Cisco Meraki Access Points currently do not support terminating a VPN on a Cisco PIX or on third-party VPN concentrators. Cisco Meraki APs require an MX Security Appliance or a Virtual Concentrator, which can easily be installed on a VMware ESX host or on an existing server on the LAN using VMware Player.
When an SSID is configured in NAT mode, wireless clients are handed the MR access point (AP) as their DNS server. The AP then acts as a DNS proxy and forwards the clients' queries to its own configured upstream DNS server. This article shows how to set custom DNS servers for a NAT SSID instead of relying on the AP's upstream DNS server. This is typically used to direct NAT SSID clients to a DNS server that performs content filtering.
The Meraki VPN concentrator can be used with the Meraki MR Access Points to have a specific SSID tunnel traffic back to a VM Concentrator on the corporate network. A very common use for this feature is for teleworkers who would like to have their wireless clients simply join an SSID and be tunneled into the private LAN behind the VM Concentrator.
Ethernet over GRE (EoGRE) is an unencrypted, stateless layer 2 tunneling technology. It is typically used for aggregating WiFi traffic from hotspots to a centralized gateway. This solution enables Customer Premises Equipment (CPE) to bridge the Layer 2 traffic from an end host to an aggregation gateway. The encapsulated traffic consists of Ethernet frames carried behind a GRE header, creating a virtual tunnel. Because EoGRE provides neither encryption nor authentication of the tunneled frames, the path between the AP and the gateway must be trusted, or the tunnel must be carried over a separately secured link.
Layer 2 Tunneling Protocol version 3 (L2TPv3), used here in its stateless form, is an unencrypted layer 2 tunneling technology that is typically used for aggregating WiFi traffic from hotspots to a centralized gateway. This solution enables Customer Premises Equipment (CPE) to bridge the Layer 2 traffic from an end host to an aggregation gateway. The encapsulated traffic consists of Ethernet frames carried behind an L2TPv3 header, creating a virtual tunnel. Like EoGRE, L2TPv3 encrypts nothing; its optional per-session cookie only makes blind packet injection harder and does not hide the client's traffic from an on-path observer.
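The two encapsulations described above, as an added example that is not Meraki's code and does not reproduce any MR firmware behaviour: it wraps one constructed 802.1Q-tagged Ethernet frame in an EoGRE header (GRE protocol type 0x6558, transparent Ethernet bridging) and in an L2TPv3-over-IP data header (32-bit session ID plus cookie), decapsulates both, and shows that the client's request is readable in the on-wire bytes. The MAC addresses, session ID, cookie, GRE key and HTTP payload are invented sample values; the outer IP headers (protocol 47 for GRE, 115 for L2TPv3 over IP) are omitted.

```python
"""Added example (not Meraki code): build and parse EoGRE and L2TPv3 data
packets around one 802.1Q-tagged Ethernet frame, and show that neither
encapsulation hides the tunnelled payload from an on-path observer."""
import hmac
import struct

GRE_PROTO_TEB = 0x6558                 # GRE protocol type: Transparent Ethernet Bridging
GRE_FLAG_C, GRE_FLAG_K, GRE_FLAG_S = 0x8000, 0x2000, 0x1000
ETHERTYPE_8021Q, ETHERTYPE_IPV4 = 0x8100, 0x0800


def build_frame(dst_mac, src_mac, payload, vlan_id=None):
    """Ethernet II frame, optionally 802.1Q tagged (constructed sample frame;
    the payload stands in for the client's IP packet)."""
    frame = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    if vlan_id is not None:
        frame += struct.pack("!HH", ETHERTYPE_8021Q, vlan_id & 0x0FFF)  # PCP=0, DEI=0
    return frame + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_frame(frame):
    """Return (vlan_id or None, ethertype, payload) from a raw frame."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETHERTYPE_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        return tci & 0x0FFF, ethertype, frame[18:]
    return None, ethertype, frame[14:]


def gre_encap(frame, key=None):
    """GRE header: flags/version word (K bit set when a key is carried),
    protocol type 0x6558, optional 32-bit key, then the frame unchanged."""
    flags = GRE_FLAG_K if key is not None else 0
    hdr = struct.pack("!HH", flags, GRE_PROTO_TEB)
    if key is not None:
        hdr += struct.pack("!I", key)
    return hdr + frame


def gre_decap(pkt):
    """Strip a GRE header and return (key, inner frame); rejects anything
    that is not version-0 GRE carrying transparent Ethernet bridging."""
    flags, proto = struct.unpack("!HH", pkt[:4])
    if proto != GRE_PROTO_TEB or flags & 0x0007:
        raise ValueError("not an Ethernet-over-GRE packet")
    off, key = 4, None
    if flags & GRE_FLAG_C:
        off += 4                      # checksum + reserved1
    if flags & GRE_FLAG_K:
        key = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    if flags & GRE_FLAG_S:
        off += 4                      # sequence number
    return key, pkt[off:]


def l2tpv3_encap(frame, session_id, cookie=b""):
    """L2TPv3-over-IP data message: 32-bit Session ID, optional 0/4/8-byte
    cookie, then the frame (no L2-specific sublayer, the Ethernet PW default)."""
    if len(cookie) not in (0, 4, 8):
        raise ValueError("cookie must be 0, 4 or 8 bytes")
    return struct.pack("!I", session_id) + cookie + frame


def l2tpv3_decap(pkt, session_id, cookie=b""):
    """Check session ID and cookie before handing the frame up; the cookie is
    the only defence against blind spoofing and provides no confidentiality."""
    if struct.unpack("!I", pkt[:4])[0] != session_id:
        raise ValueError("unknown L2TPv3 session")
    if not hmac.compare_digest(pkt[4:4 + len(cookie)], cookie):
        raise ValueError("bad L2TPv3 cookie")
    return pkt[4 + len(cookie):]


def demo():
    """Constructed hotspot client request on VLAN 20, sent through both tunnels."""
    payload = b"GET /login?user=alice HTTP/1.1\r\nHost: portal.example\r\n\r\n"
    frame = build_frame("00:18:0a:00:00:01", "3c:22:fb:00:00:02", payload, vlan_id=20)
    cookie = bytes.fromhex("deadbeefcafef00d")    # invented 8-byte session cookie

    gre_pkt = gre_encap(frame, key=0x2A)
    l2tp_pkt = l2tpv3_encap(frame, session_id=0x1234, cookie=cookie)

    key, inner_gre = gre_decap(gre_pkt)
    inner_l2tp = l2tpv3_decap(l2tp_pkt, 0x1234, cookie)
    vlan, _ethertype, inner_payload = parse_frame(inner_gre)
    return {
        "gre_key": key,
        "vlan": vlan,
        "roundtrip_ok": inner_gre == frame == inner_l2tp and inner_payload == payload,
        # Anyone between the AP and the gateway can read (and inject) this.
        "cleartext_on_wire": b"user=alice" in gre_pkt and b"user=alice" in l2tp_pkt,
    }


if __name__ == "__main__":
    print(demo())
```

The decapsulation side is where the practical checks live: a receiver should drop GRE packets whose protocol type is not 0x6558 and L2TPv3 packets whose session ID or cookie does not match, and should treat the cookie comparison as an anti-spoofing measure only, since the frame itself crosses the path in clear text either way.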
On an MR access point, a client that connects to an SSID set to NAT Mode is assigned an address from an isolated 10.0.0.0/8 range by the AP's built-in DHCP (Meraki DHCP) and can then be granted limited access to the local LAN. This causes conflicts when a 10.x.x.x addressing scheme is already in use elsewhere on the network. This article describes how a conflict between NAT Mode's Meraki DHCP range and a site-to-site VPN subnet is handled, as well as the recommended solutions.
Cisco Meraki product lines offer various types of VPN options for small office and remote deployments. Each option is recommended for a different scenario, ranging from a single client to several wired and wireless clients. If you have a complex requirement not covered below, please contact your Cisco Meraki account executive to discuss what would be the best fit for your particular needs.
A RADIUS server can send VLAN information to the AP in RADIUS Access-Accept messages. To send VLAN information, three RADIUS attributes must be returned by your RADIUS policy:
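The VLAN-assignment reply in working code, as an added example that is not Meraki's code and not the code of any RADIUS server: it encodes the three RFC 3580 tunnel attributes (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = the VLAN number as a string) into an Access-Accept, checks the Response Authenticator the way a NAS should before trusting the reply, and extracts the VLAN only when all three attributes are present with matching tags. The shared secret, packet identifier and VLAN numbers are invented sample values.

```python
"""Added example (not Meraki or any RADIUS server's code): encode the three
RFC 3580 VLAN attributes into a RADIUS Access-Accept, verify the Response
Authenticator as a NAS should, and extract the assigned VLAN."""
import hashlib
import hmac
import os
import struct

ACCESS_ACCEPT = 2
ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE, ATTR_TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13            # RFC 3580
TUNNEL_MEDIUM_IEEE_802 = 6       # RFC 3580


def tunnel_int_attr(attr_type, value, tag=0):
    """RFC 2868 tagged integer attribute: 1 tag byte + 3-byte big-endian value."""
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def tunnel_str_attr(attr_type, value, tag=0):
    """RFC 2868 tagged string attribute: 1 tag byte + string (VLAN as digits)."""
    data = bytes([tag]) + value.encode()
    return struct.pack("!BB", attr_type, 2 + len(data)) + data


def vlan_attributes(vlan_id, tag=0):
    """The three attributes a RADIUS policy returns to assign a VLAN."""
    return (tunnel_int_attr(ATTR_TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag)
            + tunnel_int_attr(ATTR_TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802, tag)
            + tunnel_str_attr(ATTR_TUNNEL_PRIVATE_GROUP_ID, str(vlan_id), tag))


def build_access_accept(identifier, request_authenticator, attrs, secret):
    """Code | ID | Length | Response Authenticator | Attributes, where the
    authenticator is MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(head + request_authenticator + attrs + secret).digest()
    return head + resp_auth + attrs


def parse_attributes(raw):
    """Yield (type, value) pairs; refuse malformed lengths rather than guess."""
    off = 0
    while off < len(raw):
        t, length = raw[off], raw[off + 1]
        if length < 2 or off + length > len(raw):
            raise ValueError("malformed attribute")
        yield t, raw[off + 2:off + length]
        off += length


def vlan_from_access_accept(pkt, request_authenticator, secret):
    """Authenticate the reply, then require Tunnel-Type=VLAN, Tunnel-Medium-
    Type=IEEE-802 and a Tunnel-Private-Group-ID sharing one tag. Returns the
    VLAN as an int, or None when the reply carries no usable assignment."""
    code, _identifier, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_ACCEPT or length != len(pkt):
        return None
    attrs = pkt[20:length]
    expected = hashlib.md5(pkt[:4] + request_authenticator + attrs + secret).digest()
    if not hmac.compare_digest(expected, pkt[4:20]):
        raise ValueError("Response Authenticator mismatch: reply not from the trusted server")
    found = {}
    for t, v in parse_attributes(attrs):
        if t in (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE):
            found[(t, v[0])] = int.from_bytes(v[1:], "big")
        elif t == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            # A first byte above 0x1F is part of the string, not a tag (RFC 2868).
            tag, text = (v[0], v[1:]) if v[0] <= 0x1F else (0, v)
            found[(t, tag)] = text.decode()
    for tag in range(0x20):
        if (found.get((ATTR_TUNNEL_TYPE, tag)) == TUNNEL_TYPE_VLAN
                and found.get((ATTR_TUNNEL_MEDIUM_TYPE, tag)) == TUNNEL_MEDIUM_IEEE_802
                and (ATTR_TUNNEL_PRIVATE_GROUP_ID, tag) in found):
            vid = int(found[(ATTR_TUNNEL_PRIVATE_GROUP_ID, tag)])
            if 1 <= vid <= 4094:
                return vid
    return None


def demo(secret=b"example-shared-secret"):
    """Constructed exchange: the AP's Request Authenticator is random, the
    server answers with VLAN 30, and a copy edited in flight must be rejected."""
    request_auth = os.urandom(16)
    accept = build_access_accept(0x7B, request_auth, vlan_attributes(30), secret)
    vlan = vlan_from_access_accept(accept, request_auth, secret)
    tampered = accept[:-1] + b"1"         # "30" becomes "31", authenticator stale
    try:
        vlan_from_access_accept(tampered, request_auth, secret)
        tampered_rejected = False
    except ValueError:
        tampered_rejected = True
    return vlan, tampered_rejected


if __name__ == "__main__":
    print(demo())
```

Two details matter in practice: the Response Authenticator is the only thing that ties the VLAN assignment to the shared secret, so a NAS that skips that check can be steered into any VLAN by a spoofed reply; and the tag byte of Tunnel-Private-Group-ID is optional, so a parser that always strips the first byte will mangle a VLAN string whose first character is above 0x1F.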
It is often necessary to configure VLANs on your network to limit broadcast traffic, segment traffic, or restrict traffic for security reasons. If you already have VLANs implemented on your wired network, you can extend them to your wireless network with MR Access Points, which support IEEE 802.1Q VLAN tagging in Bridge mode. These VLAN tags can be applied per-SSID, per-user, per-device or per-AP.