Dear Community,
I had a question about the Exit Hub option on the MX appliance. I have two MX450s, one at each Data Center. Each MX450 is being used as a VPN hub, while all of our retail locations are being used as Spokes. One of the Hubs (Hub2) has the "Exit Hub" setting set, pointing to Hub1 as the Exit Hub. However, Hub1 does NOT have the Exit Hub setting set. I have 2 questions about this:
1) What exactly does the Exit Hub setting do? I am reading conflicting information about it online. With Hub1 set as the "Exit Hub" on Hub2, does this mean all VPN traffic coming from a spoke into Hub2 gets tunneled to Hub1 for routing/processing?
2) Does setting the "Exit Hub" option force the MX appliance to advertise a default route via OSPF? The reason I ask is because our core switches that are connected to Hub2 are seeing a default route advertised from Hub2, while the core switches (at the other datacenter) are NOT seeing a default route advertised from Hub1. The only setting that seems to be different that might cause this is the "Exit Hub" setting.
Thank you for your assistance.
Nolan,
We are in Routed mode.
@CLCraddock The exit hub is there to receive all traffic from a local MX device in a full-tunnel configuration, which means all traffic will be tunneled to the exit hub, but a more specific (longer prefix) route will take precedence.
2. The MX does not currently support OSPF routing; it can only be used to advertise remote VPN subnets to a core switch, and it is only supported in VPN concentrator mode.
https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Settings
The exit hub is setting the full tunnel destination for this hub to go to the other data center. This is akin to checking the default route box on a spoke. It's really for smaller deployments where all of the MX are in Hub mode forming a full mesh. It will only show up in routed mode.
For a hub that has spokes connected to it, I would NOT recommend that this box be checked. Depending on your setup you might just be sending traffic from the spoke to the Hub and then to the exit hub. Instead of routing from one hub to another, it would be easier to have the spoke decide which Hub to full tunnel to.
As @CN says, this is usually for when you have a few sites, but want them to mesh.
We have 9 sites, all hubs; two are datacenters.
On the other 7 sites we select the primary Datacenter as the first exit hub and the secondary Datacenter as the second exit hub.
What this does is that all traffic from those seven sites that does not match one of the networks advertised by any of the other hubs goes to the first exit hub network (MX in primary Datacenter). If that hub is down, the traffic goes to the second exit hub network (MX in secondary Datacenter).
It is in effect two default routes with one only taking over if the other is not reachable.
@CLCraddock Yes, that is correct, though you can have multiple in line, and if one isn't responding then it will try the next.
@CLCraddock Yes, the exit hub advertises a default route over AutoVPN to the spoke MX device. Traffic destined for subnets that are not reachable through other routes will be sent over VPN to the exit hub, and this exit hub's default routes will be prioritized in descending order.
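The route-selection behaviour described in the replies above (a longer-prefix AutoVPN route beats the exit hub default, exit hubs are tried in priority order while reachable, and a hub with its own exit hub forwards default traffic on to it) as an added Python model; this is not code from the thread or from Meraki, and the device names, subnets and topology are constructed for illustration.

```python
import ipaddress

# Constructed topology (not from the thread): the spoke full-tunnels to Hub2,
# Hub2 has Hub1 configured as its exit hub, Hub1 has no exit hub.
DEVICES = {
    "Spoke": {"routes": [("10.1.0.0/16", "Hub1"), ("10.2.0.0/16", "Hub2")],
              "exit_hubs": ["Hub2"], "local": ["192.168.50.0/24"]},
    "Hub2":  {"routes": [("10.1.0.0/16", "Hub1"), ("192.168.50.0/24", "Spoke")],
              "exit_hubs": ["Hub1"], "local": ["10.2.0.0/16"]},
    "Hub1":  {"routes": [("10.2.0.0/16", "Hub2"), ("192.168.50.0/24", "Spoke")],
              "exit_hubs": [], "local": ["10.1.0.0/16"]},
}


def next_hop(device, dst, reachable):
    """Longest-prefix match over local subnets and AutoVPN routes from reachable
    peers; only when nothing matches fall back to the exit hubs in priority order.
    Returns a peer name, "local" (device owns the subnet) or "wan" (no VPN path:
    traffic leaves via the device's own WAN)."""
    ip = ipaddress.ip_address(dst)
    cfg = DEVICES[device]
    candidates = [(ipaddress.ip_network(p), "local") for p in cfg["local"]]
    candidates += [(ipaddress.ip_network(p), h) for p, h in cfg["routes"]
                   if h in reachable]
    matches = [(net.prefixlen, hop) for net, hop in candidates if ip in net]
    if matches:
        return max(matches)[1]          # longest prefix wins
    for hub in cfg["exit_hubs"]:        # ordered default routes
        if hub in reachable:
            return hub
    return "wan"


def trace(src, dst, reachable):
    """Follow a packet device by device until it is delivered or leaves the VPN."""
    path, device = [src], src
    while True:
        hop = next_hop(device, dst, reachable)
        if hop in ("local", "wan"):
            return path, hop
        if hop in path:                 # guard against a routing loop
            return path, "loop"
        path.append(hop)
        device = hop


if __name__ == "__main__":
    up = {"Spoke", "Hub1", "Hub2"}
    print(trace("Spoke", "8.8.8.8", up))          # spoke -> Hub2 -> Hub1 -> wan
    print(trace("Spoke", "10.1.2.3", up))         # specific route straight to Hub1
    print(trace("Spoke", "8.8.8.8", up - {"Hub1"}))  # Hub1 down: exits at Hub2
```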
Will the specified "Exit" Hub also advertise a default route via AutoVPN to another "normal" Hub which has the checkbox set, automatically? Because I'm facing the issue that the default route is active on the spokes but not on the second hub in the network 😕