Meraki

Gx3 · ‎Mar 26 2021

hello,

just a questin regarding VPN: tunnel data to a concentrator for SSID

Layer 3 roaming with a concentrator is clear , the client is projected in the vlan directly attached to mx appliance and gets an ip from a remote DHCP

what happens when using VPN: tunnel data to a concentrator option?

(this is needed as we would like to use split tunnel )

the client still gets is IP from remote DHCP?

how is handled traffic from client leaving the AP outside the vpn?

sorry it seems I cannot find this kind of informations googling on...

thank you in advance

Bruce · ‎Apr 15 2021

@Gx3, wasn't sure on this one so I thought I'd let someone else respond. But obviously no-one else knew either. So I've just run in through my lab.

In split tunnel mode the client still gets the DHCP address from the remote (VPN concentrator) network.

In split tunnel mode if the traffic isn't going into the tunnel it is NATed to the management IP address.

Hope this confirms what you expected.

View solution in original post

Inderdeep · ‎Mar 26 2021

Hi @Gx3 Did you check the below post on VPN Concentrator Deployment Guide

https://documentation.meraki.com/MX/Deployment_Guides/VPN_Concentrator_Deployment_Guide

Regards
Inderdeep Singh

Regards/Inder
Cisco IT Blogs awarded in 2020 & 2021
www.thenetworkdna.com

Gx3 · ‎Mar 26 2021

Thank you for the link but still cannot find an answer in that document

MX appliance is in passtrough mode (external dhcp)

I presume the wireless clients on ssid configured in Tunnel mode to concentrator will get ip from that dhcp

but (assuming that) how split tunnel traffic (non vpn) can be handled ? (maybe via a nat mode on the local subnet ?)

sorry if I'didn't see that information

thank you

Gx3 · ‎Mar 31 2021

up

Gx3 · ‎Apr 14 2021

hello noone can answer this?

thanks

Bruce · ‎Apr 15 2021

@Gx3, wasn't sure on this one so I thought I'd let someone else respond. But obviously no-one else knew either. So I've just run in through my lab.

In split tunnel mode the client still gets the DHCP address from the remote (VPN concentrator) network.

In split tunnel mode if the traffic isn't going into the tunnel it is NATed to the management IP address.

Hope this confirms what you expected.

Gx3 · ‎Apr 16 2021

Yes! Thank you so much!!

CCIE11129

Previously it worked like this:

L3 roaming with concentrator = non-encrypted tunnel to MX

VPN tunnel data to concentrator = encrypted tunnel to MX

At some point Meraki changed it to this:

L3 roaming with concentrator = encrypted tunnel to MX

VPN tunnel data to concentrator = encrypted tunnel to MX

I'm not sure why Meraki made the decision to basically make them the same. When Meraki did this, we had older MRs (MR53) that took a huge performance hit with L3 Roaming. Seems that older models used hardware encryption for wireless client connections, but not on the connection to the MX. Newer models didn't have the performance hit (MR56 & MR57). We had to contact Meraki and ask them to disable encryption on certain SSIDs so we would run again with no encryption to avoid the performance hit.