Exit Hub and default routing

CLCraddock
Here to help


Dear Community,

 

I had a question about the Exit Hub option on the MX appliance. I have 2x MX450s, one at each Data Center. Each MX450 is being used as a VPN hub while all of our retail locations are being used as Spokes. One of the Hubs (Hub2) has the "Exit Hub" setting set, pointing to Hub1 as the Exit Hub. However, Hub1 does NOT have the Exit Hub setting set. I have 2 questions about this:

1) What exactly does the Exit Hub setting do? I am reading conflicting information about it online. With Hub1 set as the "Exit Hub" on Hub2, does this mean all VPN traffic coming from a spoke into Hub2 gets tunneled to Hub1 for routing/processing?

2) Does setting the "Exit Hub" option force the MX appliance to advertise a default route via OSPF? The reason I ask is because our core switches that are connected to Hub2 are seeing a default route advertised from Hub2 while the core switches (at the other datacenter) are NOT seeing a default route advertised from Hub1. The only setting that seems to be different that might cause this is the "Exit Hub" setting.

Thank you for your assistance.

NolanHerring
Kind of a big deal

Hmm I don't see that option on mine. Are you in Routed or Passthrough/VPN-Concentrator mode on the HUB MXs?
Nolan Herring | nolanwifi.com

Nolan,

 

We are in Routed mode. 

 

[Attached screenshot: CLCraddock_0-1588353981800.png]

 

merakichamp
Building a reputation

@CLCraddock the exit hub is to receive all traffic from a local traffic MX device on a full tunnel configuration, which means all traffic will be tunneled to an exit hub, but a more specific (longer prefix) route will take precedence.

2. MX does not currently support OSPF routing; this can only be used to advertise remote VPN subnets to a core switch and is only supported in VPN concentrator mode.

 

 

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Settings

 

CN
Meraki Alumni (Retired)

The exit hub is setting the full tunnel destination for this hub to go to the other data center. This is akin to checking the default route box on a spoke. It's really for smaller deployments where all of the MX are in Hub mode forming a full mesh. It will only show up in routed mode. 

 

For a hub that has spokes connected to it, I would NOT recommend that this box be checked. Depending on your setup you might just be sending traffic from the spoke to the Hub and then to the exit hub. Instead of routing from one hub to another, it would be easier to have the spoke decide which Hub to full tunnel to. 

 

cmr
Kind of a big deal

As @CN says, this is usually for when you have a few sites, but want them to mesh.

We have 9 sites, all hubs, two are datacenters.

On the other 7 sites we select the primary Datacenter as the first exit hub and the secondary Datacenter as the second exit hub.

What this does is that all traffic from those seven sites that does not match one of the networks advertised by any of the other hubs goes to the first exit hub network (MX in primary Datacenter). If that hub is down, the traffic goes to the second exit hub network (MX in secondary Datacenter).

 

It is in effect two default routes with one only taking over if the other is not reachable.
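
The route selection described in the replies above (a more specific VPN route wins, otherwise traffic follows the ordered exit hubs), modelled as an added example that is not part of any post in this thread and is not Meraki code. The hub names, prefixes and the rule that routes from an unreachable hub are ignored are assumptions made for illustration.

```python
import ipaddress

# Constructed sample data: subnets advertised by other hubs over the VPN.
VPN_ROUTES = {
    "10.1.0.0/16": "dc1",
    "10.2.0.0/16": "dc2",
    "10.2.50.0/24": "site3",
}
# Exit hubs in configured order: primary datacenter first, secondary second.
EXIT_HUBS = ["dc1", "dc2"]


def next_hop(dst, vpn_routes, exit_hubs, reachable):
    """Return the hub that traffic to dst is tunneled to.

    Returns None when no specific route matches and no exit hub responds,
    meaning the traffic is not sent into the VPN at all.
    """
    addr = ipaddress.ip_address(dst)

    # 1. Longest-prefix match over routes learned from reachable hubs.
    #    Assumption: routes from a hub that is down are not used.
    best_net, best_hub = None, None
    for prefix, hub in vpn_routes.items():
        net = ipaddress.ip_network(prefix)
        if hub not in reachable or addr not in net:
            continue
        if best_net is None or net.prefixlen > best_net.prefixlen:
            best_net, best_hub = net, hub
    if best_hub is not None:
        return best_hub

    # 2. Nothing more specific matched: the exit hubs act as ordered
    #    default routes, the next one used only if the previous is down.
    for hub in exit_hubs:
        if hub in reachable:
            return hub
    return None


if __name__ == "__main__":
    all_up = {"dc1", "dc2", "site3"}
    for dst in ("10.2.50.7", "10.2.9.9", "203.0.113.10"):
        print(dst, "->", next_hop(dst, VPN_ROUTES, EXIT_HUBS, all_up))
    print("dc1 down:", next_hop("203.0.113.10", VPN_ROUTES, EXIT_HUBS, {"dc2", "site3"}))
```
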

So the Exit Hub setting acts like a "Default Route" for a hub to send unknown traffic to another hub?
cmr
Kind of a big deal

@CLCraddock yes, that is correct, though you can have multiple, in line, and if one isn't responding then it will try the next.

merakichamp
Building a reputation

@CLCraddock yes, the exit hub advertises a default route over Auto VPN to the spoke MX device. Traffic destined for subnets that are not reachable through other routes will be sent over VPN to the exit hub, and this exit hub's default routes will be prioritized in descending order.

 

Will the specified "Exit" Hub also advertise a default route via Auto-VPN to another "normal" Hub which has the checkbox set automatically? Because I'm facing the issue that the default route is active on the spokes but not on the second hub in the network 😕
