Active/Active AutoVPN Design Guide

PhilipDAth
Kind of a big deal

Aaron Willette has posted a good design guide for doing an Active/Active AutoVPN deployment.

 

http://www.willette.works/active-active-meraki-sd-wan-headends/

Adoos
Building a reputation

I wouldn't mind knowing a bit more about how active/active VPN returns traffic to branch sites. We have had sites send traffic through WAN1 and returning it over WAN/Internet2 which for us can impact performance if WAN/Internet2 has failed over to LTE (NBN with LTE backup). Support offered to turn active/active VPN off to resolve the issue but couldn't tell us what in Meraki says traffic should come back over WAN/Internet2. 

Barry_Dickinson
Conversationalist

 

 

The design looks great, but it only shows what the branches would look like not the hubs. I'm currently implementing (2) MX250 devices with local networks added plus OSPF enabled. During testing we are having issues with both hubs trying to distribute the traffic even when the spoke is set for say hub 1. The traffic will also try to route through hub 2.

Don't use OSPF.  It is too retarded - for exactly the reasons you have given.

 

Use BGP instead.  Open a ticket with support and ask them to enable the BGP support for you.

https://documentation.meraki.com/MX/Networks_and_Routing/BGP

 

Although the above web page says the feature is in "beta", it has been in beta for a very long time, and is used quite a bit (aka it is quite stable).  I personally suspect we will see this feature released for everyone this year.


@PhilipDAth wrote:

Don't use OSPF.  It is too retarded - for exactly the reasons you have given.

 

Use BGP instead.  Open a ticket with support and ask them to enable the BGP support for you.

https://documentation.meraki.com/MX/Networks_and_Routing/BGP

 

Although the above web page says the feature is in "beta", it has been in beta for a very long time, and is used quite a bit (aka it is quite stable).  I personally suspect we will see this feature released for everyone this year.


@PhilipDAth  Hate to necro a thread lol, but now I'm curious

 

I'm using Active-Active (single MX250 in DC1 and another MX250 in DC2) type of setup. Spoke sites have DC1 at the top of the list.


Both MX are advertising 10.0.0.0/8 and participating in OSPF.

The DC1 MX setup with Cost 1 and DC2 MX setup with Cost 2

 

Seems to be working fine so far, and failover worked fine when we did testing. Is that not a good design?

Nolan Herring | nolanwifi.com

>Seems to be working fine so far, and failover worked fine when we did testing. Is that not a good design?

 

It works because your use case is simple.  One of the retarded aspects of the OSPF AutoVPN implementation is that it can only advertise routes, but not receive them.

 

The BGP implementation is a full two way system.  You can make one DC preferred for some routes and not others.  You can more easily integrate with a larger network.

DZA
Conversationalist

Does anyone know if eBGP will still only be available in 1-armed concentrator mode, or if it will also be available in NAT mode moving forward as well?

ciph3r
Getting noticed

I just finished a POC using MX600's, Nexus edge device, and BGP. I'd be happy to answer questions if anyone has them. The lack of documentation on BGP available raised a lot of questions for me so I lab'd it.

 

 

Our support engineer is in the process of enabling the BGP feature. Do you happen to have a diagram on what you lab'd out for the BGP and 2 of the MX600's?

Barry,

Not any I can post here unfortunately.

The setup was very simple back to the core.

It's 2 MX 600's, 2 Nexus 3k's as edge devices, and we are using BGP->OSPF redistribution. Once the neighbor-ship is up and running routes are exchanged as one would expect. Two templates for hub selection and we were up and operational.

The lab was very easy, however, our production environment is proving to be much more interesting. I'll post back with the final product once it's complete.