Bridging AutoVPN with Cisco DMVPN

SOLVED
RichardChen1


Hi Everyone,


Need everyone's feedback on the best way to have AutoVPN routes redistributed into DMVPN and vice versa.

  • Static route?
  • BGP?
  • OSPF?
  • Any other recommendations?
  • What about the Peplink site-to-site VPN?


The project is to replace all Cisco ISRs (Internet termination and DMVPN) with Meraki MX (AutoVPN and dual uplink).


[Diagram: Interim solution]


As per the above diagram, the interim solution is to put an MX in VPN concentrator mode at the DMVPN hub site. I have set up static routes on the HQ 2900 so that the HQ LAN subnets can reach all the MX sites' LANs via AutoVPN.


The next step is to use the HQ 2900 as a bridge so that the DMVPN sites learn all AutoVPN routes and vice versa.

EIGRP is currently used in all DMVPN sites.


Not sure of the best way to make the above work.


Static route:

DMVPN to AutoVPN:

- point the MX LAN subnets at the DMVPN hub tunnel IP address as the next hop?

AutoVPN to DMVPN:

- create a static route on the MX: DMVPN LAN subnets with the next hop pointing to the VPN concentrator LAN IP

- create a static route on the VPN concentrator: DMVPN LANs pointing to the HQ 2900 LAN IP (optional, as there is already a default route?)


BGP:

- Enable BGP between the HQ 2900 and the VPN concentrator?

- Redistribute EIGRP into BGP between the HQ 2900 and the VPN concentrator?

https://documentation.meraki.com/MX/Networks_and_Routing/BGP - which scenario does this fit in this guide?

- Will the MX learn the received routes and also advertise all AutoVPN routes?


OSPF:

- Enable OSPF between the HQ 2900 and the VPN concentrator?

- Redistribute EIGRP into OSPF between the HQ 2900 and the VPN concentrator?

- As per https://documentation.meraki.com/MX/Site-to-site_VPN/Using_OSPF_to_Advertise_Remote_VPN_Subnets: "An MX VPN concentrator with OSPF route advertisement enabled will only advertise routes via OSPF; it will not learn OSPF routes"???

Also

https://www.willette.works/merging-meraki-vpns/

Non-Meraki VPN routes are not advertised to AutoVPN peers.

ACCEPTED SOLUTION
PhilipDAth

Note that with OSPF it is not two-way distribution on the MX side.  It can only advertise AutoVPN routes.  It won't listen to anything you send it.


BGP is full two way routing.


If you can do it with a smallish number of static routes (consider using larger summary routes), I would use that approach.  My second choice would be BGP.


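The static-route option from the question, done the way the accepted answer prefers (a single summary route rather than one route per spoke), worked through on the Cisco side. This is an added example, not configuration from this thread or from Cisco/Meraki documentation. The addresses, interface name, summary ranges and EIGRP AS number are all assumptions; substitute your own.

```cisco
! HQ 2900 (DMVPN hub) side of the static-route bridge. Added example, not from the thread.
! Assumed values:
!   10.1.1.0/24    HQ LAN segment shared by the 2900 (10.1.1.1) and the MX concentrator (10.1.1.2)
!   10.200.0.0/16  summary covering every AutoVPN spoke LAN
!   10.100.0.0/16  summary covering every DMVPN spoke LAN (already in EIGRP)
!   EIGRP AS 100   already running over the DMVPN tunnel
!
interface GigabitEthernet0/1
 description HQ LAN / MX VPN concentrator segment
 ip address 10.1.1.1 255.255.255.0
!
! One summary route for all AutoVPN spoke LANs, next hop = MX concentrator LAN IP.
! A single summary keeps the static-route count small and the EIGRP topology stable.
ip route 10.200.0.0 255.255.0.0 10.1.1.2 name AUTOVPN-SPOKES
!
! Redistribute only that summary into EIGRP, not every static route on the box.
ip prefix-list AUTOVPN-SUMMARY seq 10 permit 10.200.0.0/16
!
route-map STATIC-TO-EIGRP permit 10
 match ip address prefix-list AUTOVPN-SUMMARY
!
router eigrp 100
 ! EIGRP requires a seed metric for redistributed routes:
 ! bandwidth (kbps) delay (tens of usec) reliability load MTU
 redistribute static route-map STATIC-TO-EIGRP metric 100000 100 255 1 1500
!
! Checks (first on the hub, then on a DMVPN spoke):
!   show ip route static
!     expect 10.200.0.0/16 via 10.1.1.2 on the hub
!   show ip eigrp topology 10.200.0.0/16
!   show ip route 10.200.0.0
!     expect a D EX (EIGRP external) entry on each DMVPN spoke
```

For the reverse direction (AutoVPN to DMVPN) there is nothing to type on the router: the 2900 already holds the DMVPN spoke LANs via EIGRP, so it can forward whatever the MX sends it. The work is on the MX concentrator in the dashboard: add a static route for the DMVPN summary (10.100.0.0/16 in the assumptions above) with next hop 10.1.1.1, the 2900's LAN IP, and enable VPN participation on that route so the concentrator advertises it to the AutoVPN spokes. The concentrator's default route is not advertised into AutoVPN, which is why that explicit static route is needed even though a default route already exists; the spoke MXs then learn the DMVPN range over AutoVPN and need no static routes of their own.
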
6 REPLIES

Hi Philip,


I was able to redistribute the static routes into DMVPN/EIGRP. However, I was unable to find the option on the MX to create a static route destined for the DMVPN subnet via the next hop.

In my case the next hop is the HQ MX VPN concentrator. If I set the next hop to the local MX gateway it will not work.


Any suggestion?

Does this mean I need to setup BGP on HUB MX, spoke MX and DMVPN HQ router?

Can you bridge AutoVPN with Cisco DMVPN with the MX at the hub in routed mode (with static routes and about 40 spokes)? We intend to have two MXs for HA at the hub site that will bridge to the DMVPN.

Bruce

You can't use an MX in a DMVPN solution or vice versa; the ways they establish their secure tunnels (the key exchange) are different. What you'd need to do is have the MX hub connected to a Cisco router running DMVPN at the hub, so you essentially have an MX network and a separate DMVPN network with a LAN connecting them at the head end. That's about the best you can do.


If you’re doing a migration consider using BGP on the MXs so that routes dynamically move from one system to the other as you migrate sites/spokes.

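The BGP option that the accepted answer ranks second and the reply above recommends for a migration, worked through on the Cisco side. This is an added example, not configuration from this thread or from Cisco/Meraki documentation. The private AS numbers, addresses, summary ranges and EIGRP AS number are assumptions.

```cisco
! HQ 2900: eBGP peering with the MX VPN concentrator plus two-way EIGRP <-> BGP
! redistribution. Added example, not from the thread. Assumed values:
!   2900 in private AS 65000, LAN IP 10.1.1.1
!   MX concentrator in private AS 65001, LAN IP 10.1.1.2 (same /24)
!   EIGRP AS 100 over DMVPN; DMVPN spoke LANs in 10.100.0.0/16
!   AutoVPN spoke LANs in 10.200.0.0/16
!
! Keep the two address ranges disjoint in both directions so that a prefix
! redistributed EIGRP -> BGP can never be redistributed BGP -> EIGRP again.
ip prefix-list DMVPN-LANS seq 10 permit 10.100.0.0/16 le 24
ip prefix-list AUTOVPN-LANS seq 10 permit 10.200.0.0/16 le 24
!
! Only DMVPN prefixes are handed to the MX.
route-map EIGRP-TO-BGP permit 10
 match ip address prefix-list DMVPN-LANS
!
! Only AutoVPN prefixes learned from the MX go into EIGRP.
route-map BGP-TO-EIGRP permit 10
 match ip address prefix-list AUTOVPN-LANS
!
router bgp 65000
 bgp log-neighbor-changes
 neighbor 10.1.1.2 remote-as 65001
 neighbor 10.1.1.2 description MX-VPN-CONCENTRATOR
 address-family ipv4
  redistribute eigrp 100 route-map EIGRP-TO-BGP
  neighbor 10.1.1.2 activate
  neighbor 10.1.1.2 prefix-list AUTOVPN-LANS in
  neighbor 10.1.1.2 prefix-list DMVPN-LANS out
 exit-address-family
!
router eigrp 100
 ! Seed metric is mandatory when redistributing BGP into EIGRP.
 redistribute bgp 65000 metric 100000 100 255 1 1500 route-map BGP-TO-EIGRP
!
! Checks:
!   show ip bgp summary
!     the 10.1.1.2 session should be Established with a prefix count, not Active/Idle
!   show ip bgp neighbors 10.1.1.2 advertised-routes
!     expect only 10.100.0.0/16 and its longer prefixes
!   show ip bgp neighbors 10.1.1.2 routes
!     expect the AutoVPN spoke LANs received from the MX
!   show ip route eigrp
!     on a DMVPN spoke, the AutoVPN LANs appear as D EX routes
```

On the MX side, BGP is enabled in the dashboard under the site-to-site VPN settings with the concentrator's own AS (65001 in the assumptions) and a neighbor entry for 10.1.1.1 in AS 65000; the peer must be on the concentrator's LAN, so no multihop is involved. With that in place the concentrator advertises the AutoVPN spoke LANs to the 2900 and re-advertises the DMVPN prefixes it learns to its AutoVPN spokes, which is the two-way behaviour the accepted answer describes, and as the reply above notes, prefixes move between the two systems on their own as each spoke is migrated. As Bruce points out later in the thread, dynamic routing on the MX is tied to VPN concentrator mode, so plan the hub MX as a one-armed concentrator if you take this route.
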
We have an existing DMVPN and the routers are all Cisco. I know the MXs do not support DMVPN, but I was merely trying to make it clear that the MXs in the hub site will be the gateway to the DMVPN network from the AutoVPN mesh through a static route on the internal VLAN interface of the MXs. So can the MXs in the hub site be configured in routed mode in this scenario?

Bruce

That depends on the WAN circuits you are using. Really the only requirement is for each WAN port that you are using on the hub to be able to reach the Meraki registry (essentially the internet). So if you have direct internet connections then you will be fine, or if you're using an MPLS network that provides NATed internet access then you will be fine; for both of these, or a combination of them, you should be able to run the MX in routed mode.


Generally a one-armed concentrator is only a necessity if you want to do dynamic routing, have multiple DCs providing access to the same subnets, or need to provide internet access from an MPLS network, although that's not a prescriptive list.
