Wireless Concentrator from LAN

SOLVED
ChrisB
Here to help

We are currently looking at deploying Meraki MR APs on our LAN with 2 SSIDs: one which will bridge to our corporate LAN, and a second which we hoped to VPN to an MX in our DMZ. We can get the APs to communicate with our dashboard and can configure them, but no Guest SSID VPN to the MX.

 

Is anyone able to assist?

 Meraki MX - DMZ.jpg

 

 

ww
Kind of a big deal

What is not working? Are you able to configure it?

Is your MX in passthrough/concentrator mode?

ChrisB
Here to help

We can't get the SSID VPN to establish from our LAN. If I connect to the MX directly we have no issue.

 

Does the SSID VPN use the LAN and/or WAN address as its target?

PhilipDAth
Kind of a big deal

The VPN is designed to establish from the "outside" of an MX, not the inside. If you upgrade to 13.28 on the MX it "might" work, as there was a new AutoVPN feature added to allow connection from an "inside" interface - but I wouldn't get your hopes up.

Due to corporate data levels, we require the segregation, so we would like to get Guest delivery into our DMZ.

 

Could this design be more suitable?

 

Meraki MX - DMZ.jpg

PhilipDAth
Kind of a big deal

You should be able to make that design work, as the MX would now be in VPN concentrator mode.

DCooper
Meraki Alumni (Retired)

Either design should work; the second design is more optimal, so stick with that. Do you have egress security on the firewall southbound in your sandwich DMZ? I have a hunch that is blocking traffic. You'll know if it still doesn't work; take a look at the logs.

 

@PhilipDAth FWIW, we are told that the AutoVPN LAN termination feature only works from MX to MX.

There are issues with the MX being used as a DMZ guest anchor and using ISE for guest access, correct?

Well, I guess it should be possible to make it work - but you are trying to apply a Cisco WLC design to a different kind of system, a Cisco Meraki WiFi solution. And it seems applying a design built for a different system is causing you issues.

 

You would be better off applying a Cisco Meraki Design if you don't want grief.

In 99.99% of Meraki WiFi deployments it doesn't make sense to use Cisco ISE, because everything is built into the Meraki platform.  What are you hoping to gain by using Cisco ISE?

Hmm, except in the 100% of cases where it does make sense.   

 

If it is a small customer that is going full stack Meraki, I generally agree (unless they have a compliance issue or special use case). However, there are many customers that already have ISE deployed for their traditional wireless and wired networks. We have deployed a hybrid Meraki / Cisco solution quite often. One scenario is maintaining Cisco switching at all sites, and at times only deploying Meraki in smaller branch sites. We have also had customers that maintain Cisco wireless in their larger sites and deploy Meraki wireless in branch sites with no IT support. I am sure there are additional use cases that could occur in the myriad of customer environments that we all encounter.

 

In scenarios such as above, the customer often wants to maintain a consistent network policy across the enterprise.  I don't believe anyone would argue that the Meraki alternative to ISE is as fully featured, nor should it be considering the cost differential and the Meraki model for product and feature development.

 

There must be a not insignificant number of customers that have requested ISE support with their Meraki deployments, for Meraki to invest the time and effort in enhancing the integration of the solution.

 

Regards, Jason

 

 

On the whole, Meraki has pretty good ISE support. I guess I've just never felt endeared to ISE.  I find it difficult to give customers a good reason for buying ISE.

Is a transit VLAN required between the AP and MX, or just a permitted port range? If ports, which ones? I am trying to locate documentation on this. Thank you.
PhilipDAth
Kind of a big deal

A transit VLAN is not required.  Could you not just allow "any" traffic between the Meraki AP IP address and the MX VPN concentrator IP address?

 

Also note that the APs will need to be able to talk to the Meraki cloud. You can get this info from Help / Firewall info while logged into the dashboard.

Thank you Philip!
PhilipDAth
Kind of a big deal

This looks like a Cisco WLC guest anchor style design.  This design is not suitable for Meraki.

 

Is there any reason you can't use the standard Meraki design of NAT mode and denying access to the local LAN?

https://meraki.cisco.com/blog/2013/09/secure-guest-access-in-3-steps/
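The two firewall questions raised in this thread - the sandwich-DMZ firewall must permit any traffic between the AP and the MX concentrator, and a NAT-mode guest SSID must deny the local LAN while still allowing Internet egress - can be sanity-checked offline with a small first-match rule evaluator. This is an added example, not Meraki's code or anything posted in the thread; the rule model, the addresses and subnets, the sample DMZ ruleset and the probe ports are all constructed assumptions, and the real cloud reachability requirements for the APs should be taken from the dashboard's Help / Firewall info page.

```python
"""First-match firewall policy check for the two designs discussed above.
Added example; all rules, addresses and ports below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    src: str                         # CIDR or "any"
    dst: str                         # CIDR or "any"
    proto: str = "any"               # "any", "tcp", "udp" or "icmp"
    dports: Optional[range] = None   # destination ports; None means any port
    comment: str = ""


def _net(cidr: str) -> ipaddress.IPv4Network:
    return ANY if cidr == "any" else ipaddress.ip_network(cidr, strict=False)


def first_match(rules: List[Rule], src_ip: str, dst_ip: str, proto: str,
                dport: Optional[int] = None, default: str = "deny") -> Tuple[str, Optional[Rule]]:
    """Evaluate one flow top-down; return (action, matching rule) or (default, None)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if s not in _net(r.src) or d not in _net(r.dst):
            continue
        if r.proto != "any" and r.proto != proto:
            continue
        if r.dports is not None and (dport is None or dport not in r.dports):
            continue
        return r.action, r
    return default, None


# Arbitrary sample flows used to probe an "allow any" requirement between two
# hosts. These are NOT Meraki's published ports; they only show that a
# protocol-specific egress policy will not satisfy "allow any".
PROBE_FLOWS = (("udp", 12345), ("tcp", 8443), ("icmp", None))


def ap_to_mx_permitted(rules: List[Rule], ap_ip: str, mx_ip: str, default: str = "deny") -> bool:
    """True if every probe flow from the AP to the MX concentrator is allowed."""
    return all(first_match(rules, ap_ip, mx_ip, p, d, default)[0] == "allow"
               for p, d in PROBE_FLOWS)


def add_mx_allow(rules: List[Rule], ap_subnet: str, mx_ip: str) -> List[Rule]:
    """Return a copy of the ruleset with bidirectional AP<->MX 'allow any' on top."""
    mx = f"{mx_ip}/32"
    return [Rule("allow", ap_subnet, mx, comment="AP to MX concentrator"),
            Rule("allow", mx, ap_subnet, comment="MX concentrator to AP")] + list(rules)


def guest_isolated(guest_rules: List[Rule], guest_ip: str,
                   corp_hosts: List[str], internet_host: str) -> bool:
    """True if the guest SSID L3 rules block every corporate host but still let
    the client reach the Internet. SSID rule lists here end in an implicit
    'allow any', so the evaluation default is 'allow'."""
    blocked = all(first_match(guest_rules, guest_ip, h, "tcp", 443, "allow")[0] == "deny"
                  for h in corp_hosts)
    egress = first_match(guest_rules, guest_ip, internet_host, "tcp", 443, "allow")[0] == "allow"
    return blocked and egress


# --- constructed sample data --------------------------------------------------
AP_SUBNET, AP_IP = "10.10.20.0/24", "10.10.20.5"   # AP management VLAN (assumed)
MX_IP = "192.0.2.10"                                # MX concentrator in the DMZ (assumed)

# A sandwich-DMZ firewall as it might ship: web egress only, then default deny.
DMZ_RULES = [
    Rule("allow", "10.0.0.0/8", "any", "tcp", range(80, 81), "web egress"),
    Rule("allow", "10.0.0.0/8", "any", "tcp", range(443, 444), "web egress"),
    Rule("deny", "any", "any", comment="default deny"),
]

# Guest SSID in NAT mode: deny the local LAN ranges, then the implicit allow-any.
GUEST_RULES = [Rule("deny", "any", n, comment="deny local LAN") for n in RFC1918]

if __name__ == "__main__":
    print("AP->MX before fix:", ap_to_mx_permitted(DMZ_RULES, AP_IP, MX_IP))
    print("AP->MX after fix: ", ap_to_mx_permitted(add_mx_allow(DMZ_RULES, AP_SUBNET, MX_IP), AP_IP, MX_IP))
    print("guest isolated:   ", guest_isolated(GUEST_RULES, "10.99.0.23",
                                               ["10.1.1.10", "172.16.5.5"], "198.51.100.7"))
```

Run against the constructed DMZ ruleset, the AP-to-MX check fails until the explicit AP/MX allow rules are prepended, which is the "egress security southbound" hunch from the thread; the guest check passes only when the deny-local-LAN rules precede the implicit allow-any. Swap in your own ruleset export and addresses to reproduce the check for a real sandwich DMZ.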
