Meraki

Community

Hub-spoke Topology VPN tunnel

Alan1
Here to help
‎Oct 17 2021 8:55 PM
‎Oct 17 2021 8:55 PM

Hub-spoke Topology VPN tunnel

Hi All,

 

my question is I have hub and spoke topology for 400 branches, vMX-Meduim-Azure, the max are 250 site-to-site VPN

 

each branch with two wan links, so if I need to configure each group of spokes that will be 50 per group, for simplicity lets focus on group 1 (50 spokes) and Group 2 (50 spokes)

 

group1 will be configured as spoke (add two hubs, hub1 then hub2), that mean 100 vpn tunnels per hub

group 2 will be configured same as spoke ( add two hubs, hub2 then hub1), that mean 100 vpn tunnels per hub

the total number for each hub is 200 vpn tunnels

 

my two questions are:

1- adding two hubs means tunnels will be established from spokes to hubs but only traffic will be preferred based on hubs order, right?

2- is there any better solution as now I need to have 8 vmxs for only 400 branches

0 Kudos
4 Replies 4
cmr
Kind of a big deal
Kind of a big deal
‎Oct 18 2021 11:14 AM
‎Oct 18 2021 11:14 AM

@Alan1 if you have 2x WAN links per spoke and 400 branches along with 2x hubs then yes, you will have 400x2x2 + 1x between each hub, so a little over 1,600 tunnels. 

 

If you want to run them in Azure then the largest hub support 250 tunnels and 500Mb/s of throughput so you would need 7 by my count as they don't have to be in pairs.

 

If you can run them in AWS then you only need 2x large vMXs, might be worth asking your sales rep if there is any data on when the large is coming to Azure.  This also applies to a pair of MX250 physical MXs which you could then possibly express-route to Azure?

If my answer solves your problem please click Accept as Solution so others can benefit from it.
In response to cmr
Alan1
Here to help
‎Oct 18 2021 7:20 PM
‎Oct 18 2021 7:20 PM

Thanks a lot cmr for your reply and clarification

0 Kudos
Bruce
Kind of a big deal
‎Oct 18 2021 7:10 PM
‎Oct 18 2021 7:10 PM

@Alan1, if you're only looking for a failover solution on the SD-WAN solution, not active-active tunnels, then you could set the 'Active-Active AutoVPN' setting under 'Security & SD-WAN' to Disabled. This way a tunnel isn't built on the secondary link from the branches unless the primary fails, so halving the requirements.

In response to Bruce
Alan1
Here to help
‎Oct 18 2021 7:20 PM
‎Oct 18 2021 7:20 PM

Thanks Bruce that is one of the option that am studying now

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.