We are currently looking at deploying Meraki MR APs on our LAN with two SSIDs: one which will bridge to our corporate LAN and a second which we hoped to VPN to an MX in our DMZ. We can get the APs to communicate with our dashboard and can configure them, but no Guest SSID VPN to the MX.
Is anyone able to assist?
This looks like a Cisco WLC guest anchor style design. This design is not suitable for Meraki.
Is there any reason you can't use the standard Meraki design of NAT mode and denying access to the local LAN?
We can't get the SSID VPN to establish from our LAN. If I connect to the MX directly we have no issue.
Does SSID VPN use LAN and/or WAN address to target?
The VPN is designed to establish from the "outside" of an MX, not the inside. If you upgrade to 13.28 on the MX it "might" work, as there was a new AutoVPN feature added to allow connection from an "inside" interface - but I wouldn't get your hopes up.
Either design should work; the second design is more optimal, so stick with that. Do you have egress security on the firewall southbound in your sandwich DMZ? I have a hunch that is blocking traffic. You'll know if it still doesn't work; take a look at the logs.
@PhilipDAth FWIW, we are told that the AutoVPN LAN termination feature only works from MX to MX.
Well, I guess it should be possible to make it work - but you are trying to apply a Cisco WLC design to a different kind of system, a Cisco Meraki WiFi solution. And it seems applying a design built for a different system is causing you issues.
You would be better off applying a Cisco Meraki Design if you don't want grief.
In 99.99% of Meraki WiFi deployments it doesn't make sense to use Cisco ISE, because everything is built into the Meraki platform. What are you hoping to gain by using Cisco ISE?
Hmm, except in the 100% of cases where it does make sense.
If it is a small customer that is going full stack Meraki, I generally agree (unless they have a compliance issue or special use case). However, there are many customers that already have ISE deployed for their traditional wireless and wired networks. We have deployed a hybrid Meraki / Cisco solution quite often. One scenario is maintaining Cisco switching at all sites, and at times only deploying Meraki in smaller branch sites. We have also had customers that maintain Cisco wireless in their larger sites and deploy Meraki wireless in branch sites with no IT support. I am sure there are additional use cases that could occur in the myriad of customer environments that we all encounter.
In scenarios such as above, the customer often wants to maintain a consistent network policy across the enterprise. I don't believe anyone would argue that the Meraki alternative to ISE is as fully featured, nor should it be considering the cost differential and the Meraki model for product and feature development.
There must be a not insignificant number of customers that have requested ISE support with their Meraki deployments, for Meraki to invest the time and effort in enhancing the integration of the solution.
On the whole, Meraki has pretty good ISE support. I guess I've just never felt endeared to ISE. I find it difficult to give customers a good reason for buying ISE.
A transit VLAN is not required. Could you not just allow "any" traffic between the Meraki AP IP address and the MX VPN concentrator IP address?
Also note that the APs will need to be able to talk to the Meraki cloud. You can get this info from Help / Firewall info while logged into the dashboard.