Meraki in a Dell L2 switch environment

The_Roo
Getting noticed

I guess I know the answer to the question I'm going to ask, but I'll ask it anyway, because there is a lot of experience out there and someone may have managed to do what I want to do:

I have an existing Dell switch network. That is non-negotiable; it's not old enough to just write off and replace. It has L3-capable Core and Data centre switches, but the access switches are all N2048, which don't do VRF, don't do GRE, don't do any L3.

I want to run SSIDs for Guest and card payment, so in any other environment, using Meraki APs, I would have put those SSIDs into VLANs that were in VRFs and thus secure from the other traffic/users... but I can't build VRFs. I could, at a push, use GRE tunnels, but the access switches don't support GRE, either.

I can't mix traffic from secure and insecure VLANs in the same L3 environment ("VLANs aren't a security tool"), so it appears I can't use Meraki, but will have to use a controller-based solution, so the APs will pass all SSIDs to a WLC via CAPWAP (Cisco, etc.) or IPSec (Aruba, etc.) tunnels, then break them out in the core, where the switches DO handle VRFs and I can get them across to the firewall safely.

So here's the question: is there another way? I want to use Meraki, the user wants to use Meraki, but the Ethernet network appears to be a blocker unless I can work some magic...

Thanks

Roo

KarstenI
Kind of a big deal

With Meraki APs, you also can tunnel WLAN traffic to a concentrator device (which is a Meraki MX): https://documentation.meraki.com/MR/Client_Addressing_and_Bridging/SSID_Tunneling_and_Layer_3_Roamin...

Thomas_Sterber
Meraki Employee

You can tunnel the SSID's traffic per IPSec to a Meraki MX and break the traffic out.
This is similar to the WLC anchor controller.

rhbirkelund
Kind of a big deal

Meraki Wireless can do GRE tunneling, but you are limited by the fact that it needs to be within the Meraki portfolio. To use the GRE tunneling you'd configure your SSID as Tunneled, and then choose the Hub on which the GRE tunnels would terminate.

But, for this to happen, you'll need a Meraki MX.

You don't need to replace your entire Dell L3 with a Meraki MX, but you can configure it in VPN Concentrator mode, and then configure the Wireless to tunnel back to it as a Hub. This way you'll get the Wireless-Controller-like experience from Aruba or Cisco while using Meraki.

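The tunnelled-SSID setup described in the reply above is done in the Meraki dashboard, but it can also be expressed as a Dashboard API call, which makes it easy to check that every SSID that carries guest or card-payment traffic really is tunnelled to the MX hub and lands in its own VLAN there rather than being bridged onto the Dell access switches. The following is an added example, not code from the thread, from Meraki or from rhbirkelund. It assumes the Meraki Dashboard API v1 endpoint `PUT /networks/{networkId}/wireless/ssids/{number}` and the body fields `ipAssignmentMode`, `concentratorNetworkId` and `vlanId` as documented for that API; the network IDs, SSID names and API key are constructed placeholders. Nothing is sent unless `build_request()` is actually opened.

```python
"""Build and sanity-check Meraki Dashboard API SSID bodies for MX-tunnelled SSIDs.

Assumptions (not from the thread): Dashboard API v1, endpoint
PUT /networks/{networkId}/wireless/ssids/{number}, and the field names
ipAssignmentMode / concentratorNetworkId / vlanId. All IDs are placeholders.
"""
import json
import urllib.request

API_BASE = "https://api.meraki.com/api/v1"

# ipAssignmentMode values whose client traffic is carried to an MX concentrator
# instead of being dropped onto the local switch fabric.
TUNNELLED_MODES = {"Layer 3 roaming with a concentrator", "VPN"}
# ipAssignmentMode values whose client traffic is bridged or NATed locally,
# i.e. it traverses the L2 access switches in the clear.
LOCAL_MODES = {"Bridge mode", "NAT mode", "Layer 3 roaming"}


def tunnelled_ssid_payload(name, concentrator_network_id, vlan_id=None):
    """Return the request body for an SSID whose traffic is tunnelled to an MX hub.

    vlan_id tags the SSID's traffic on the concentrator side so that guest and
    payment flows arrive at the MX in separate VLANs rather than one flat segment.
    """
    body = {
        "name": name,
        "enabled": True,
        "ipAssignmentMode": "VPN",
        "concentratorNetworkId": concentrator_network_id,
    }
    if vlan_id is not None:
        body["vlanId"] = vlan_id
    return body


def check_segregation(ssid_configs):
    """Return findings for SSIDs that would undermine the tunnel-based segregation.

    Flags: an SSID bridged onto the local network, a tunnelled SSID with no
    concentrator, and two tunnelled SSIDs sharing one VLAN on the hub.
    """
    findings = []
    vlan_owner = {}
    for cfg in ssid_configs:
        mode = cfg.get("ipAssignmentMode")
        if mode in LOCAL_MODES:
            findings.append(f"{cfg['name']}: {mode} bridges onto the access switches")
            continue
        if mode in TUNNELLED_MODES and not cfg.get("concentratorNetworkId"):
            findings.append(f"{cfg['name']}: tunnelled mode without a concentrator")
        vlan = cfg.get("vlanId")
        if vlan is not None:
            if vlan in vlan_owner:
                findings.append(f"{cfg['name']}: shares VLAN {vlan} with {vlan_owner[vlan]}")
            vlan_owner[vlan] = cfg["name"]
    return findings


def build_request(api_key, network_id, ssid_number, body):
    """Return the unsent PUT request for the given SSID body (caller decides to send)."""
    return urllib.request.Request(
        f"{API_BASE}/networks/{network_id}/wireless/ssids/{ssid_number}",
        data=json.dumps(body).encode(),
        method="PUT",
        headers={"Authorization": f"Bearer {api_key}",
                 "Content-Type": "application/json"},
    )


if __name__ == "__main__":
    # Constructed sample: one SSID left in bridge mode, two tunnelled to the same hub.
    hub = "N_placeholder_hub_network"
    ssids = [
        {"name": "Staff", "ipAssignmentMode": "Bridge mode"},
        tunnelled_ssid_payload("Guest", hub, vlan_id=100),
        tunnelled_ssid_payload("Card payment", hub, vlan_id=200),
    ]
    for finding in check_segregation(ssids):
        print("WARN", finding)
    req = build_request("PLACEHOLDER_API_KEY", "N_placeholder_site", 1, ssids[1])
    print(req.get_method(), req.full_url)
```

Run against the SSID bodies fetched with the matching GET on each site, the check gives a quick audit that no guest or payment SSID has silently been put back into bridge mode on a Dell-connected AP.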
ww
Kind of a big deal

Maybe I don't understand the setup correctly.

But I don't understand why a layer 2 access switch is a problem here, as long as the L2 VLANs end up in the core in different VRFs.

The_Roo
Getting noticed

It's because I want to keep the traffic from the card payment machines in its own environment (VRF/tunnel), and I want to prevent the guest traffic from being able to inspect and interrogate the network structure (if it's in its own tunnel, it will see the two end points but can't see the Ethernet structure in between). This will give better security than a VLAN: hopping between VLANs is easier than hopping between VRFs.

Is "hopping" between VLANs easy in a wireless environment?

I, like WW writes, don't understand the major problem either.

But you could tunnel the traffic from an MR to an MX, but that still "mixes" things up in my opinion.

If you truly want all the VRF goodness, then it's the 9800, which actually supports VRFs on the box (let's call it "VRF light light" right now, but full VRF support is coming officially a little later for the 9800).

From version 17.12.x there is officially VRF support: https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-12/config-guide/b_wl_17_12_cg/m_vr...

But it's a... let's call it L2.5 VRF, not full L3, but still in separate instances.

I think that 17.15.x might be the release where full L3 VRF and routing is supported on the 9800; then you can actually terminate all the clients' L3 on the 9800 in each VRF, but don't judge me if I'm wrong and it's a later release.

The_Roo
Getting noticed

I'd thought of using MXs, but they don't support VRFs. I could tunnel my SSIDs securely from the AP to the MX, but what do I do with the traffic then? I need to extend the segregation to the firewall, so that the user, guest and card payment data flows don't mix anywhere but "inside" the firewall, under control of the firewall ruleset. If I use an MX, I can get the flows to the MX, but each SSID's flow would be in the same routing instance in the MX, and so the segregation is lost... or am I making too big a thing of that?

Thanks for the responses so far

Roo
