AlexP, We use the top option under SSID to send traffic to our wireless concentrator. I always wondered what the difference was between the two options. Does the first one allow the VLAN assignment capability and the second on work like an AutoVPN tunnel where the concentrator would route it after decryption? Would these two options exist for an SSID on an MX or Z3? If so, couldn't a Site-to-Site tunnel for LAN traffic be built using AutoVPN and a wireless SSID be configured with the second option creating two VPN tunnels? Instead of using VLAN assignment to place wireless traffic into the correct MPLS VPN, the wireless traffic would be placed appropriately the same as the LAN traffic through the AutoVPN using Multi-VRF with PBR like I described? Don't think this would be a big deal since only one MX can be in a network and copying the SSIDs from another would be necessary anyway. Would just have to change from option 1 to option 2 after the copy. Layer 3 roaming with a concentrator Clients are tunneled to a specified VLAN at the concentrator. They will keep the same IP address when roaming between APs. VPN: tunnel data to a concentrator Meraki devices send traffic over a secure tunnel to an MX concentrator. Now that I think about it, the top option at one point was not encrypted, but now is. I know this because when encryption was turned on for the top option, our wireless throughput was drastically reduced. It went something like 300Mbs to 80mbs per user. We had this feature disabled behind the curtain by TAC. This is a network by network setting behind the curtain. I found that when I create a new network that it has encryption on all SSIDs by default. With that being the case. I think I can just use option 1 like I currently do and the MX would build a VPN tunnel for the wireless traffic and VLAN assignment would work the way it does for our internal APs, but with the benefit of encryption over the internet..
... View more