VPN: tunnel data to a concentrator

Solved
Gx3
Conversationalist

VPN: tunnel data to a concentrator

hello, 

 

just a question regarding the "VPN: tunnel data to a concentrator" option for an SSID

 

Layer 3 roaming with a concentrator is clear: the client is projected into the VLAN directly attached to the MX appliance and gets an IP from a remote DHCP server.

 

What happens when using the "VPN: tunnel data to a concentrator" option?

(This is needed as we would like to use split tunnel.)

Does the client still get its IP from the remote DHCP server?

How is traffic from the client that leaves the AP outside the VPN handled?

 

Sorry, it seems I cannot find this kind of information by googling...

 

thank you in advance

 

 

1 Accepted Solution
Bruce
Kind of a big deal

@Gx3, wasn't sure on this one so I thought I'd let someone else respond. But obviously no-one else knew either. So I've just run it through my lab.

 

In split tunnel mode the client still gets the DHCP address from the remote (VPN concentrator) network.

In split tunnel mode if the traffic isn't going into the tunnel it is NATed to the management IP address.

 

Hope this confirms what you expected.

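The two behaviours Bruce reports (remote DHCP lease kept, non-tunnelled traffic NATed to the AP's management IP) have a practical consequence for anyone writing firewall rules or reading logs on the local LAN: locally broken-out traffic no longer carries the client's address. The following model of that forwarding decision is an added example, not code from the thread or from Meraki; the client address, AP management address, split-tunnel prefixes and the two-path split are constructed assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample values (assumptions, not taken from the thread):
# the client's lease comes from the DHCP server on the MX side of the tunnel,
# the AP's own address sits on the local LAN where the AP is plugged in.
CLIENT_IP = ipaddress.ip_address("10.50.0.23")      # lease from remote DHCP behind the MX
AP_MGMT_IP = ipaddress.ip_address("192.168.1.40")   # AP management IP on the local LAN

# Assumed split-tunnel policy: only these destinations go into the VPN tunnel.
SPLIT_TUNNEL_PREFIXES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
]


@dataclass(frozen=True)
class Forwarded:
    """How the AP forwards one client packet in this model."""
    path: str                         # "tunnel" or "local-nat"
    src: ipaddress._BaseAddress       # source address as seen at the destination
    dst: ipaddress._BaseAddress


def forward(dst, client_ip=CLIENT_IP, ap_mgmt_ip=AP_MGMT_IP,
            prefixes=SPLIT_TUNNEL_PREFIXES):
    """Model the split-tunnel decision for a packet from the client to `dst`.

    Destinations inside a split-tunnel prefix are carried in the tunnel and keep
    the client's remote-DHCP address as source; anything else leaves the AP on
    the local LAN with the source rewritten to the AP's management IP.
    """
    dst = ipaddress.ip_address(dst)
    if any(dst in prefix for prefix in prefixes):
        return Forwarded("tunnel", client_ip, dst)
    return Forwarded("local-nat", ap_mgmt_ip, dst)


def expected_sources(destinations, **kwargs):
    """Group destinations by path and report which source IP each side will see.

    Useful for a local-LAN firewall/log review: every entry under "local-nat"
    appears to come from the AP management IP, so per-client attribution for
    that traffic has to come from the AP/controller side, not from LAN logs.
    """
    seen = {"tunnel": set(), "local-nat": set()}
    for dst in destinations:
        result = forward(dst, **kwargs)
        seen[result.path].add(str(result.src))
    return {path: sorted(srcs) for path, srcs in seen.items()}


if __name__ == "__main__":
    # Constructed sample flows: one corporate destination, one internet host.
    for dst in ("10.20.30.40", "172.16.5.5", "8.8.8.8", "93.184.216.34"):
        fwd = forward(dst)
        print(f"{dst:>15} -> {fwd.path:9} src seen as {fwd.src}")
    print(expected_sources(["10.20.30.40", "8.8.8.8"]))
```

Because the model returns the source address each destination observes, it can be used to sanity-check a local firewall policy: the only local-LAN source you need to permit (and the only one you will see in local logs) for split-tunnelled clients is the AP management IP, while anything reaching the MX side still shows the client's own lease.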

Inderdeep
Kind of a big deal

Hi @Gx3, did you check the post below on the VPN Concentrator Deployment Guide?

https://documentation.meraki.com/MX/Deployment_Guides/VPN_Concentrator_Deployment_Guide

 

Regards
Inderdeep Singh

 

Regards/Inder
Cisco IT Blogs awarded in 2020 & 2021
www.thenetworkdna.com
Gx3
Conversationalist

Thank you for the link, but I still cannot find an answer in that document.

 

The MX appliance is in passthrough mode (external DHCP).

 

I presume the wireless clients on an SSID configured in tunnel mode to the concentrator will get an IP from that DHCP server,

but (assuming that) how can split-tunnel traffic (non-VPN) be handled? (Maybe via NAT mode on the local subnet?)

 

Sorry if I didn't see that information.

 

thank you

 

 

 

 

Gx3
Conversationalist

up

Gx3
Conversationalist

Hello, can no one answer this?

 

thanks


Gx3
Conversationalist

Yes! Thank you so much!!

CCIE11129
Here to help

Previously it worked like this:

L3 roaming with concentrator = non-encrypted tunnel to MX

VPN tunnel data to concentrator = encrypted tunnel to MX

 

At some point Meraki changed it to this:

 

L3 roaming with concentrator = encrypted tunnel to MX

VPN tunnel data to concentrator = encrypted tunnel to MX

 

I'm not sure why Meraki made the decision to basically make them the same. When Meraki did this, we had older MRs (MR53) that took a huge performance hit with L3 Roaming. Seems that older models used hardware encryption for wireless client connections, but not on the connection to the MX. Newer models didn't have the performance hit (MR56 & MR57). We had to contact Meraki and ask them to disable encryption on certain SSIDs so we would run again with no encryption to avoid the performance hit.

 

 
