Meraki

Community

1 site multiple MX's

Craig_Howson
Comes here often
Thursday
Thursday

1 site multiple MX's

Hi

 

We have a site which has multiple listed buildings and as such running copper/fibre between or installed p2p is a real headache. 

 

We are trying to cater for a CCTV system which will include many cameras connected across the site but will be connected back to different MX's.

 

We are looking at 3 MX's, each with their own broadband circuit and all need to speak locally back to a CCTV recording device NVR. Given they are on different MX's I expect they will need different subnets for routing purposes (unless there is a way around this). 

 

Can we use mesh VPN somehow to connect them to the same CCTV NVR, even though they are on different MX's?

 

Is there a better way to achieve this?

0 Kudos
9 Replies 9
ffiol
Comes here often
Friday
Friday

 

Hello,

If you don't have any other MXs that are HUBs, you can make everything go through that HUB and allow it in the Site-to-site outbound firewall rules.

If it's a new installation, you can make them all HUBs and they will form a mesh between the three.

You also have the option of making one MX the hub and the others spokes, but if you only have three, I would make them all hubs.

Please correct me if you think I'm wrong.

Best regards

0 Kudos
DarrenOC
Kind of a big deal
Kind of a big deal
Friday
Friday

Dare I say it…..you could replace the cameras with Meraki ones and boom no more need for the on-prem NVR 😁

 

Otherwise, just create a hub-spoke auto vpn and route all cctv traffic back to your main site where the nvr resides.

 

https://documentation.meraki.com/SASE_and_SD-WAN/MX/Design_and_Configure/Configuration_Guides/Site-t....

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
AFamilyGuy
Here to help
Friday
Friday

If the networks are not connected then why do you want to use the same address space in the different buildings?

0 Kudos
In response to AFamilyGuy
Craig_Howson
Comes here often
yesterday
yesterday

Craig_Howson_0-1765190491226.png

The full mesh on site does sound good but not sure it would work for us.

 

Here is a topology of what we have existing (hub and spoke - left) and the new site (right).

 

All existing sites use AutoVPN to connect back to our central hub for DC connectivity. I still need this for the new site too so I would typically use AutoVPN to connect the back to the central hub. But how would I then get the CCTV cameras across the 3 new buildings to communicate with the NVR in building 1 and still be able to connect them all back central for DC server connectivity?

0 Kudos
In response to Craig_Howson
AFamilyGuy
Here to help
yesterday
yesterday

I don't understand, if you have 3 MXs (one for each building) why wouldn't the cameras be able to communicate with the NVR in building 1? What is the CCTV system you have? Does it require layer 2 adjacency between the cameras and the NVR?

 

Meraki Autovpn supports spoke to spoke communication, which should address your concern (unless I'm not understanding what you are asking 🙂 ).

Thanks!

0 Kudos
In response to AFamilyGuy
Craig_Howson
Comes here often
10 hours ago
10 hours ago

I think what you are suggesting is sending all traffic from building 2 (for eg.) back local to central hub and then back out the other spoke in building 1.

 

We need local communication in case of ISP issues and local recording functionality. 

0 Kudos
In response to Craig_Howson
AFamilyGuy
Here to help
2 hours ago
2 hours ago

There is no "local" communication in your design unless you a) lease a circuit from some local provider between the buildings or b) run your own cable or wireless bridge between the buildings.

Without a or b above, you are dependent on the internet being up, regardless of whether you hairpin through the hub or if you have spoke to spoke/site to site tunnels. You can do this for these three buildings.

https://documentation.meraki.com/SASE_and_SD-WAN/MX/Design_and_Configure/Configuration_Guides/Site-t...

PhilipDAth
Kind of a big deal
Kind of a big deal
Sunday
Sunday

Each site will require its own unique subnet range.  You'll enable AutoVPN on the MXs to network all the sites together.

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
2 hours ago
2 hours ago

If you want everything on the same VLAN ...

 

You know how you have an ISP link in each building - what about asking the telco if they can provide you a layer 2 link instead between the buildings?

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.