Fail over with Non-Meraki peers (but both are MX)


Is there a way to set up failover capabilities between different organizations?


We own several companies that we need to keep on their own organization in case we sell them, so we currently have VPN tunnels set up between the Corporate MX device and the MX devices in the different orgs as Non-Meraki peers.  We are putting in additional redundant internet services at each company and would like to configure redundant VPN tunnels between the corporate office and the individual divisions, but it does not look like the Non-Meraki peers will support this since the connections are by IP address.


I was hoping I could configure the VPN tunnel to connect with the Meraki Dynamic Host Name, but it does not appear to be an option.  Any suggestions other than merging everyone into the same org?


I'll give you two solutions.


The first is to use back-to-back MXs.




Org1 has two MXs, MX1 and MX2.  MX1 is in their main DC.  MX1 is the main AutoVPN hub for Org1.


Org2-MX3 is sitting in the main DC for Org2.  MX3 is the main hub for Org3.  Org1-MX2 and Org2-MX3 are both sitting right beside each other in the same rack.


Org1-MX1 and Org1-MX2 use AutoVPN between themselves.  Org1-MX2 has a static supernet route pointing to Org2-MX3.  This static route gets redistributed into Org1 AutoVPN.


Org2-MX3 has a static supernet route pointing to Org1-MX2 which it redistributes into its own Org via AutoVPN.


Org1-MX2 and Org2-MX3 plug into each other using a plain patch cable.


You could also use BGP between MX2 and MX3 if they are both using VPN Concentrator mode.


You can use this approach to connect all of the divisions back to the mothership.


Note: when sizing MXs for VPN Concentrator mode, only pay attention to the number of VPN peers supported and the crypto throughput.  Ignore all the other numbers.



Another similar approach is to specify that a specific DC will be a transit site.  Every org puts an MX into this transit site.  There is a single subnet that all the MXs connect to, and they could all run BGP between themselves (or you could use static routing).  You could also call this a peering point or a peering exchange.



The second solution is to put everything into a single org.  If you ever sell a division, you simply request an Org Split with support.  It's a relatively simple procedure.



Using non-Meraki VPNs to join divisions together is painful.  It would only work on a very small scale.
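The back-to-back design above relies on each side installing one static supernet route that points at the other org's MX and then redistributing it into its own AutoVPN. The one thing that can quietly break that design is a supernet that also covers subnets the local org already advertises, because traffic for those local subnets can then be attracted across the transit link. The following Python script is an added example, not code from the thread or from Meraki: it takes each org's AutoVPN prefixes, computes the single covering supernet each MX would need, flags any local prefixes that the remote supernet swallows, and offers the exact collapsed prefix list as a safer alternative. All subnet values and the transit-link addresses are constructed for the example and assume IPv4 only.

```python
import ipaddress

# Constructed example data (not from the thread): the prefixes each org
# carries inside its own AutoVPN.
ORG1_SUBNETS = ["10.0.0.0/16", "10.1.0.0/16", "10.2.0.0/16"]
ORG2_SUBNETS = ["10.20.0.0/16", "10.21.0.0/16"]

# Hypothetical addressing on the patch cable between Org1-MX2 and Org2-MX3.
ORG1_MX2_TRANSIT_IP = "192.0.2.1"
ORG2_MX3_TRANSIT_IP = "192.0.2.2"


def single_supernet(prefixes):
    """Smallest single IPv4 prefix that covers every prefix in the list.

    Overlapping or adjacent inputs are collapsed first, then the block that
    contains the lowest prefix is widened until it also contains the highest.
    """
    nets = sorted(ipaddress.collapse_addresses(
        ipaddress.ip_network(p) for p in prefixes))
    candidate = nets[0]
    while not candidate.supernet_of(nets[-1]):
        candidate = candidate.supernet()
    return candidate


def swallowed(local_prefixes, remote_supernet):
    """Local prefixes that the remote supernet overlaps.

    Any hit means the supernet route competes with the org's own AutoVPN
    routes for that space, so the supernet should be split into exact
    prefixes instead of being redistributed as one block.
    """
    return [ipaddress.ip_network(p) for p in local_prefixes
            if ipaddress.ip_network(p).overlaps(remote_supernet)]


def exact_routes(prefixes):
    """Non-overlapping list of prefixes, merged where adjacent; the fallback
    when a single supernet would swallow local subnets."""
    return list(ipaddress.collapse_addresses(
        ipaddress.ip_network(p) for p in prefixes))


def plan_transit(org1_subnets, org2_subnets, mx3_ip, mx2_ip):
    """Static routes each back-to-back MX needs, plus overlap findings."""
    to_org2 = single_supernet(org2_subnets)   # installed on Org1-MX2
    to_org1 = single_supernet(org1_subnets)   # installed on Org2-MX3
    return {
        "org1_mx2_route": (to_org2, mx3_ip),
        "org2_mx3_route": (to_org1, mx2_ip),
        "org1_conflicts": swallowed(org1_subnets, to_org2),
        "org2_conflicts": swallowed(org2_subnets, to_org1),
        "org1_mx2_exact": exact_routes(org2_subnets),
        "org2_mx3_exact": exact_routes(org1_subnets),
    }


if __name__ == "__main__":
    plan = plan_transit(ORG1_SUBNETS, ORG2_SUBNETS,
                        ORG2_MX3_TRANSIT_IP, ORG1_MX2_TRANSIT_IP)
    for side in ("org1_mx2", "org2_mx3"):
        net, nexthop = plan[f"{side}_route"]
        print(f"{side}: static route {net} via {nexthop}")
    for org in ("org1", "org2"):
        hits = plan[f"{org}_conflicts"]
        if hits:
            print(f"WARNING {org}: remote supernet swallows local {hits}; "
                  f"use exact routes instead")
```

Run it with the constructed data and both sides get one clean route (10.20.0.0/15 on Org1-MX2, 10.0.0.0/14 on Org2-MX3) with no conflicts. If Org2 later adds a subnet such as 10.3.0.0/24, the covering supernet grows to 10.0.0.0/11 and every Org1 prefix is flagged, which is the signal to install the `exact_routes` list (or move to BGP between the concentrators, as the reply suggests) rather than one wide block.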
