Hi everyone,
I am new to AutoVPN.
In a hub-and-spoke topology (where my DataCentre MX is in Concentrator mode and all my branch offices are in Spoke mode), I understand that all my branch MXs will form an iBGP neighbour with the Concentrator.
Now, what happens if it is fully meshed (i.e. in an MPLS environment where all branch sites can interconnect directly over the carrier's MPLS)? If I set all branch MXs and the DataCentre MX as Hub, does it mean that each branch office MX will form an iBGP neighbour with all other MXs (unlike the hub-and-spoke topology, where each branch MX only forms one iBGP neighbour, with the DataCentre MX)?
Would be great if someone can confirm my understanding; your help is greatly appreciated.
Kind Regards,
Hunt
@FOMOLee: Check the different scenarios below:
https://documentation.meraki.com/MX/Networks_and_Routing/BGP
BGP is not run over AutoVPN. The cloud constructs the AutoVPN routing table from its knowledge of all sites.
You can run BGP between the MX at your DC and something else (such as a L3 switch) but that is the only place BGP is running.
The "cloud" has kinda made BGP obsolete for the inside of networks. It is only needed for edge connectivity now with another system.
I wouldn't be worrying about whether iBGP is running over the AutoVPN or not; the Meraki Cloud takes care of handling all the routing, whether it's BGP based or traditional. More likely, the issue you'll hit by turning all your spokes into hubs is the number of VPN tunnels you create. The number will potentially exceed what the devices that were originally spokes are capable of, so you need to think it through very carefully.
In hub mode, every interface on an MX will attempt to create a VPN tunnel to every other interface on every other MX in hub mode in the organisation. The only thing that will stop this tunnel creation is if there is no IP path (e.g. from an MPLS network to an internet-connected WAN interface). This is discussed here: https://documentation.meraki.com/Architectures_and_Best_Practices/Cisco_Meraki_Best_Practice_Design/....
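To put numbers on the tunnel-count warning above, here is a small model written for this thread (it is not Meraki code and not from any of the posters). It assumes, as stated in the post, that a hub-mode MX attempts one tunnel from each of its WAN interfaces to every WAN interface of every other hub, that a spoke only attempts tunnels to hubs, and that a tunnel only forms when the two interfaces share an IP path. The "transport" labels (`internet`, `mpls`), the site names and the interface layout are constructed sample input, not real sizing data, so compare the resulting per-device counts against the MX sizing guide for your own models.

```python
from itertools import combinations

# Constructed sample topology: site -> (role, {wan interface: transport}).
# A tunnel is only attempted between two interfaces on the same transport
# (this is an assumption modelling "no IP path" between, e.g., MPLS and internet).
SITES = {
    "DC":      ("hub",   {"wan1": "internet", "wan2": "mpls"}),
    "Branch1": ("spoke", {"wan1": "internet", "wan2": "mpls"}),
    "Branch2": ("spoke", {"wan1": "internet", "wan2": "mpls"}),
    "Branch3": ("spoke", {"wan1": "internet", "wan2": "mpls"}),
    "Branch4": ("spoke", {"wan1": "internet"}),   # internet-only branch
}


def tunnels_per_site(sites):
    """Return {site: number of tunnels that site would attempt to build}.

    Every tunnel is counted once at each end, so the organisation-wide total
    is sum(counts) // 2.
    """
    counts = {name: 0 for name in sites}
    for (a, (role_a, ifs_a)), (b, (role_b, ifs_b)) in combinations(sites.items(), 2):
        if role_a == "spoke" and role_b == "spoke":
            continue  # spokes never peer with each other
        for transport_a in ifs_a.values():
            for transport_b in ifs_b.values():
                if transport_a == transport_b:  # shared IP path -> tunnel attempted
                    counts[a] += 1
                    counts[b] += 1
    return counts


def as_full_mesh(sites):
    """Same sites, but every MX switched to hub mode (the full-mesh proposal)."""
    return {name: ("hub", ifs) for name, (_, ifs) in sites.items()}


def total_tunnels(counts):
    return sum(counts.values()) // 2


if __name__ == "__main__":
    for label, topo in (("hub-and-spoke", SITES), ("full mesh", as_full_mesh(SITES))):
        counts = tunnels_per_site(topo)
        print(f"{label}: {total_tunnels(counts)} tunnels in total")
        for site, n in counts.items():
            print(f"  {site:8s} {n:3d} tunnels")
```

With this sample the DC builds 7 tunnels either way, but each dual-WAN branch goes from 2 tunnels as a spoke to 7 tunnels as a hub, and the organisation-wide count rises from 7 to 16; adding sites to a full mesh grows the per-branch count linearly and the total quadratically, which is exactly the effect the post warns about.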
Hi all,
So you guys are saying I don't need to run BGP or any other routing protocol from the spoke sites back to the Hub (at the DC)?
If that's the case, how does the central Hub MX learn all the spoke local subnets, and vice versa (how do the spoke MXs learn the rest of my organization's network that sits outside, not using Meraki MXs)?
Kind Regards,
Hunt
When you enable BGP under the site-to-site VPN page, it activates BGP on all MXs. Hubs (in concentrator mode) use eBGP to peer with router(s) in your core/DC/whatever you call it. iBGP runs between the hub(s) and spokes. The entire Meraki hub-and-spoke topology is the Meraki AS. The hub(s) will eBGP peer with routers in another AS number. It's articulated pretty well here: https://documentation.meraki.com/MX/Networks_and_Routing/BGP#Scenario_3:_Datacenter_Redundancy_(DC-D....
Without BGP, hubs would use the Local Networks config section to enter what are essentially one or more static routes, and those are sent down to the spokes. Spoke routes are learned by the VPN registry and populated into the hubs' routing tables. So, without BGP, all hub-and-spoke route learning is basically done by the registry.
OSPF can also be used on the hub. The specific use case there is to take the spoke-learned routes on the hub and advertise them to an OSPF neighbor in your core.
BGP is far more scalable and controllable than OSPF and works vastly better in a multi-hub environment.
Now, as for going full mesh: yes, you need to be aware of how many tunnels each MX would create and whether that will exceed the limit per the MX sizing guide. Also, BGP is only supported in concentrator mode. I assume your branch sites need the MX in NAT mode as an edge fw/router? Lastly, are you deriving any benefit by going full mesh vs. hub-and-spoke?
MXs can form tunnels over the private WAN as long as there's IP reachability and internet reachability. Also, the private WAN interfaces of the MXs need to NAT to the internet via the same IP. That allows the MXs to form tunnels on the private IP and not the public/NAT IP.
One key benefit of the BGP implementation is that routes that drop from the hub will also get dropped from the spokes. In traditional AutoVPN the routes are more or less static routes, and when a route is down/unreachable it won't be pulled out of the spokes' route table.
I'd recommend hitting up your local Meraki TSA to get into the nuts and bolts of all this.