Help needed to advertise remote vpn route to branches

Khairil
Here to help

Hi guys, I've a situation here for one of our customers site. The situation is like this.

Site situation: HQ (1 MX84 and 1 MS120) and 8 branches (each has 1 MX68 and 1 MS120), with each site using an IP subnet in the 172.16.X.X range. All sites are in mesh VPN to each other.

The HQ MX is in routed mode (multiple VLAN interfaces configured on the MX) because only a layer 2 switch (MS120) is used.

The HQ MX has a non-Meraki VPN connection to AWS cloud for user servers (remote subnet 10.0.0.0/8). I need to configure it so that branches can reach AWS cloud through the HQ MX.

I've read in the documentation: "Please note if MX devices in Routed mode only support OSPF on firmware versions 13.4+, with VLANs disabled. OSPF is otherwise supported when the MX is in passthrough mode on any available firmware version. This can be set under Security & SD-WAN > Configure > Addressing & VLANs."

How can I advertise the remote subnet 10.0.0.0/8 to the branches, since I can't enable OSPF here on the HQ MX due to the restriction above? I can't disable the VLANs at HQ. Is there another method to make sure branches can reach the AWS cloud servers through the HQ MX?

Thanks in advance.

alemabrahao
Kind of a big deal

Have you tried to create a source-based route?


I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Hi, I can't do this because what I want is the route towards 10.0.0.0/8 only to go through the HQ MX, not as a default route.

alemabrahao
Kind of a big deal

In this case, I think you have two possible solutions. Like @ww said, you have to configure a non-Meraki VPN from every branch to that destination, or you can configure S2S in your HQ with another system (like a Linux box, for example), create a static route and advertise it on Auto VPN.

ww
Kind of a big deal

You can't access non-Meraki VPN routes through another location's Auto VPN. Every branch needs a non-Meraki VPN to that destination.

If you want the route to be available through HQ, you need another device behind the HQ MX and let that device build the AWS tunnel. Then make a static route from the MX to that device for the AWS routes, and advertise that static route in the Auto VPN.
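To see why the "another device behind the HQ MX" design works where a branch default route does not, here is an added Python model of the thread's topology (not Meraki code; the site numbering, the /24 per site and the gateway address 172.16.0.250 for the tunnel device behind the HQ MX are constructed assumptions). Each site gets a routing table, lookups use longest-prefix match as a router would, and `trace` follows a packet across the Auto VPN fabric until it leaves it. With the HQ static route advertised, branch traffic to 10.0.0.0/8 hairpins through HQ to the tunnel device while internet traffic still leaves the branch's own WAN; without the advertisement, the branch's default route swallows the AWS traffic.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str   # "local", "wan", "autovpn:<site>" or a gateway IP
    origin: str     # "connected", "static", "autovpn" or "default"


def route(prefix, next_hop, origin):
    return Route(ipaddress.ip_network(prefix), next_hop, origin)


# Constructed topology: HQ plus eight branches, one /24 each inside 172.16.0.0/16
SITES = {"HQ": "172.16.0.0/24"}
SITES.update({f"Branch{i}": f"172.16.{i}.0/24" for i in range(1, 9)})
AWS_PREFIX = "10.0.0.0/8"
AWS_GATEWAY = "172.16.0.250"   # constructed: Linux box behind the HQ MX that terminates the AWS tunnel


def hub_table():
    """HQ MX: connected VLAN, Auto VPN routes to every branch, a static route for the
    AWS prefix pointing at the tunnel device, and a default route out the WAN."""
    table = [route(SITES["HQ"], "local", "connected")]
    table += [route(net, f"autovpn:{site}", "autovpn") for site, net in SITES.items() if site != "HQ"]
    table.append(route(AWS_PREFIX, AWS_GATEWAY, "static"))
    table.append(route("0.0.0.0/0", "wan", "default"))
    return table


def branch_table(name, hq_advertises_aws=True):
    """Branch MX: connected VLAN, Auto VPN routes to all other sites, optionally the
    AWS prefix learned from HQ over Auto VPN, and its own default route."""
    table = [route(SITES[name], "local", "connected")]
    table += [route(net, f"autovpn:{site}", "autovpn") for site, net in SITES.items() if site != name]
    if hq_advertises_aws:
        table.append(route(AWS_PREFIX, "autovpn:HQ", "autovpn"))
    table.append(route("0.0.0.0/0", "wan", "default"))
    return table


def lookup(table, dst):
    """Longest-prefix match: the most specific route wins; the default route only
    matches when nothing more specific does."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


def table_for(site, hq_advertises_aws=True):
    return hub_table() if site == "HQ" else branch_table(site, hq_advertises_aws)


def trace(site, dst, hq_advertises_aws=True):
    """Follow a packet site by site until it leaves the Auto VPN fabric.
    Returns the list of sites visited followed by the final next hop."""
    path = [site]
    r = lookup(table_for(site, hq_advertises_aws), dst)
    while r is not None and r.next_hop.startswith("autovpn:"):
        site = r.next_hop.split(":", 1)[1]
        path.append(site)
        r = lookup(table_for(site, hq_advertises_aws), dst)
    path.append(r.next_hop if r else "unroutable")
    return path


if __name__ == "__main__":
    for dst in ("10.1.2.3", "8.8.8.8", "172.16.5.7"):
        print(dst, "advertised:", trace("Branch3", dst),
              "not advertised:", trace("Branch3", dst, hq_advertises_aws=False))
```

Run it as-is to print the three cases for Branch3: AWS traffic goes Branch3 → HQ → tunnel device only when HQ advertises the static route; internet traffic never touches HQ in either case, which is the difference between this design and pointing a branch default route at the hub.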

Khairil
Here to help

I will try the 2nd option and see whether this works well.

PhilipDAth
Kind of a big deal

@ww is right. The simplest solution would be to get a vMX-S.

https://meraki.cisco.com/product/security-sd-wan/virtual-appliances/vmx-small/ 

Thanks for your reply; unfortunately the customer doesn't want to purchase this.

@PhilipDAth is spot-on; using a vMX in AWS is so much more powerful, I would have thought the extra cost would be small in comparison.

Also worth including in the thread; here's the story on hairpinning Auto VPN to non-Meraki VPN through a common hub: https://documentation.meraki.com/MX/Networks_and_Routing/MX_Routing_Behavior#AutoVPN_and_Non-Meraki_...
