Hello all, I have a hub-to-spoke design that I need to implement for a client which is somewhat straightforward; however, I've never done this design before, so I would appreciate it if anyone could validate it.
The client has a requirement to tunnel all publicly destined traffic through their existing internet perimeter firewalls, which have IPsec VPN tunnels to a cloud on-ramp web security service.
Therefore my logic is to configure the hubs with the following priority & settings:
Primary MX hub will be implemented in Split Tunnel mode (greenfield DC CoLo environment)
Secondary MX hub will be implemented in Full Tunnel mode with the "Default Route" option selected (existing HQ office, also regarded as the customer's existing DC environment). The secondary MX hub will also need to be in routed mode.
Would this configuration work, so that spokes, for example, would transit 10.x.x.x/8 networks via the primary hub? And any network traffic destined to public addresses would transit via the secondary hub, since the default route option is selected and static routes downstream to core switches/firewall are explicitly configured on the secondary hub?
I've based this logic on the documented behavior (from the Site-to-Site VPN doco) when the Default Route option is selected.
I've also done up a quick high-level diagram with further detail of the proposed setup.
I have never seen a design like this, but just remember that:
The concentrator priority determines how appliances in Hub (Mesh) mode will reach subnets that are advertised from more than one Meraki VPN peer. Similarly to hub priorities, the uppermost concentrator in the list that meets the following criteria will be used for such a subnet.
A) Advertises the subnet
B) Currently reachable via VPN
It is important to note that concentrator priorities are used only by appliances in Mesh mode. An appliance in Hub-and-Spoke mode will ignore the concentrator priorities and will use its hub priorities instead.
Ok understood, I got mixed up with terminology.
To clarify the proposed hub priority: the Site-to-Site VPN settings for spokes on the dashboard will look like this:
1. DC-Hub (no default route selected)
2. HQ-Hub (default route selected)
I understand the difference between split tunnel and full tunnel; however, given what's written in the doco regarding behavior when default route is selected, and also that an explicit 0.0.0.0/0 route is configured on HQ-Hub, my interpretation is that public traffic from spokes will route through via HQ-Hub despite DC-Hub being higher in priority.
--------------------------------------------------------------------------------------------------------------------------------------------
Default Route
When configuring Hubs for a Spoke, there is an option to select a hub as being a Default route. If this option is selected, then that hub will be configured as a default route for the Spoke (0.0.0.0/0). Any traffic that is not sent to a configured VPN peer network, static route or local network will be sent to the default route. Multiple hubs can be selected as default routes. Hubs marked as default routes take priority in descending order (first priority at the top).
https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-Site_VPN_Settings
Yes that would work.
From dc2 you also need to set the static routes (or at least the 0.0.0.0 one) to be part of the VPN. This will automatically also advertise these routes to your spokes.
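A small model of the spoke's route selection as described in the quoted Default Route documentation and confirmed in the answer above, added here as an illustration; it is not code from the thread or from Meraki. The longest-prefix tie-break between hubs in step 3, the spoke's 192.168.x.x networks and the HQ LAN prefix 10.200.0.0/16 are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Hub:
    name: str
    priority: int           # 1 = uppermost hub in the spoke's Site-to-Site VPN hub list
    default_route: bool     # the "Default route" box ticked for this hub
    advertised: list        # subnets the hub advertises into AutoVPN
    reachable: bool = True  # tunnel to this hub is currently up

def select_next_hop(dst, local_nets, static_routes, hubs):
    dst = ip_address(dst)
    # 1. Directly connected spoke networks.
    for net in local_nets:
        if dst in ip_network(net):
            return "local", f"connected {net}"
    # 2. Static routes configured on the spoke itself.
    for net, gateway in static_routes:
        if dst in ip_network(net):
            return gateway, f"static {net}"
    # 3. Subnets advertised by reachable hubs: the most specific prefix wins (assumption),
    #    and when two hubs advertise the same prefix the uppermost hub is used.
    candidates = []
    for hub in (h for h in hubs if h.reachable):
        for net in hub.advertised:
            n = ip_network(net)
            if n.prefixlen > 0 and dst in n:  # 0.0.0.0/0 is treated as a default route below
                candidates.append((n.prefixlen, -hub.priority, hub.name, net))
    if candidates:
        _, _, name, net = max(candidates)
        return name, f"vpn {net}"
    # 4. Default route: hubs ticked as default route, first priority at the top.
    for hub in sorted(hubs, key=lambda h: h.priority):
        if hub.default_route and hub.reachable:
            return hub.name, "default route"
    return "wan", "no VPN route, local internet breakout"

# Constructed scenario from the thread: DC-Hub first (no default route), HQ-Hub second (default route).
SPOKE_LOCAL = ["192.168.50.0/24"]
SPOKE_STATIC = [("192.168.60.0/24", "192.168.50.254")]
HUBS = [
    Hub("DC-Hub", 1, False, ["10.0.0.0/8"]),
    Hub("HQ-Hub", 2, True, ["10.200.0.0/16", "0.0.0.0/0"]),
]

if __name__ == "__main__":
    for dst in ("10.10.1.5", "10.200.3.4", "8.8.8.8", "192.168.60.5"):
        print(dst, "->", select_next_hop(dst, SPOKE_LOCAL, SPOKE_STATIC, HUBS))
```

Marking DC-Hub as unreachable shows criterion B in action: 10.x traffic that only DC-Hub advertises falls through to the HQ-Hub default route instead of being dropped.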
Great, yeah I was planning on making sure the default route is advertised into SD-WAN VPN at HQ office location.
Take a look at some topology examples: