Global and China AutoVPN interconnect - a recipe for success

rhbirkelund
Kind of a big deal
Kind of a big deal

Global and China AutoVPN interconnect - a recipe for success

Let us set the stage here.

 

"MAMAs Spaghetti", a globally renowned company dealing with italian inspired produces, has after a long procurement phase merged with "Chow Mein Noodles" based in China to form a global pasta empire. Seeing as the two companies are both using Meraki, merging networks should be easily enough.

Now, due to certain local government regulations, "Chow Mein Noodles" use the chinese based Meraki Dashboard, while "MAMAs Spaghetti", uses the rest-of-world Meraki Dashboard. Both companies repseoctive IT departments, have gone through the long haul of aligning eachothers IP plans. But how do they bridge the two networks? This poses as a challenge for the two companies IT-departments who are tasked with integrating their respective networks with eachother as part of the merger.

 

So how can we interconnect the two Meraki AutoVPN fabrics? While there may be many ways to achieve this, is to use what is called a Gateway MX. This is a Meraki MX physically placed in what is to become the main headquarters datacenter, but is logically configured from the chinese Meraki Dashboard.

rhbirkelund_0-1718802988998.png

In this way, we have the China Gateway MX configured as a One-Armed Concentrator, and the Headquarter MX in Routed Mode as an Edge Firewall. The China Gateway MX uses AutoVPN to connect to its connected Spokes, and announced local networks in HQ to them. All the CHina Branches learn from the Gateway that Headquarter subnets are reachable from the Gateway MX.

rhbirkelund_1-1718803259291.png

On the Headquater side, their IT department simply has to create routes for each branch in China, via the Gateway MX.

 

Now since the merger, business has been good for Chow Mein Noodles, and they are opening new branches everywhere in China, expanding very quickly. The HQ IT department is struggling to manage all their static routes to each branch.

 

This is where we can use BGP.

 

From MX18.2, BGP and especially eBGP has become supported in Meraki, and this gives some simpllicity back to the IT departments. What can be done, is to assigned each AutoVPN fabric an iBGP AS, and this the eBGP neighboring to have the HQ MX and Gateway MX exchange networks.

Basically, the IT departments would be setting up their networks like this

rhbirkelund_10-1718805095580.png

 

Assign "MAMAs Spaghetti" to AS 65100, and "Chow Mein Noodles" to AS 65200. 

rhbirkelund_4-1718803936219.pngrhbirkelund_5-1718803979596.png

 

Just by assiging AS numbers, AutoVPN now uses iBGP to exchange route information all across the AutoVPN fabric. But both fabrics are still disconnected from eachother.

Next both IT departments assign a subnet for BGP peering, and fabric transits. In this examples the Lead Architect at MAMAs Spaghetti chose her favorite subnet, 100.64.0.0/30, and assigned .1 to MAMAs and .2 to Chow Main. 

So now they have this

rhbirkelund_6-1718804191624.png

For MAMAs and Chow Mein to exchange route information, eBGP needs to be configured, with remote AS neighboring. Since the HQ MX at MAMAs Spaghetti uses Routed Mode, a Source Interface for BGP needs to be set. In this case, it's the BGP transit vlan created  earlier.

rhbirkelund_7-1718804536917.png

The Gateway MX to Chow Mein is just in Concentrator mode, so the concept of VLANs is non-existent to it. eBGP is simply configured as such

rhbirkelund_8-1718804643375.png

 

Press Save, and BGP is running.

Let's verify by looking at the route table.

Chow Mein Gateway learned of 10.1.1.0/24, 10.1.2.0/24 and 10.1.3.0/24, which are subnets at MAMAs HQ network. These are learned from eBGP.

rhbirkelund_13-1718806402575.png

Also, it has 172.16.0.0/24, which is the Chow Mein Noodles Branch site subnet. This is learned from the MX via iBGP.

 

On the HQ MX at MAMAs we find both the BGP transit (as it is a local VLAN) but also the Chow Mein Branch site, learned from eBGP.

rhbirkelund_12-1718805931332.png

 

And on the Chow Mein Noodles Branch, we have MAMAs corporate subnets

rhbirkelund_14-1718806628154.png

Even though, these are not announced as Local Subnets on the Gateway MX.

rhbirkelund_15-1718806671586.png

If we enable another VLAN on HQ MX, to be in the VPN, we should now see 10.1.100.0/24 in the route table at Chow Mein Branch.

rhbirkelund_16-1718806775594.png

Which we now do.

 

A packet capture on MAMAs Spaghetti's HQ MX LAN, shows the BGP keepalive messaging as well.

rhbirkelund_17-1718807364694.png

 

Can MAMAs Spaghetti Ping Chow Mein Branch? Yes, yes they can.

rhbirkelund_18-1718807483514.png

And the other way around

rhbirkelund_19-1718807547435.png

 

 

So what have the IT departments at MAMAs Spaghetti and Chow Mein Noodles achieved? Using BGP to dynamically update routing information across to fabrics, the HQ simply has to create a new network on their MX, and enable is for VPN. Also, Chow Mein Noodles, and open and close new branch stores, quickly.

After that, the MX automagically propagates it throughout the both AutoVPN fabrics, without having to manually maintain static routing information.

 

LinkedIn ::: https://blog.rhbirkelund.dk/

Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂

All code examples are provided as is. Responsibility for Code execution lies solely your own.
3 Replies 3
ConnorL
Meraki Employee
Meraki Employee

Neat project! Thanks for sharing @rhbirkelund 

PhilipDAth
Kind of a big deal
Kind of a big deal

Great article and nice and detailed.

cmr
Kind of a big deal
Kind of a big deal

Excellent simple solution to a problem that looked horrendous!

If my answer solves your problem please click Accept as Solution so others can benefit from it.
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels