Meraki

Community

I'm not sure what hub-spoke means in Auto VPN.

Solved
KSM
Here to help
‎Jan 4 2024 8:32 PM
‎Jan 4 2024 8:32 PM

I'm not sure what hub-spoke means in Auto VPN.

Hi`

 

I have it configured as shown below.

 

From: Branch
Destination: AWS internal server

 

The branch MX devices have registered vMX and IDC as hubs.

And on the IDC, we connected the AWS VPN as a backup.

I removed the hub setting for vMX from the branch, leaving only the IDC.

There are no hub settings between the IDC and vMX.

 

I thought this would automatically fail over to AWS VPN, but it didn't.

It seems that the Hub-Spoke use is just for centralization, and the MXs still share the subnet when the Hub is removed. Is this correct?

 

KSM_0-1704429102579.png

 

Labels:
0 Kudos
1 Accepted Solution
Brash
Kind of a big deal
Kind of a big deal
‎Jan 4 2024 10:43 PM
‎Jan 4 2024 10:43 PM

That's correct. Every network in the Auto-VPN can (by default) reach every other network.

The hub and spoke model is designed to limit the overhead of creating a full mesh of tunnels to every MX/Branch.

 

Spoke to spoke communication (in this case tunneled via the hub) can be prevented using site-to-site firewall rules.

View solution in original post

7 Replies 7
ww
Kind of a big deal
Kind of a big deal
‎Jan 4 2024 10:41 PM
‎Jan 4 2024 10:41 PM

Non meraki vpn subnets cant be reached from mx devices that do not have the non meraki vpn itself.

In response to ww
KSM
Here to help
‎Jan 22 2024 8:40 PM
‎Jan 22 2024 8:40 PM

Hi @ww 

 

Thank you for your response.
We are configured to use a non-meraki vpn to communicate with aws when vMX is down.

0 Kudos
Brash
Kind of a big deal
Kind of a big deal
‎Jan 4 2024 10:43 PM
‎Jan 4 2024 10:43 PM

That's correct. Every network in the Auto-VPN can (by default) reach every other network.

The hub and spoke model is designed to limit the overhead of creating a full mesh of tunnels to every MX/Branch.

 

Spoke to spoke communication (in this case tunneled via the hub) can be prevented using site-to-site firewall rules.

In response to Brash
KSM
Here to help
‎Jan 22 2024 8:48 PM
‎Jan 22 2024 8:48 PM

Hi @Brash 

 

First of all, thank you for your response.

 

As you say, the hub-spoke feature reduces overhead by preventing VPN connections between spoke<->spoke, and eases firewall policy by forcing them to communicate with the hub, correct?

 

Thank you!

0 Kudos
In response to KSM
Brash
Kind of a big deal
Kind of a big deal
‎Jan 23 2024 3:18 PM
‎Jan 23 2024 3:18 PM

i believe the primary advantage of hub-spoke model is it decreases the overhead on the branch MX's. 

In a full mesh setup, you end up creating a lot of tunnels which at scale has a performance impact. The number of tunnels grows incredibly quickly with additional branches and/or WAN connections.

The advantage of hub-spoke is that the branches will only ever have tunnels to the hub, thereby vastly decreasing the number of required tunnels.

 

This doc has some good details about it.

https://documentation.meraki.com/Architectures_and_Best_Practices/Auto_VPN_Hub_Deployment_Recommenda...

0 Kudos
rhbirkelund
Kind of a big deal
Kind of a big deal
‎Jan 4 2024 11:56 PM
‎Jan 4 2024 11:56 PM

Imagine a bicycle wheel, with the hub in the centre, receiving the connection from each independent spoke..

LinkedIn ::: https://blog.rhbirkelund.dk/

Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂

All code examples are provided as is. Responsibility for Code execution lies solely your own.
In response to rhbirkelund
KSM
Here to help
‎Jan 22 2024 8:51 PM
‎Jan 22 2024 8:51 PM

Hi @rhbirkelund 

 

Yes. I understood the topology as you said.
 
However, I was wondering why devices connected to AUTO VPN automatically share IP bands without adding hubs on the spokes.
 
Thank you
0 Kudos
li.common.scroll-to.top
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.