Configuring Non-Meraki VPN Peer Availability for MX and Z Series Devices – Building the Dashboard
Another common implementation of network tags is to use them to scope non-Meraki VPN peer configurations across different networks in the Dashboard. To simplify the configuration of non-Meraki VPN peers across multiple Dashboard networks, the non-Meraki VPN peer configurations entered on the Dashboard are configured at an organization-wide level, meaning that, by default, when a non-Meraki peer is configured, that peering configuration is pushed to all MX and Z series devices with VPN enabled. This allows a non-Meraki peer to be configured one time on the Dashboard and have that configuration available to any Meraki device that needs to build a tunnel to that peer.
But what if not all Meraki devices should be attempting to build a VPN tunnel to that peer? In that case, you can use network tags to scope the availability of non-Meraki VPN peer configurations similarly to how you can use device tags to scope SSID availability. When configuring non-Meraki VPN peers on the Security Appliance > Site-to-Site VPN page, an Availability field is presented for each non-Meraki peer that enables you to select from any currently defined network tags from either Security Appliance or Combined networks. In this case, network tags are used because they are not dependent on a specific device and will allow the VPN configuration scope to remain unchanged when swapping or replacing security appliances. This also has the added advantage of only requiring a single tag application for high availability (HA) pairs.
Pro Tip
Non-Meraki VPN peer configurations can also be explicitly scoped to No Networks to retain but disable the current configuration in the Dashboard.
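To make the scoping rules above concrete, the following Python is an added example (not code from the book and not Meraki's own tooling). It simulates how a peer's Availability setting decides which Dashboard networks receive an organization-wide non-Meraki peer: "all", "none" (the "No Networks" pro tip), or one or more network tags, with only VPN-enabled Security Appliance or Combined networks as candidates. The `Network` class, the sample networks and their tags are constructed for illustration, and the `build_peer_payload` dictionary shape (`publicIp`, `privateSubnets`, `secret`, `networkTags`) is an assumption about the Dashboard API's third-party VPN peer entries that should be checked against the current API documentation before use.

```python
# Added example (not from the book): simulate how a non-Meraki VPN peer's
# Availability setting (network tags) decides which Dashboard networks
# receive the peer configuration. The API payload shape is an assumption.
from dataclasses import dataclass, field


@dataclass
class Network:
    name: str
    product_types: tuple          # e.g. ("appliance",) or ("appliance", "wireless")
    tags: frozenset = field(default_factory=frozenset)
    site_to_site_vpn: bool = True  # whether the MX/Z in this network has VPN enabled


def validate_availability(network_tags):
    """Availability is either ["all"], ["none"], or one or more tag names.
    'all'/'none' cannot be mixed with tag names; raises ValueError if invalid."""
    tags = list(network_tags)
    if not tags:
        raise ValueError("availability must name at least one tag, 'all' or 'none'")
    if ("all" in tags or "none" in tags) and len(tags) != 1:
        raise ValueError("'all' and 'none' are exclusive availability settings")
    return tags


def effective_peer_scope(network_tags, networks):
    """Return the sorted names of networks that will receive the peer config.

    Only networks containing an MX/Z (product type 'appliance', i.e. Security
    Appliance or Combined networks) with VPN enabled are candidates; the peer is
    then pushed to all of them, none of them, or those carrying any listed tag.
    Because tags live on the network, an HA pair is covered by one tag.
    """
    tags = validate_availability(network_tags)
    candidates = [n for n in networks
                  if "appliance" in n.product_types and n.site_to_site_vpn]
    if tags == ["none"]:
        selected = []                     # config retained in Dashboard, pushed nowhere
    elif tags == ["all"]:
        selected = candidates             # default organization-wide behaviour
    else:
        wanted = set(tags)
        selected = [n for n in candidates if n.tags & wanted]
    return sorted(n.name for n in selected)


def build_peer_payload(name, public_ip, private_subnets, secret, network_tags):
    """Assumed shape of one entry in the organization-wide third-party VPN peer
    list (hypothetical field names; verify against the Dashboard API docs).
    Tag names are stored exactly as typed in the Availability field."""
    return {
        "name": name,
        "publicIp": public_ip,
        "privateSubnets": list(private_subnets),
        "secret": secret,
        "networkTags": validate_availability(network_tags),
    }


# Constructed sample networks (hypothetical names and tags).
SAMPLE_NETWORKS = [
    Network("Branch-East", ("appliance",), frozenset({"branch", "east"})),
    Network("Branch-West", ("appliance",), frozenset({"branch", "west"})),
    Network("HQ-Combined", ("appliance", "wireless", "switch"), frozenset({"hq"})),
    Network("Lab", ("appliance",), frozenset({"branch"}), site_to_site_vpn=False),
    Network("Wireless-Only", ("wireless",), frozenset({"branch"})),
]

if __name__ == "__main__":
    for availability in (["all"], ["none"], ["branch"], ["east", "hq"]):
        print(availability, "->", effective_peer_scope(availability, SAMPLE_NETWORKS))
```

Running the block shows that the `Lab` network (VPN disabled) and `Wireless-Only` (no MX/Z) never receive the peer even though they carry the `branch` tag, which is the check worth doing before assuming a tag-scoped peer reaches every site you expect.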
Meraki Systems Manager
When working with Meraki Systems Manager, Meraki’s MDM/EMM solution, tags become a critical aspect of managing devices and configuration payloads. There are currently four types of tags used in Systems Manager networks: device tags, policy tags, user tags, and schedule tags.
The various types of tags in a Systems Manager network can be used to group and organize enrolled client devices as well as scope app and profile deployment for easy management of large numbers of devices in a network. Tags in Systems Manager can even be updated dynamically based on current device attributes such as location or security policy compliance. This allows the Dashboard to automatically adjust the configuration of a device so that only compliant devices remain in scope of a given app or profile. For example, access to a specific application or wireless profile might be granted only to devices that remain within a specific geographic area near an office, or only to devices that currently have a lock screen and PIN enabled.
Given the wide variety of unique configurations and potential complexity of the use of tags within a Systems Manager network, details about specific implementations and configurations are beyond the scope of this book. For more information about Meraki Systems Manager and the use of tags for device management within it, you can find articles covering every aspect of Systems Manager in the “SM – Endpoint Management” section on the home page of https://documentation.meraki.com.