I'm not sure what hub-spoke means in Auto VPN.

Solved
KSM
Here to help

Hi

I have it configured as shown below.

 

From: Branch
Destination: AWS internal server

 

The branch MX devices have registered vMX and IDC as hubs.

And on the IDC, we connected the AWS VPN as a backup.

I removed the hub setting for vMX from the branch, leaving only the IDC.

There are no hub settings between the IDC and vMX.

 

I thought this would automatically fail over to AWS VPN, but it didn't.

It seems that the Hub-Spoke use is just for centralization, and the MXs still share the subnet when the Hub is removed. Is this correct?


7 Replies
ww
Kind of a big deal

Non-Meraki VPN subnets can't be reached from MX devices that do not have the non-Meraki VPN themselves.

KSM
Here to help

Hi @ww 

 

Thank you for your response.
We are configured to use a non-Meraki VPN to communicate with AWS when the vMX is down.

Brash (Accepted Solution)
Kind of a big deal

That's correct. Every network in the Auto-VPN can (by default) reach every other network.

The hub and spoke model is designed to limit the overhead of creating a full mesh of tunnels to every MX/Branch.

 

Spoke to spoke communication (in this case tunneled via the hub) can be prevented using site-to-site firewall rules.

KSM
Here to help

Hi @Brash 

 

First of all, thank you for your response.

 

As you say, the hub-spoke feature reduces overhead by preventing VPN connections between spoke<->spoke, and eases firewall policy by forcing them to communicate with the hub, correct?

 

Thank you!

Brash
Kind of a big deal

I believe the primary advantage of the hub-spoke model is that it decreases the overhead on the branch MXs.

In a full mesh setup, you end up creating a lot of tunnels which at scale has a performance impact. The number of tunnels grows incredibly quickly with additional branches and/or WAN connections.

The advantage of hub-spoke is that the branches will only ever have tunnels to the hub, thereby vastly decreasing the number of required tunnels.

 

This doc has some good details about it.

https://documentation.meraki.com/Architectures_and_Best_Practices/Auto_VPN_Hub_Deployment_Recommenda...
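The two points made in this thread, that spokes only build tunnels to their hubs (so the tunnel count scales with the number of hubs rather than the number of sites) and that spoke-to-spoke traffic hairpinning through a hub is still reachable by default until a site-to-site firewall rule blocks it, as an added Python model. This is illustrative code written for this discussion, not Meraki code or the Dashboard API; the one-tunnel-per-uplink-pair count, the hub-to-hub mesh, the first-match-wins rule evaluation with an implicit final allow, and the site names and subnets (IDC, vMX, Branch-A, Branch-B, 10.x/172.16.x) are all constructed assumptions.

```python
"""Added model of Auto VPN hub-and-spoke scaling and spoke-to-spoke control.

Illustrative code written for this thread, not Meraki code. Assumptions:
- one tunnel per WAN-uplink pair between two peers (dual WAN on both
  sides = 4 tunnels); hubs are fully meshed with each other.
- site-to-site firewall rules are evaluated top-down, first match wins,
  and end in an implicit allow, which is why spoke-to-spoke traffic
  passes unless a deny rule is added.
"""
from itertools import combinations
import ipaddress


def tunnel_count_full_mesh(n_sites, uplinks=1):
    """Every site peers with every other site: C(n, 2) pairs."""
    return n_sites * (n_sites - 1) // 2 * uplinks ** 2


def tunnel_count_hub_spoke(n_spokes, n_hubs, uplinks=1):
    """Spokes peer only with hubs; hubs peer with each other (assumed)."""
    pairs = n_spokes * n_hubs + n_hubs * (n_hubs - 1) // 2
    return pairs * uplinks ** 2


def auto_vpn_peers(hubs, spoke_hubs):
    """Set of unordered site pairs that get a tunnel in hub-and-spoke mode."""
    peers = set(combinations(sorted(hubs), 2))
    for spoke, its_hubs in spoke_hubs.items():
        for hub in its_hubs:
            peers.add(tuple(sorted((spoke, hub))))
    return peers


def vpn_path(src, dst, hubs, spoke_hubs):
    """Hop list for src -> dst, or None when no tunnel path exists.

    Spoke-to-spoke has no direct tunnel, so it hairpins through a hub both
    sites are registered with; this is why every network still reaches
    every other network even though only hub tunnels exist.
    """
    peers = auto_vpn_peers(hubs, spoke_hubs)
    if tuple(sorted((src, dst))) in peers:
        return [src, dst]
    for hub in hubs:
        if (tuple(sorted((src, hub))) in peers
                and tuple(sorted((hub, dst))) in peers):
            return [src, hub, dst]
    return None


def site_to_site_allowed(src_ip, dst_ip, rules):
    """Evaluate (policy, src_cidr, dst_cidr) rules top-down; default allow."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for policy, src_cidr, dst_cidr in rules:
        if (src in ipaddress.ip_network(src_cidr)
                and dst in ipaddress.ip_network(dst_cidr)):
            return policy == "allow"
    return True


# Constructed sample topology echoing the thread: two hubs, two branches.
HUBS = ["IDC", "vMX"]
SPOKE_HUBS = {"Branch-A": ["IDC", "vMX"], "Branch-B": ["IDC"]}
SUBNETS = {"Branch-A": "10.1.0.0/16", "Branch-B": "10.2.0.0/16",
           "IDC": "10.10.0.0/16", "vMX": "172.16.0.0/16"}  # made-up ranges
# A deny pair is enough to stop Branch-A <-> Branch-B hairpinning via IDC.
RULES = [
    ("deny", SUBNETS["Branch-A"], SUBNETS["Branch-B"]),
    ("deny", SUBNETS["Branch-B"], SUBNETS["Branch-A"]),
]


if __name__ == "__main__":
    print("50 sites, dual WAN, full mesh:", tunnel_count_full_mesh(50, 2))
    print("50 spokes, 2 hubs, dual WAN  :", tunnel_count_hub_spoke(50, 2, 2))
    print("Branch-A -> Branch-B path    :",
          vpn_path("Branch-A", "Branch-B", HUBS, SPOKE_HUBS))
    print("Branch-A -> vMX path         :",
          vpn_path("Branch-A", "vMX", HUBS, SPOKE_HUBS))
    print("A -> B allowed by rules?     :",
          site_to_site_allowed("10.1.5.9", "10.2.7.1", RULES))
    print("A -> vMX side allowed?       :",
          site_to_site_allowed("10.1.5.9", "172.16.3.4", RULES))
```

With 50 dual-WAN sites the model gives 4900 tunnels for a full mesh versus 404 for two hubs, which is the overhead difference the reply describes; the path function shows Branch-A still reaches Branch-B through IDC after vMX is dropped as a hub, and only the explicit deny rules change that.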

rhbirkelund
Kind of a big deal

Imagine a bicycle wheel, with the hub in the centre, receiving the connection from each independent spoke.

LinkedIn ::: https://blog.rhbirkelund.dk/

KSM
Here to help

Hi @rhbirkelund 

 

Yes. I understood the topology as you said.
 
However, I was wondering why devices connected to AUTO VPN automatically share IP bands without adding hubs on the spokes.
 
Thank you