Advertising networks to 5 remote sites via Site to site VPN

Conversationalist

Hello fellow Meraki Nerds,

 

We need some help. Here is our scenario:

 

We currently have 2 Meraki MX250 devices running as hubs. We would like to create a second link to have a redundant path for network traffic if the primary hub was to lose connectivity (power outage, loss of carrier service).

 

Hub 1 is on network 172.18.100.0/24 and advertises networks

- 10.0.0.0/8

- 172.16.0.0/12

- 192.168.0.0/16

- 203.14.116.0/23

 

We have 2 major sites that run on networks 10.10.0.0/16 and 172.18.0.0/16. These sites are currently connected via a dark fibre network and use BGP to connect the 2 sites via another link.

 

Our VPN sites are on the network 10.10.210.0/28, using VLSM for these sites as we only require 14 hosts per site.

 

We have a second hub that is on network 10.10.100.0/24.

 

When we attempt to advertise the above networks via the second hub, we create routing loops. We have tried OSPF with 2 areas, with the second area at a higher cost, but this still does not work.

 

What we are after is a second (redundant) path for these VPN devices to connect to the network if the primary site was to lose connectivity. Does anyone have a suggestion?

 

Thank you for your help.

 

7 REPLIES
Kind of a big deal

Re: Advertising networks to 5 remote sites via Site to site VPN

This is the main reason I deploy hubs in NAT mode.  It allows you to plug in dual circuits AND use SD-WAN.  VPN concentrator mode makes this impossible.

 

You would use the second hub in warm spare mode.

Conversationalist

Re: Advertising networks to 5 remote sites via Site to site VPN

Thank you PhilipDAth,

 

Can you please give me an example of how you have set this up in your environment?

Kind of a big deal

Re: Advertising networks to 5 remote sites via Site to site VPN

Let's say you have a DC.  You plug WAN1 of each MX into the DC's Internet connection (this is usually an HA Internet connection).

 

I normally get a cheap domestic Internet circuit via a different carrier, and plug the two WAN2 interfaces into that.

 

Often you have a layer 3 switch.  You plug the inside of each MX into that switch.  You add L3 routes on the switch for the branches via the MX cluster.

Conversationalist

Re: Advertising networks to 5 remote sites via Site to site VPN

Hi PhilipDAth, here is a diagram of how things are currently connected and how we are trying to set up the secondary path. Does this make sense?

Conversationalist

Re: Advertising networks to 5 remote sites via Site to site VPN

Here are some screenshots of Hub 1

Kind of a big deal

Re: Advertising networks to 5 remote sites via Site to site VPN

>Hi PhilipDAth, here is a diagram of how things are currently connected and how we are trying to set up the secondary path..

 

The two sites are not layer 2 adjacent, so that limits the options.  You'll need to run both MXs active/active and use BGP between them and the network core at each site.

Conversationalist

Re: Advertising networks to 5 remote sites via Site to site VPN

Hi PhilipDAth,

 

I should mention that we use other NBN connections (Soon to be direct fibre via ISP) for internet on both sides of the network. The NBN connections in the diagram are ONLY for the VPN traffic.

 

I should also mention that there are two layer 2 tunnels between the sites so both sites are able to see networks 172.18.x.x and 10.10.x.x hence the primary MX devices advertising those networks.

 

Would I still require both MX devices to run BGP for this to work?

 

Kind Regards,

 

Daniel 
