Advertising Static route in vpn

SOLVED
leadtheway
Building a reputation


So have about 8 sites running either MX84 or 100. There's a 3rd party that runs special software that creates a VPN with their hardware to allow machines to print from that software. To accomplish that they just have an inside interface on our side and I set up a route in the MX to send software for that traffic to that inside IP and they forward through the VPN. Problem I have at one site is it doesn't have that 3rd party hardware and needs to use one of the other sites. I can't put the route in because next hop would be invalid. Is there a trick with advertising the route created at another site or another way to do it?


9 REPLIES 9
ww
Kind of a big deal

Go to the static route and select (In VPN).

leadtheway
Building a reputation

How would I do that? So at a site I want to use I check In VPN, but what needs to be done at the other site? And what happens at the other sites that already have a static route because they have the 3rd party equipment onsite?

BrechtSchamp
Kind of a big deal

The first requirement is to have Meraki AutoVPN enabled in all your sites.

Then in Security & SD-WAN > Site-to-site VPN of the network where you have set up the static route, you will see that destination subnet listed in the Local Networks.

[Screenshot: 2019-03-25 16_30_11-Greenshot.png]

When you change the dropdown from "no" to "yes" for that entry, it will be announced inside the AutoVPN network. Now your other sites will be able to use the static route going through Meraki AutoVPN.

leadtheway
Building a reputation

Not sure I'm following. I do use AutoVPN in mesh. I am advertising the subnet for the data VLAN (which is where the 3rd party inside interface sits as well). I talk to other devices from the other site to that one (and all others) with no issue. But I need to be able to route specific traffic out one site only the this particular location as they share the same vendor. I've enabled advertisement of that route in VPN. Not sure what I need to do on the other site to make sure it can use it.

leadtheway
Building a reputation

So after advertising it appears that route is in the other side's route table. So that's all that needs to be done then?

Yes.

Let's say in one of the sites you have a static route pointing to 172.18.0.0/24 with the gateway set to 10.8.44.25.

In that list I showed you there should then be a 172.18.0.0/24 entry for that specific site. If the dropdown is set to yes, then all your sites should be able to use that route. If they have their own direct route over the local hardware it will be preferred due to the route preferences in the MX, refer to the link @ww shared.
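The behaviour described in the reply above, as an added Python sketch that is not part of the original thread and is not Meraki code: a static route advertised into AutoVPN becomes usable at sites with no local route, while a site's own static route still wins for the same prefix. The site names, the site-b gateway and the simplified rule (most specific prefix first, then local static route over AutoVPN route) are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class StaticRoute:
    subnet: str
    gateway: str
    in_vpn: bool  # the "In VPN" checkbox / "Use VPN: yes" dropdown

# Constructed sample topology. Only 172.18.0.0/24 via 10.8.44.25 comes from
# the thread; site names and the site-b gateway are hypothetical.
SITES = {
    "site-a": [StaticRoute("172.18.0.0/24", "10.8.44.25", in_vpn=True)],
    "site-b": [StaticRoute("172.18.0.0/24", "10.9.44.25", in_vpn=False)],
    "site-c": [],  # no third-party hardware on site
}

# Assumed preference between the two route sources the thread mentions.
PREFERENCE = {"static": 0, "autovpn": 1}

def route_table(site, sites):
    """Local static routes plus every route peers advertise into the VPN."""
    table = [(ipaddress.ip_network(r.subnet), "static", r.gateway)
             for r in sites[site]]
    for peer, routes in sites.items():
        if peer == site:
            continue
        for r in routes:
            if r.in_vpn:  # only advertised routes reach the other sites
                table.append((ipaddress.ip_network(r.subnet), "autovpn", peer))
    return table

def lookup(site, dest, sites=SITES):
    """Return (source, next_hop) chosen for dest at this site, or None."""
    addr = ipaddress.ip_address(dest)
    matches = [e for e in route_table(site, sites) if addr in e[0]]
    if not matches:
        return None
    # Most specific prefix first, then the assumed source preference.
    net, source, hop = min(
        matches, key=lambda e: (-e[0].prefixlen, PREFERENCE[e[1]]))
    return source, hop

if __name__ == "__main__":
    for name in SITES:
        print(name, lookup(name, "172.18.0.10"))
```

Advertising the route makes that subnet reachable from every AutoVPN peer, so the resulting table at each site is worth checking against what the third party is meant to see.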

leadtheway
Building a reputation

I think what threw me was you saying drop down. I see drop downs for the subnet advertisement, but the route was just a check box on the route config page. Thanks!

Hello!

What is the difference between setting the route here under Security & SD-WAN > Site-to-site VPN > Local Networks to YES under 'Use VPN' and ticking the box 'In VPN' from creating a static route under Addressing & VLANs?

https://documentation.meraki.com/MX/Networks_and_Routing/MX_Addressing_and_VLANs

  • In VPN: Determines whether the MX advertises this static route to site-to-site VPN peers.

Thank you!
