
Wireless Concentrator from LAN

SOLVED
Here to help

Wireless Concentrator from LAN

We are currently looking at deploying Meraki MR APs on our LAN with 2 SSIDs: one which will bridge to our corporate LAN and a second which we hoped to VPN to an MX in our DMZ. We can get the APs to communicate with our dashboard and can configure them, but get no Guest SSID VPN to the MX.

 

Is anyone able to assist?

 Meraki MX - DMZ.jpg

 

 

Kind of a big deal

Re: Wireless Concentrator from LAN

What is not working? Are you able to configure it?

Is your MX in passthrough/concentrator mode?

Kind of a big deal

Re: Wireless Concentrator from LAN

This looks like a Cisco WLC guest anchor style design.  This design is not suitable for Meraki.

 

Is there any reason you can't use the standard Meraki design of NAT mode and denying access to the local LAN?

https://meraki.cisco.com/blog/2013/09/secure-guest-access-in-3-steps/

Here to help

Re: Wireless Concentrator from LAN

We can't get the SSID VPN to establish from our LAN. If I connect to the MX directly we have no issue.

 

Does SSID VPN use LAN and/or WAN address to target?

Kind of a big deal

Re: Wireless Concentrator from LAN

The VPN is designed to establish from the "outside" of an MX, not the inside. If you upgrade to 13.28 on the MX it "might" work, as there was a new AutoVPN feature added to allow connection from an "inside" interface - but I wouldn't get your hopes up.

Here to help

Re: Wireless Concentrator from LAN

Due to corporate data level, we require the segregation, so would like to get Guest delivery into our DMZ.

 

Could this design be more suitable?

 

Meraki MX - DMZ.jpg

Kind of a big deal

Re: Wireless Concentrator from LAN

You should be able to make that design work, as the MX would now be in VPN concentrator mode.

Meraki Alumni (Retired)

Re: Wireless Concentrator from LAN

Either design should work; the second design is more optimal, so stick with that. Do you have egress security on the firewall southbound in your sandwich DMZ? I have a hunch that is blocking traffic. You'll know if it still doesn't work; take a look at the logs.

 

@PhilipDAth FWIW, we are told that that AutoVPN LAN termination feature only works from MX to MX.

Here to help

Re: Wireless Concentrator from LAN

There are issues with the MX being used as a DMZ guest anchor and using ISE for guest access, correct?

Kind of a big deal

Re: Wireless Concentrator from LAN

Well, I guess it should be possible to make it work - but you are trying to apply a Cisco WLC design to a different kind of system, a Cisco Meraki WiFi solution. And it seems applying a design built for a different system is causing you issues.

 

You would be better off applying a Cisco Meraki Design if you don't want grief.

Kind of a big deal

Re: Wireless Concentrator from LAN

In 99.99% of Meraki WiFi deployments it doesn't make sense to use Cisco ISE, because everything is built into the Meraki platform.  What are you hoping to gain by using Cisco ISE?

Here to help

Re: Wireless Concentrator from LAN

Hmm, except in the 100% of cases where it does make sense.   

 

If it is a small customer that is going full stack Meraki, I generally agree (unless they have a compliance issue or special use case). However, there are many customers that already have ISE deployed for their traditional wireless and wired networks. We have deployed a hybrid Meraki / Cisco solution quite often. One scenario is maintaining Cisco switching at all sites, and at times only deploying Meraki in smaller branch sites. We have also had customers that maintain Cisco wireless in their larger sites and deploy Meraki wireless in branch sites with no IT support. I am sure there are additional use cases that could occur in the myriad of customer environments that we all encounter.

 

In scenarios such as above, the customer often wants to maintain a consistent network policy across the enterprise.  I don't believe anyone would argue that the Meraki alternative to ISE is as fully featured, nor should it be considering the cost differential and the Meraki model for product and feature development.

 

There must be a not insignificant number of customers that have requested ISE support with their Meraki deployments, for Meraki to invest the time and effort in enhancing the integration of the solution.

 

Regards, Jason

 

 

Kind of a big deal

Re: Wireless Concentrator from LAN

On the whole, Meraki has pretty good ISE support. I guess I've just never felt endeared to ISE.  I find it difficult to give customers a good reason for buying ISE.

New here

Re: Wireless Concentrator from LAN

Is a transit VLAN required between the AP and MX, or just a permitted port range? If ports, which ones? I am trying to locate documentation on this. Thank you.
Kind of a big deal

Re: Wireless Concentrator from LAN

A transit VLAN is not required.  Could you not just allow "any" traffic between the Meraki AP IP address and the MX VPN concentrator IP address?

 

Also note that the APs will need to be able to talk to the Meraki cloud. You can get this info from Help/Firewall info while logged into the dashboard.

New here

Re: Wireless Concentrator from LAN

Thank you Philip!