Mesh MR36 not using Wireless Alternate Management Interface

Solved
Santi
Comes here often

Hi all,

I have two MR36, one as mesh and the other one as gateway connected to an MX68 in routed mode. 

MX250 is in VPN Concentrator mode. 

VLAN 1 is defined as in VPN, VLAN 2 is for local breakout and VLAN 3 is for management (native VLAN on the trunk interfaces).

Initially, with these settings, the access point couldn't reach my RADIUS server. After setting the Wireless Alternate Management Interface in VLAN 1 for RADIUS, clients under the MR36 in gateway mode reached my RADIUS server, but clients under the MR36 in repeater mode didn't.

 

Doing some packet captures, communication to my RADIUS server from the gateway is done by the alternate management interface in VLAN 1, but the repeater uses the gateway's LAN IP (VLAN 3) to reach my RADIUS server instead of VLAN 1.

 

Is it possible to configure the mesh MR36 to use VLAN 1 for RADIUS as the gateway does?

Also, is it possible to make the MX68 route all traffic, like a WLC in central mode does?

 

Thanks in advance!

4 Replies
Bruce
Kind of a big deal

Hi Santi, welcome. Firstly, I'm not sure of the expected behaviour of the AP as a repeater with regards to the alt management interface - it's a relatively new feature. You might have to contact support to confirm what you're seeing is expected behaviour; it sounds like it could be.

 

With regards to using the MX68 as a wireless concentrator, that's unlikely to work for you as the MR has to connect to the WAN interface of the MX.

 

Out of interest, any reason why you can't put VLAN 3 into the VPN and then use the standard management interface? This will allow connectivity to the RADIUS server (assuming this is on the other side of the VPN - which is why it wouldn't work when VLAN 3 wasn't in the VPN), and will mean you don't have to use the alt management interface.

Santi
Comes here often

Bruce,

Thanks for your answer. That is a possible solution we have in mind, but putting VLAN 3 in the tunnel means that all the communication to the Meraki Cloud from the MR36, instead of using the MX68 Internet, will use the MX250 (VPN concentrator) Internet access.

Till now we have 10 remote locations with MR36 and more coming soon. 

 

In VLAN 3, is it possible to make all traffic use the local Internet and only the RADIUS service go through the VPN?

 

Thanks!

Bruce
Kind of a big deal

Assuming that your site is configured as a spoke, then all you need to do on the AutoVPN setup is make sure that there is no check mark under the ‘Default Route’ in the hubs list.

 

If none of the hubs are checked as 'Default Route' then only traffic destined for subnets behind the VPN concentrator will be sent over the VPN; anything else will be sent straight to the internet locally - i.e. split tunnel operation. If you have one of the hubs checked as 'Default Route' then all traffic is sent over the VPN, either to the appropriate hub, or if it's an unknown destination to the 'Default Route' hub - i.e. full tunnel operation.

 

Having said all that though, Meraki management traffic (i.e. that destined for the Meraki Cloud) is actually always sent directly to the internet, and not into the AutoVPN tunnel. See the 'Full Tunnel or Split Tunnel' section in this document: https://documentation.meraki.com/MX/Site-to-site_VPN/Meraki_Auto_VPN
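
As an added example (not code from this thread or from Meraki), the routing decision described in the answer above written out as a small Python check: the config dict mirrors the shape of a spoke's site-to-site VPN settings as returned by the Meraki Dashboard API (field names are an assumption), and the addresses, hub id and hub-side subnet are constructed placeholders.

```python
# Added example: models where a spoke MX sends a packet under split vs full
# tunnel AutoVPN. Config field names are assumed to match the Dashboard API's
# site-to-site VPN object; all addresses and ids below are constructed samples.
import ipaddress

# Constructed sample: spoke MX68 with three VLANs and one hub (the MX250).
# 'useDefaultRoute' is the 'Default Route' checkbox in the hubs list.
SPOKE_VPN = {
    "mode": "spoke",
    "hubs": [{"hubId": "N_HUB_PLACEHOLDER", "useDefaultRoute": False}],
    "subnets": [
        {"localSubnet": "10.1.1.0/24", "useVpn": True},   # VLAN 1: in VPN
        {"localSubnet": "10.1.2.0/24", "useVpn": False},  # VLAN 2: local breakout
        {"localSubnet": "10.1.3.0/24", "useVpn": True},   # VLAN 3: mgmt, now in VPN
    ],
}
# Constructed: subnets advertised behind the hub, e.g. the RADIUS server's LAN.
HUB_SUBNETS = {"N_HUB_PLACEHOLDER": ["10.100.0.0/16"]}


def tunnel_mode(cfg):
    """'full' if any hub is the default route, otherwise 'split'."""
    return "full" if any(h["useDefaultRoute"] for h in cfg["hubs"]) else "split"


def next_hop(cfg, hub_subnets, src_ip, dst_ip, meraki_cloud=False):
    """Return 'vpn:<hubId>' or 'local' for a packet from a spoke VLAN."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    # Meraki Cloud management traffic always leaves locally, tunnel mode or not.
    if meraki_cloud:
        return "local"
    # A VLAN not enabled for VPN never enters the tunnel, whatever the hubs say.
    src_net = next((s for s in cfg["subnets"]
                    if src in ipaddress.ip_network(s["localSubnet"])), None)
    if src_net is None or not src_net["useVpn"]:
        return "local"
    # Destination behind a hub: sent over AutoVPN to that hub.
    for hub in cfg["hubs"]:
        if any(dst in ipaddress.ip_network(n) for n in hub_subnets.get(hub["hubId"], [])):
            return f"vpn:{hub['hubId']}"
    # Unknown destination: the default-route hub under full tunnel, else local internet.
    for hub in cfg["hubs"]:
        if hub["useDefaultRoute"]:
            return f"vpn:{hub['hubId']}"
    return "local"
```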

Santi
Comes here often

Bruce,

Thanks for your help, unchecking "Default Route" on the hubs cleared this issue. 
