MX to MX OSPF

SOLVED
Terry_Watson
Conversationalist


Hi

 

I currently run OSPF between an MX located in our main campus and the Cisco L3 switch which connects the MX to our main LAN. I'm looking at building a significantly larger Meraki network at a remote site that will use HA MX250 and MS425 as a L3 distribution switch with an SVI to the branch MX, i.e. the branch MX will not be directly connected to the multiple VLAN/Subnets at the remote site.

 

Question - While I can configure OSPF on the MS425 and branch MX, will the branch MX form an OSPF neighbour with the MX at the main campus site?

CptnCrnch
Kind of a big deal

Unfortunately, MX will only advertise, not receive OSPF routes:

https://documentation.meraki.com/MX/Site-to-site_VPN/Using_OSPF_to_Advertise_Remote_VPN_Subnets

 

"Note: Please note that the MX will only advertise Meraki Auto VPN routes (including static routes shared into Auto VPN) with OSPF. The MX will need static routes configured for any other local subnets."

Hi Captain

 

Thanks for taking the trouble to respond.  Next time I'll RTFM properly!

 

Terry

Nash
Kind of a big deal

It's a bit of a strange implementation. I once saw it completely baffle a room full of folks who'd been doing OSPF for years, so please don't feel bad for not catching it.

Hey @Terry_Watson,

 

You said these are two different sites? So is the intention to run AutoVPN between the two MX's at each location? If so then you do not need OSPF to propagate routes between MX's as that is handled by the Cloud. 

 

In the Site to Site VPN settings, there's a section to select which local networks participate in the VPN. By selecting a network to participate you are actually configuring a route to be propagated to VPN peers via the Cloud control plane. It's due to this that no OSPF is needed.

 


 

https://documentation.meraki.com/MX/Site-to-site_VPN/Meraki_Auto_VPN

 

But on the LAN side of an MX appliance @CptnCrnch has it bang on, the MX can advertise routes, but it will not install OSPF learned routes in its routing table. Also, watch out for the VLANs must be disabled requirement to even enable OSPF!

 

 

Hi jdsilva

 

Yes there would be an Auto VPN between the HQ and the Branch and therefore the MXs at either end would automatically share routes. 

 

However, what I had wanted to do was only configure the branch subnets on the MS425 and then route traffic to the branch MX over a separate subnet.  I would then run OSPF on the MS425 and branch MX so the branch MX would learn about the branch subnets.  As I am currently running OSPF between our core MX and main Cisco network I had thought it would be a nice solution to link these two separate instances of OSPF into one OSPF Area, i.e. all the way from the Cisco L3 switch at our HQ, all the way to the branch MS425.

 

As the MX cannot receive routing information over an Auto VPN this will not work. 

 

You have highlighted another issue in that if I do not configure all the subnets on the branch MX, how do I tell the branch MX to allow these subnets over the Auto VPN?  There must be a way as there would be little point in having a core/distribution layer in the Meraki solution.  I'm looking into that now!

 

Kind Regards


@Terry_Watson wrote:

 

You have highlighted another issue in that if I do not configure all the subnets on the branch MX, how do I tell the branch MX to allow these subnets over the Auto VPN?  There must be a way as there would be little point in having a core/distribution layer in the Meraki solution.  I'm looking into that now!

 


This is doable, though slightly painful. You are also able to have static routes participate in AutoVPN. Since the MX can't learn routes from the MS anyway, you're going to need to add one or more static routes to the MX for subnets downstream of the MS. If you add one route for each subnet (instead of one supernet route) you will then be able to add each static route (subnet) into the AutoVPN individually.

Thanks jdsilva

 

I had found the VPN check box on the static route creation page. What I will probably do, because I will be creating a lot of branch subnets, is create a single summary static route and then control access to the VPN using firewall rules.

 

Thanks for all your feedback
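
Added example, not part of the thread and not Meraki code: the two options discussed above (one static route per subnet versus a single summary route plus firewall rules) differ in how much address space ends up shared into the Auto VPN. This Python sketch computes the smallest summary prefix for a set of branch subnets and lists the space inside it that no real subnet uses, which is what the firewall rules then have to account for. The subnets and function names are constructed for illustration, and IPv4 is assumed.

```python
import ipaddress

# Constructed sample: subnets routed by the branch MS425 (not taken from the thread).
BRANCH_SUBNETS = ["10.20.10.0/24", "10.20.20.0/24", "10.20.30.0/24", "10.20.40.0/23"]


def summary_route(subnets):
    """Return the smallest single prefix that covers every subnet in the list."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    first = min(n.network_address for n in nets)
    last = max(n.broadcast_address for n in nets)
    # Start from a host route on the lowest address and widen one bit at a
    # time until the highest address also falls inside the prefix.
    candidate = ipaddress.ip_network(f"{first}/{first.max_prefixlen}")
    while last not in candidate:
        candidate = candidate.supernet()
    return candidate


def unallocated_space(summary, subnets):
    """Return the prefixes inside `summary` that match no listed subnet."""
    remaining = [summary]
    for net in (ipaddress.ip_network(s) for s in subnets):
        kept = []
        for block in remaining:
            if net.subnet_of(block):
                # Carve the real subnet out of the block, keep the rest.
                kept.extend(block.address_exclude(net))
            elif not block.subnet_of(net):
                # Disjoint from this subnet: still unallocated.
                kept.append(block)
        remaining = kept
    return sorted(remaining)


if __name__ == "__main__":
    summary = summary_route(BRANCH_SUBNETS)
    gaps = unallocated_space(summary, BRANCH_SUBNETS)
    used = sum(ipaddress.ip_network(s).num_addresses for s in BRANCH_SUBNETS)
    print(f"summary static route : {summary} ({summary.num_addresses} addresses)")
    print(f"allocated to subnets : {used} addresses")
    print(f"shared but unused    : {sum(g.num_addresses for g in gaps)} addresses")
    for gap in gaps:
        print(f"  not a real subnet  : {gap}")
```

With per-subnet static routes the "shared but unused" figure is zero by construction; with the summary route, anything later addressed inside those gaps is reachable over the VPN unless a rule blocks it.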
