Default Route on Mx (Auto-VPN)

Solved
JpAlvesCroce22
Here to help

Hello everyone, how are you?
To put it in context, I'm taking over the management of a new organization and we don't have much communication with the previous administrators.

I'm checking the routing and they have deployed something that catches my attention and I think it's misapplied.

The scenario consists of a central site as a hub and 50 locations as spokes.
Full tunnel is applied through Auto-VPN, but the central site also announces the default route 0.0.0.0/0 to the spokes of the organization.

So in the routing table I have three entries for 0.0.0.0/0, and two of them correspond to "Meraki VPN: Static Route".

The question is... if I eliminate the route 0.0.0.0/0 that is announced from the central site and leave only the "IPv4 default route" Checkbox enabled, shouldn't it be affected since they do the same thing?

1 Accepted Solution

This config is typically done to send spoke traffic to another egress point like another firewall. For example internet bound traffic from a spoke going over the full tunnel to the routed mode hub will enter the hub then be sent out the hub's default gateway (WAN interface).

I've seen instances in which the requirement is to not exit right back out of the hub's WAN port, but rather send to another firewall to do whatever inspection, rules, etc. And in such cases that's when the 0/0 LAN side route is needed on the hub.

But when that is the requirement, I think there's a serious question that needs to be asked of why use routed mode and not concentrator mode.

Ryan / SE - Networking

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.

5 Replies
ww
Kind of a big deal

Is your hub a routed mode location with a default route to the lan side?

Or is your hub a one-armed concentrator?

The hub is configured in router mode, effectively with a default route pointing to the LAN (Browsing Firewall).

Thanks for the reply @Ryan_Miles.
Perfect, then we can say that to carry the default traffic (0.0.0.0/0) to another firewall device that is on the same LAN as our hub, it is necessary to have the propagated route 0.0.0.0/0 via the navigation firewall.

Would it be necessary to propagate it through the Auto-VPN?

Yes, it would be required to be enabled within the VPN config.

Ryan / SE - Networking
