Auto-VPN Hubs - Split Tunnel (Pri Hub) and Full Tunnel (Sec Hub)

henleyjj
Here to help

Auto-VPN Hubs - Split Tunnel (Pri Hub) and Full Tunnel (Sec Hub)

Hello all, I have a hub-to-spoke design that I need to implement for a client where which is somewhat straightforward, however I've never done this design before so would appreciate if anyone could validate.

The client has a requirement to tunnel all publicly destined traffic through their existing internet perimeter firewalls which has IPsec VPN tunnels to a cloud on-ramp web security service.
Therefore my logic is to configure hub as the following priority & settings:

  1. Primary MX hub will be implemented in Split Tunnel mode (greenfield DC CoLo environment)

  2. Secondary MX Hub will be implemented in Full Tunnel mode with "Default Route" option selected (existing HQ Office, also regarded as customers existing DC environment). Secondary MX hub will also need to be in routed mode.

Would this configuration work, so spokes for e.g would transit 10.x.x.x/8 networks via primary hub? And any network traffic destined to public addresses would transit via secondary hub, since the default route option is selected and static routes downstream to core switches/firewall are explicitly configured on secondary hub?

I've based this logic as per documented (from Site-to-Site VPN doco) behavior when Default Route option is selected 

 

HLD_drawio.drawio.pngAlso done up a quick high-level diagram for further detail of proposed setup.

 

 

 

5 Replies 5
alemabrahao
Kind of a big deal
Kind of a big deal

I have never seen a design like this, but just to remember that:

 

  • Split tunnel (no default route): Send only site-to-site traffic, meaning that if a subnet is at a remote site, the traffic destined for that subnet is sent over the VPN. However, if traffic is destined for a network that is not in the VPN mesh (for example, traffic going to a public web service such as www.google.com), the traffic is not sent over the VPN. Instead, this traffic is routed using another available route, most commonly being sent directly to the Internet from the local MX-Z device. Split tunneling allows for the configuration of multiple hubs.
  • Full tunnel (default route): The configured Exit hub(s) advertise a default route over Auto VPN to the spoke MX-Z device. Traffic destined for subnets that are not reachable through other routes will be sent over VPN to the Exit hub(s). Exit hubs' default routes will be prioritized in descending order.

Concentrator priority

The concentrator priority determines how appliances in Hub (Mesh) mode will reach subnets that are advertised from more than one Meraki VPN peer. Similarly to hub priorities, the uppermost concentrator in the list that meets the following criteria will be used for such a subnet.

 

A) Advertises the subnet

B) Currently reachable via VPN

 

It is important to note that concentrator priorities are used only by appliances in Mesh mode. An appliance in Hub-and-Spoke mode will ignore the concentrator priorities and will use its hub priorities instead.

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Ok understood, I got mixed up with terminology. 
To clarify with proposed hub priority - Site-to-Site VPN settings for spokes on dashboard will look like this

 

1. DC-Hub (no default route selected)

2. HQ-Hub (default route selected)

 

I understand difference between split tunnel and full tunnel, however given what's written in doco regarding behavior when default route is selected and also explicit 0.0.0.0/0 route is configured on HQ-Hub.

My interpretation is that public traffic from spokes will route through via HQ-Hub despite DC-Hub being higher in priority.

 

--------------------------------------------------------------------------------------------------------------------------------------------

Default Route

When configuring Hubs for a Spoke, there is an option to select a hub as being a Default route. If this option is selected, then that hub will be configured as a default route for the Spoke (0.0.0.0/0). Any traffic that is not sent to a configured VPN peer network, static route or local network will be sent to the default route. Multiple hubs can be selected as default routes. Hubs marked as default routes take priority in descending order (first priority at the top).

 

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-Site_VPN_Settings

ww
Kind of a big deal
Kind of a big deal

Yes that would work.

From dc2 you also need to set the static routes (or at least the 0.0.0.0 one) to be part of the vpn. This will automatically also advertise these routes to your spokes

Great, yeah I was planning on making sure the default route is advertised into SD-WAN VPN at HQ office location.

alemabrahao
Kind of a big deal
Kind of a big deal

Take a look at some topologies examples:

 

https://documentation.meraki.com/Architectures_and_Best_Practices/Cisco_Meraki_Best_Practice_Design/...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Get notified when there are additional replies to this discussion.