(FYI) Behavior of Meraki MX when establishing Auto VPN tunnels with Cloud On-Ramp

MyHomeNWLab
A model citizen

(FYI) Behavior of Meraki MX when establishing Auto VPN tunnels with Cloud On-Ramp

Meraki MX changes the behavior of Auto VPN tunnel establishment when Cloud On-Ramp is used.

 

[Related document]

Meraki Umbrella SDWAN Connector Deployment Guide - Cisco Meraki
https://documentation.meraki.com/MX/Meraki_Umbrella_SDWAN_Connector/Deployment_Guide

> Due to the default Meraki Auto-VPN design, all VPN hubs in an organization will automatically tunnel to all other hubs in an organization. This behaviour changes for the Meraki Umbrella SDWAN Connector solution, when the connector hubs are deployed, all other hubs in the organization will not automatically tunnel to SIG and all hub traffic will not be defaulted to Umbrella. The Meraki Umbrella SDWAN Connector network hubs will not automatically tunnel to other hubs in the organization.

 

I contacted support to verify this information in more detail. Therefore, unless I am mistaken in my perception, it should be correct.

I have organized that information and will share it with you.

 

[Notes]

I do not have a Umbrella license, so I have not been able to verify this on the actual device. I only confirmed the MX specifications.

Also, dCloud has several Meraki SASE environments, but they seem to work differently with undocumented features and were not helpful.

 

I have checked the following catalogs.


* SASE-Cisco Meraki Secure Edge - Instant Demo
* Cisco SASE Lab v2

 

So I should say that I was not able to verify the exact default behavior on the actual device.

 

I learned about undocumented features from a Japanese article written by the distributor.

 

https://www.idaten.ne.jp/portal/page/out/secolumn/cisco/meraki/072.html

* Japanese

> ちなみにこのハブ間接続を禁止する設定はサポートへの依頼で解除することも可能ですので、実は要検証という条件付きであればハブ拠点をUmbrellaと接続することも可能です。

 

* Translate to English
Incidentally, this setting that prohibits hub-to-hub connections can be removed by requesting it from support, so it is actually possible to connect hub locations to Umbrella with the condition that verification is required.

 

[Overview]

* Slide with comments

 

01_Overview.jpg

* Slide without comments

 

02_Overview_Without_Comments.jpg

 

[Perspectives on each one]

* Umbrella SIGs do not establish VPN tunnels with each other

 

03.jpg

* When "Umbrella SIG Connector" and "Meraki MX in Hub" are mixed

 

04.jpg

 

* Exit Hubs settings cannot be tunneled to the Umbrella SIG

05.jpg

* "Spoke of MX" that does not tunnel VPN to "Umbrella SIG Connector" can tunnel VPN to "MX of Hub".

06.jpg

 

Thanks to the support staff for their kindness!

 

As a request, I would like the documentation to be detailed so that misunderstandings do not occur.

1 Reply 1
MyHomeNWLab
A model citizen

For reference, I have organized information on the dCloud environment.

 

* Catalog: SASE-Cisco Meraki Secure Edge - Instant Demo

dCloud_Catalog.jpg

 

I am concerned that the MX tunneling to the Umbrella SIG was also tunneling to another MX's Hub.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels