Policies_and_Blacklisting/Creating_and_Applying_Group_Poli...

MRCUR | CMNO #12

9 REPLIES
Uberseehandel
Kind of a big deal

I tried getting clever with CIDR super- and sub- netting. It wasn't allowed. I have changed my network architecture so I have options at all levels. Taking a leaf out of the banks' playbook after the last financial crash, I have bad bank and good bank, or rather bad network and good network. All the dodgy stuff is in bad network. Good network is secure and boring . . . bad network is out dancing all night.

 

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
PhilipDAth
Kind of a big deal

@MRCUR are you sure you can apply group policies to client VPN users?  I don't think this works ...

The only way I can figure out how to do it is to assign them static IPs to use, and then I can filter by them. Not the best option, but this is for a client, not the general public.

MRCUR
Kind of a big deal

@PhilipDAth I haven't personally done this, but I've seen it recommended on the community by others. The VPN clients show up in the network wide clients list, so this seems like it would be possible to me. 

MRCUR | CMNO #12
PhilipDAth
Kind of a big deal

Do this test for me please. Blacklist a VPN client, and then make sure they are blocked from everything.

mmmmmmark
Building a reputation

I just tested with myself as a VPN client and was able to restrict my bandwidth to 1Mb up and down and blocked myself from the LAN. My phone is configured to connect to the VPN via Sentry, so I'm not sure if that's part of why it works. It was a separate group policy that I applied to restrict my phone.

Group policy on the VPN does work. We authenticate via AD and have one of our groups that cannot access Facebook. When that user VPNs in, they follow that group policy and continue to be blocked from Facebook.

OK.  So the answer is no, that there is not a way to have multiple subnets.  I have looked at group policy and it is not going to work in our case for a number of reasons.  

Thanks for the replies
