AutoVPN: Hub to Hub?

Solved
Miyo360
Getting noticed

Hi,

I have a remote office in Shanghai with a dreadful local internet connection (it's a serviced office - nothing I can do about the internet connection). It has an MX64. I have another remote office in Hong Kong, also using an MX64.

The AutoVPN was never stable, so a while back I abandoned AutoVPN and instead built a convoluted WireGuard VPN solution using Alibaba Cloud VPSs (one in Shanghai, one in Hong Kong). The path looked like this...

HK MX >> WireGuard appliance >> HK Alibaba VPS (WireGuard) >> SH Alibaba VPS (WireGuard) >> WireGuard appliance >> SH MX

Because the cross-border traffic was using Alibaba's backbone between their datacenters, the connection was fast and stable for months. Recently, however, it's not been so good, dropping out etc. I just noticed Meraki's vMXs are now available in Alibaba Cloud, so this would seem a good opportunity to simplify the setup and bring all the network components into the Meraki world.

But for this to work, I need to make sure the two Alibaba vMXs connect directly to each other, to maintain the path shown above. I cannot have one vMX being a hub and the spokes being my on-prem MXs, because traffic won't traverse the Alibaba backbone and will be subject to China's GFW.

So...
TL;DR: Can Meraki do hub-to-hub AutoVPN, with separate spokes connected to each hub? Can the 'exit hubs' feature be used for this?

Thanks in advance.
5 Replies
Bruce
Kind of a big deal

Hubs will always connect to other hubs, that is standard Meraki AutoVPN operation. With spokes you can select which hubs they will connect to. The exit hubs should work fine. What you are describing sounds similar to what is often called regional hub-and-spoke in this document, https://documentation.meraki.com/Architectures_and_Best_Practices/Cisco_Meraki_Best_Practice_Design/...
I doubt this will assist with some of your issues, which appear to be due to the Great Firewall, but as a concept it should work.

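To make the rules in Bruce's answer concrete (hubs always tunnel to every other hub, a spoke only tunnels to the hubs it is configured with, spokes never tunnel to each other), here is an added Python model that is not part of the original thread or of any Meraki tooling. The site names, the hub/spoke roles and the "London as a second spoke of the HK vMX" variant are assumptions standing in for the poster's diagrams; the model only reasons about which AutoVPN tunnels exist and which peers a packet must cross, not about Dashboard route preference or exit-hub default routes.

```python
"""Model of Meraki AutoVPN tunnel building as described in the accepted answer.

Assumed topology (not from the original post): two Alibaba vMX hubs with one
office MX64 configured as a spoke of each.  The goal is to confirm that office
to office traffic crosses the border only on the hub-to-hub (vMX to vMX) leg.
"""
from collections import deque
from itertools import combinations

# Constructed example: site name -> (role, list of hubs a spoke is configured with)
GOAL_TOPOLOGY = {
    "HK-vMX": ("hub", []),
    "SH-vMX": ("hub", []),
    "HK-MX64": ("spoke", ["HK-vMX"]),
    "SH-MX64": ("spoke", ["SH-vMX"]),
}

# Constructed variant the poster wants to avoid: London and the HK office both
# spokes of the HK vMX, so London <> HK office traffic hairpins via the vMX.
AVOIDED_TOPOLOGY = dict(GOAL_TOPOLOGY, **{"London-MX": ("spoke", ["HK-vMX"])})


def autovpn_tunnels(topology):
    """Return the set of AutoVPN tunnels (unordered peer pairs) that get built.

    Rules from the answer: every hub pair is meshed; each spoke tunnels to each
    hub in its configured list; there are no spoke-to-spoke tunnels.
    """
    hubs = [name for name, (role, _) in topology.items() if role == "hub"]
    tunnels = {frozenset(pair) for pair in combinations(hubs, 2)}
    for name, (role, hub_list) in topology.items():
        if role != "spoke":
            continue
        for hub in hub_list:
            if topology.get(hub, (None,))[0] != "hub":
                raise ValueError(f"{name}: configured hub {hub} is not a hub")
            tunnels.add(frozenset((name, hub)))
    return tunnels


def vpn_path(topology, src, dst):
    """Peers a packet crosses from src to dst over AutoVPN tunnels (BFS),
    or None when no chain of tunnels connects the two sites."""
    adjacency = {name: set() for name in topology}
    for tunnel in autovpn_tunnels(topology):
        a, b = tuple(tunnel)
        adjacency[a].add(b)
        adjacency[b].add(a)
    previous = {src: None}
    queue = deque([src])
    while queue:
        current = queue.popleft()
        if current == dst:
            break
        for neighbour in sorted(adjacency[current]):  # sorted for determinism
            if neighbour not in previous:
                previous[neighbour] = current
                queue.append(neighbour)
    if dst not in previous:
        return None
    path, node = [], dst
    while node is not None:
        path.append(node)
        node = previous[node]
    return path[::-1]


def transit_only_via_hubs(topology, path):
    """True when every intermediate hop is a hub, i.e. each office MX only ever
    talks to its local vMX and the cross-border leg is hub-to-hub."""
    return path is not None and all(topology[n][0] == "hub" for n in path[1:-1])


if __name__ == "__main__":
    goal = vpn_path(GOAL_TOPOLOGY, "HK-MX64", "SH-MX64")
    print("goal topology HK office -> SH office:", " >> ".join(goal))
    print("cross-border leg is hub-to-hub:", transit_only_via_hubs(GOAL_TOPOLOGY, goal))
    avoided = vpn_path(AVOIDED_TOPOLOGY, "London-MX", "HK-MX64")
    print("avoided topology London -> HK office:", " >> ".join(avoided))
```

Running the block prints the four-peer path HK-MX64 >> HK-vMX >> SH-vMX >> SH-MX64 for the goal topology, and shows that in the avoided variant London reaches the HK office only by hairpinning through the HK vMX, which is the extra hop the poster is worried about.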
Miyo360
Getting noticed

Excellent, thanks Bruce.

I wasn't aware you could have more than one hub in an Org, and therefore assumed the only topology available was a hub-and-spoke setup. Thanks for the link to the doc, very helpful - not sure why that didn't come up in my Google searching.

Miyo360
Getting noticed

Hi,

I now have the trial vMXs set up and running on Alibaba Cloud and part of my Org. However, I'm struggling to get the basic setup working.


My current setup is:

[Image: draw.io_2021-08-04_17-54-14.png]

The end goal is this topology:

[Image: draw.io_2021-08-04_17-53-18.png]

As a side note, I would prefer to keep the London <> Hong Kong Office AutoVPN as it is as latency is good at 210ms. I would prefer to avoid the scenario below, where these sites are both spokes to the HK vMX as this increases latency between these sites.

[Image caption: ...would like to avoid this setup, if possible]

Anyway, back to my point, in the vMX's > Security & SD-WAN > Site-to-Site VPN, it says about adding routes to the upstream router.

[Image: 2021-08-04_18-01-26.png]

I presume this means the Alibaba Cloud VPC. Here, I have created static routes for 192.168.110.0/24 (which is the network the HK Office MX64 is in), next hop = ECS instance (HK vMX)

However, with this in place, if I go to the HK Office MX > Appliance Status > Tools > Ping the internal IP of the HK vMX, I get no reply (100% loss).

When looking at Organization > VPN Status, I see all sites connected. On the HK vMX, if I run a packet capture on the site-to-site VPN I get nothing at all🤨

What am I missing? Thanks in advance.

PhilipDAth
Kind of a big deal

I think I would request some free trial vMXs and test it out. Then you'll know for sure.

https://meraki.cisco.com/form/trial/ 

Miyo360
Getting noticed

Thanks @PhilipDAth.

I have registered my interest in the trial of the two vMXs, so look forward to getting that set up, and I will update this post when testing is underway.
