Previously it worked like this: L3 roaming with concentrator = non-encrypted tunnel to MX VPN tunnel data to concentrator = encrypted tunnel to MX   At some point Meraki changed it to this:   L3 roaming with concentrator = encrypted tunnel to MX VPN tunnel data to concentrator = encrypted tunnel to MX   I'm not sure why Meraki made the decision to basically make them the same. When Meraki did this, we had older MRs (MR53) that took a huge performance hit with L3 Roaming. Seems that older models used hardware encryption for wireless client connections, but not on the connection to the MX. Newer models didn't have the performance hit (MR56 & MR57). We had to contact Meraki and ask them to disable encryption on certain SSIDs so we would run again with no encryption to avoid the performance hit.     ... View more

AlexP,   We use the top option under SSID to send traffic to our wireless concentrator. I always wondered what the difference was between the two options. Does the first one allow the VLAN assignment capability and the second on work like an AutoVPN tunnel where the concentrator would route it after decryption? Would these two options exist for an SSID on an MX or Z3? If so, couldn't a Site-to-Site tunnel for LAN traffic be built using AutoVPN and a wireless SSID be configured with the second option creating two VPN tunnels? Instead of using VLAN assignment to place wireless traffic into the correct MPLS VPN, the wireless traffic would be placed appropriately the same as the LAN traffic through the AutoVPN using Multi-VRF with PBR like I described? Don't think this would be a big deal since only one MX can be in a network and copying the SSIDs from another would be necessary anyway. Would just have to change from option 1 to option 2 after the copy.      Layer 3 roaming with a concentrator Clients are tunneled to a specified VLAN at the concentrator. They will keep the same IP address when roaming between APs.  VPN: tunnel data to a concentrator Meraki devices send traffic over a secure tunnel to an MX concentrator.     Now that I think about it, the top option at one point was not encrypted, but now is. I know this because when encryption was turned on for the top option, our wireless throughput was drastically reduced. It went something like 300Mbs to 80mbs per user. We had this feature disabled behind the curtain by TAC. This is a network by network setting behind the curtain. I found that when I create a new network that it has encryption on all SSIDs by default. With that being the case. I think I can just use option 1 like I currently do and the MX would build a VPN tunnel for the wireless traffic and VLAN assignment would work the way it does for our internal APs, but with the benefit of encryption over the internet.. ... View more

AlexP,   Thanks for the info.   With SSID tunneling, the traffic is placed in a VLAN either configured on the SSID or ISE policy. With Auto-VPN, I don't think you can place the tunneled traffic into a VLAN and assumed this is why the VPN concentrator would route the unencrypted traffic instead of bridging it. Can you confirm this is true?   Being able to use the MX or Z3 wireless through the VPN tunnel to a wireless concentrator (would be the same as the VPN concentrator in my case) would be nice.   Being able to put different remote locations in different VLANs at the DC would be nice, but not sure how routing would work in that situation. No VLAN assignment is why I am looking at Multi-VRF with PBR. ... View more

If this setup does work, are wireless capable MX or Z devices able to use the MX450 wireless concentrator like the APs do? If so, would it be able to do so through the VPN tunnel? Seems like it would need to use it's LAN side IP, and I'm not sure if that is possible. ... View more