Hi
I have it configured as shown below.
From: Branch
Destination: AWS internal server
The branch MX devices have registered vMX and IDC as hubs.
And on the IDC, we connected the AWS VPN as a backup.
I removed the hub setting for vMX from the branch, leaving only the IDC.
There are no hub settings between the IDC and vMX.
I thought this would automatically fail over to AWS VPN, but it didn't.
It seems that the Hub-Spoke use is just for centralization, and the MXs still share the subnet when the Hub is removed. Is this correct?
That's correct. Every network in the Auto-VPN can (by default) reach every other network.
The hub and spoke model is designed to limit the overhead of creating a full mesh of tunnels to every MX/Branch.
Spoke to spoke communication (in this case tunneled via the hub) can be prevented using site-to-site firewall rules.
Non-Meraki VPN subnets can't be reached from MX devices that do not have the non-Meraki VPN itself.
Hi @ww
Thank you for your response.
We are configured to use a non-Meraki VPN to communicate with AWS when vMX is down.
Hi @Brash
First of all, thank you for your response.
As you say, the hub-spoke feature reduces overhead by preventing VPN connections between spoke<->spoke, and eases firewall policy by forcing them to communicate with the hub, correct?
Thank you!
I believe the primary advantage of the hub-spoke model is that it decreases the overhead on the branch MXs.
In a full mesh setup, you end up creating a lot of tunnels which at scale has a performance impact. The number of tunnels grows incredibly quickly with additional branches and/or WAN connections.
The advantage of hub-spoke is that the branches will only ever have tunnels to the hub, thereby vastly decreasing the number of required tunnels.
This doc has some good details about it.
Imagine a bicycle wheel, with the hub in the centre, receiving the connection from each independent spoke.
Hi @rhbirkelund