04-15-2019 09:13 AM
Have some questions about the Client VPN; hoping someone can clarify it a bit for me. Is there any way to classify it as a VLAN at all? We have non-Meraki L3 switches at a few sites and I'm not entirely sure how to handle the VPN subnet. Don't want to start pruning VLANs on trunk ports and kill access for the Client VPN. I would like to give Client VPN access to one site that has site-to-site VPN access, without giving the Client VPN access to the entire organization, and limit it to only one or two IPs on the local network. Can I do that? Even with an L3 switch handling the routing?
04-15-2019 10:41 AM
If I understand correctly, your MX will route between the client VPN subnet and whatever subnet(s) or routes the MX knows exist.
You can use the firewall on the MX to restrict internal access: https://documentation.meraki.com/MX/Client_VPN/Restricting_Client_VPN_access_using_Layer_3_firewall_rules
04-15-2019 11:33 AM
But is there any way I can define this in the L3 switch as a VLAN? The case I am working on right now is this: the VPN needs to join a VLAN that is present on my switch network. But without a VLAN on the MX I feel that I am going to run into issues. Or am I going to need to have two subnets dedicated to this one function? (One for equipment on the network and another for VPN.)
04-15-2019 11:56 AM
Okay, are you trying to get the client VPN to share the same subnet as a pre-existing VLAN? If so, that's not going to work.
Client VPN should be an entirely separate subnet from anything else on your network. The MX needs to either belong to the pre-existing VLAN or have a static route configured. That means at least two subnets: One for client VPN, one for the rest of your network.
It might help if you read some about how the MX handles routing: https://documentation.meraki.com/MX/Networks_and_Routing/MX_Routing_Behavior
If you approach this as a "two subnets, communicating via router(s)" issue, then you're okay. If you try to handle this as pure layer 2, it's not going to work that way.
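The two points above, that the Client VPN pool must be a separate subnet from every LAN VLAN and that the MX layer 3 firewall is where you limit what the pool can reach, can be checked before touching the dashboard. This is an added example, not Meraki code or a Meraki API schema: the VLAN names, subnets and rule field names are constructed for illustration.

```python
import ipaddress

# Constructed example addressing (not from the thread): VLANs routed behind the
# MX / L3 switch, keyed by a descriptive name.
LAN_VLANS = {
    "vlan10-servers": "10.10.10.0/24",
    "vlan20-users": "10.10.20.0/24",
}


def vpn_pool_overlaps(vpn_pool, vlans=LAN_VLANS):
    """Return the names of VLANs whose subnet overlaps the Client VPN pool.

    The MX routes between the Client VPN pool and the LAN, so the pool must
    not share address space with any VLAN. A non-empty result means the
    "same subnet as the VLAN" design discussed in the thread will not work.
    """
    pool = ipaddress.ip_network(vpn_pool, strict=True)
    return sorted(name for name, cidr in vlans.items()
                  if pool.overlaps(ipaddress.ip_network(cidr)))


def client_vpn_rules(vpn_pool, allowed_hosts, vlans=LAN_VLANS):
    """Build an ordered allow-list for the MX layer 3 firewall.

    Rules are evaluated top-down: permit the VPN pool to the named hosts,
    then deny it to every LAN VLAN so it cannot reach anything else. The
    dict keys are illustrative field names, not the Meraki API schema.
    Raises ValueError if the pool overlaps a VLAN or an allowed host lies
    outside every VLAN (a rule that could never match anything).
    """
    clash = vpn_pool_overlaps(vpn_pool, vlans)
    if clash:
        raise ValueError(f"Client VPN pool {vpn_pool} overlaps {clash}")
    nets = [ipaddress.ip_network(cidr) for cidr in vlans.values()]
    rules = []
    for host in allowed_hosts:
        addr = ipaddress.ip_address(host)
        if not any(addr in net for net in nets):
            raise ValueError(f"{host} is not inside any LAN VLAN")
        rules.append({"policy": "allow", "protocol": "any",
                      "src": vpn_pool, "dst": f"{addr}/32"})
    for cidr in vlans.values():
        rules.append({"policy": "deny", "protocol": "any",
                      "src": vpn_pool, "dst": cidr})
    return rules
```

The deny rules cover only the LAN VLANs, so the pool still reaches the internet through the MX unless you add a broader deny; order the allows first, exactly as they are entered top-down in the dashboard.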
04-15-2019 12:21 PM
Yeah, I was trying to do it on the same subnet and was hoping I would be able to make it work. Looks like I'm not going to be able to. Thanks.
04-15-2019 12:22 PM
Given that you need at least two subnets, one for your LAN and one for Client VPN, I tried to create VLANs.
Sadly, I wasn't able to create a VLAN for the client VPN subnet so it can route through the LAN subnet.
04-15-2019 12:25 PM
Yeah, that's the boat I was in, and I was hoping I could VLAN tag the Client VPN. The issue I have with doing this at one site is I am getting hundreds of dropped events an hour and want to limit the amount of work the MX is doing to try and limit that. Moved L3 switching to the switch, but it looks like I can only do that to a limited scale.
01-23-2020 04:02 PM
Was just researching this exact question... I think...
So if I have a VLAN and corresponding SSID set up for the management of my Sonos speakers and I want to be able to get on that SSID/VLAN combo from out of town and run the firmware update on my speakers, VPN won't let me do that, is that right? Like I couldn't use the VPN to act like I'm on that SSID... right?