BGP for AutoVPN

FOMOLee
Just browsing


Hi everyone,


I am new to AutoVPN.


In a hub-and-spoke topology (where my DataCentre MX is in Concentrator mode and all my branch office MXs are in Spoke mode), I understand that all my branch MXs will form an iBGP neighbour relationship with the Concentrator.


Now, what happens if it is fully meshed (i.e. in an MPLS environment where all branch sites can interconnect directly over the carrier's MPLS)? If I set all branch MXs and the DataCentre MX as Hub, does it mean that each branch office MX will form an iBGP neighbour relationship with all other MXs (unlike the hub-and-spoke topology, where each branch MX will only form one iBGP neighbour relationship, with the DataCentre MX)?


It would be great if someone could confirm my understanding; your help is greatly appreciated.


Kind Regards,

Hunt

Inderdeep
Kind of a big deal

@FOMOLee : Check the different scenarios below

https://documentation.meraki.com/MX/Networks_and_Routing/BGP 

Regards/Inder
PhilipDAth
Kind of a big deal

BGP is not run over AutoVPN.  The cloud constructs the AutoVPN routing table from its knowledge of all sites.


You can run BGP between the MX at your DC and something else (such as an L3 switch), but that is the only place BGP is running.


The "cloud" has kinda made BGP obsolete for the inside of networks.  It is only needed for edge connectivity now with another system.

Bruce
Kind of a big deal

I wouldn’t be worrying about whether iBGP runs over the AutoVPN or not; the Meraki Cloud takes care of handling all the routing, whether it’s BGP based or traditional. More likely the issue you’ll hit by turning all your spokes into hubs is the number of VPN tunnels you create. The number will potentially exceed what the devices that were originally spokes are capable of, so you need to think it through very carefully.


In hub mode every interface on an MX will attempt to create a VPN tunnel to every other interface on every other MX in hub mode in the organisation. The only thing that will stop this tunnel creation is if there is no IP path (e.g. from an MPLS network to an internet-connected WAN interface). This is discussed here: https://documentation.meraki.com/Architectures_and_Best_Practices/Cisco_Meraki_Best_Practice_Design/....


FOMOLee
Just browsing

Hi all,


So you guys are saying I don't need to run BGP or any other routing protocol from the spoke sites back to the Hub (at the DC)?


If that's the case, how does the Central Hub MX learn all the spoke local subnets? And vice versa: how do the spoke MXs learn the rest of my organization's network that is outside Meraki (not using Meraki MX)?


Kind Regards,

Hunt

Ryan_Miles
Meraki Employee

When you enable BGP under the site-to-site VPN page it activates BGP on all MXs. Hubs (in concentrator mode) use EBGP to peer with router(s) in your core/DC/whatever you call it. IBGP runs between the hub(s) and spokes. The entire Meraki hub & spoke topology is the Meraki AS. The hub(s) will EBGP peer with routers in another AS number. It's articulated pretty well here: https://documentation.meraki.com/MX/Networks_and_Routing/BGP#Scenario_3:_Datacenter_Redundancy_(DC-D....


Without BGP, hubs would use the Local Networks config section to enter what are essentially one or more static routes, and those are sent down to spokes. Spoke routes are learned by the VPN registry and populated into the hub's routing table. So, without BGP all hub & spoke route learning is basically done by the registry.


OSPF can also be used on the hub. The specific use case there is to take the spoke-learned routes on the hub and advertise them to an OSPF neighbor in your core.


BGP is far more scalable and controllable than OSPF and works vastly better in a multi hub environment.


Now as for going full mesh. Yes, you need to be aware of how many tunnels each MX would create and whether that will exceed the limit per the MX sizing guide. Also, BGP is only supported in concentrator mode. I assume your branch sites need the MX in NAT mode as an edge fw/router? Lastly, are you deriving any benefit by going full mesh vs. hub & spoke?


MXs can form tunnels over the private WAN as long as there's IP reachability and internet reachability. Also, the private WAN interfaces of the MXs need to NAT to the internet via the same IP. That allows the MXs to form tunnels on the private IP and not the public/NAT IP.

Ryan

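The tunnel-count concern Bruce and Ryan raise above, as an added example (not from the thread or from Meraki): a small Python model of how many AutoVPN tunnels each MX builds in hub-and-spoke versus all-hub (full-mesh) mode, assuming one tunnel per pair of WAN interfaces that share an IP path (internet to internet, MPLS to MPLS) and that spokes never tunnel to other spokes. The site list and the per-site limits are constructed placeholders, not sizing-guide figures.

```python
# Added example, not from the thread or from Meraki: model how many AutoVPN
# tunnels each MX builds in hub-and-spoke versus all-hub (full-mesh) mode.
# Modelling assumptions: one tunnel per pair of WAN interfaces, and a tunnel
# only forms between interfaces that share an IP path (internet<->internet,
# mpls<->mpls), as Bruce describes; spokes never tunnel to other spokes.
from itertools import product

# Constructed sample topology: site name -> WAN interface types on its MX.
SITES = {
    "dc": ["internet", "mpls"],
    "branch1": ["internet", "mpls"],
    "branch2": ["internet", "mpls"],
    "branch3": ["internet", "mpls"],
    "branch4": ["internet", "mpls"],
    "branch5": ["internet"],
    "branch6": ["internet"],
}

# Placeholder per-site tunnel capacities; NOT Meraki sizing-guide figures.
# Look the real limits up per model before changing any spoke into a hub.
LIMITS = {name: (100 if name == "dc" else 8) for name in SITES}


def tunnels_between(a_ifaces, b_ifaces):
    """Tunnels between two MXs: one per interface pair that has an IP path."""
    return sum(1 for x, y in product(a_ifaces, b_ifaces) if x == y)


def tunnel_counts(sites, hubs):
    """Per-site tunnel count for a given set of hub sites.

    A hub peers with every other site; a spoke peers only with hubs.
    """
    counts = {}
    for name, ifaces in sites.items():
        peers = [p for p in sites if p != name and (name in hubs or p in hubs)]
        counts[name] = sum(tunnels_between(ifaces, sites[p]) for p in peers)
    return counts


def over_limit(counts, limits):
    """Sites whose modelled tunnel count exceeds their placeholder capacity."""
    return sorted(s for s, n in counts.items() if n > limits[s])


if __name__ == "__main__":
    for label, hubs in (("hub-and-spoke", {"dc"}), ("full mesh", set(SITES))):
        counts = tunnel_counts(SITES, hubs)
        # Each tunnel is counted once at each end, so halve the sum for a total.
        print(f"{label}: total tunnels {sum(counts.values()) // 2},"
              f" over limit: {over_limit(counts, LIMITS) or 'none'}")
```

With the constructed inputs, hub-and-spoke gives 10 tunnels in total and no site over its limit, while making every site a hub gives 31 tunnels and pushes each dual-WAN branch to 10, above its placeholder capacity of 8.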
rhbirkelund
Kind of a big deal

I've been trying to get my hands on a couple of used MXs just to be able to mess around a bit with BGP the Meraki way.
I noticed the same paragraph, that when enabling BGP you'd be able to do iBGP over VPN, instead of using AutoVPN and having the Meraki Cloud organise the routes.

What are the advantages and disadvantages of using iBGP between the Hub and Spokes, rather than using traditional AutoVPN?
I have a deployment of Meraki SDWAN, that is still ongoing, where my trigger-finger is itching to enable iBGP, and a private BGP AS 65000 - just to see what happens.
Ryan_Miles
Meraki Employee

One key benefit of the BGP implementation is that routes that drop from the hub will also get dropped from the spokes. In traditional AutoVPN the routes are more or less static routes, and when a route is down/unreachable it won't be pulled out of the spokes' route table.


I'd recommend hitting up your local Meraki TSA to get into the nuts and bolts of all this.

Ryan
