Meraki + DMVPN

shawn001
Conversationalist


The existing infrastructure comprises two hub routers in the DC, and there are about 100+ spoke routers spread across states. The DMVPN solution for these Cisco devices works great; however, we are bringing in the Meraki MX64 to replace the spoke routers. A couple of questions:

 

1. What is the best design and security practice to implement Meraki into a Cisco environment?

2. Tried setting up Auto-VPN with the Cisco (Hub) router - DMVPN IKEv1&2 and no luck, has everyone done this?

3. Is Passthrough or VPN Concentrator mode an option in this case? 

 

Any suggestions would be appreciated. Thanks! Please feel free to share a diagram and explanation, as I am new to Meraki products.

 

PhilipDAth
Kind of a big deal

You should install a pair of warm spare MX units in your DC configured as AutoVPN hubs. Based on the number of spokes, I'd go for a pair of MX100s.

 

Then as you move sites from DMVPN to AutoVPN just update the DC routing.

 

Check out this guide first:

https://documentation.meraki.com/Architectures_and_Best_Practices/Cisco_Meraki_Best_Practice_Design/... 

 

This guide is a bit over the top for what you are doing but might be of interest.

https://documentation.meraki.com/Architectures_and_Best_Practices/Auto_VPN_Hub_Deployment_Recommenda... 

shawn001
Conversationalist

Thank you, the articles are really helpful.

Regarding your response, "install a pair of warm spare MX units in your DC configured as AutoVPN hubs": of the following scenarios listed in the first document, which one is most favorable in this case?

 

• MX at the datacenter deployed as a one-armed concentrator
• Warm spare/High Availability at the datacenter
• OSPF route advertisement for scalable upstream connectivity to connected VPN subnets
• Datacenter redundancy
• Split tunnel VPN from the branches and remote offices
• Dual WAN uplinks at all branches and remote offices

 

Thanks again.

PhilipDAth
Kind of a big deal

>Warm spare/High Availability at the datacenter

 

You should do this.

 

 

I don't know enough about your environment to answer the other scenarios. That is where you would typically get a Cisco Meraki architect to help you.

I would hope most Cisco Partners could help with this.

 

https://locatr.cloudapps.cisco.com/WWChannels/LOCATR/openBasicSearch.do 

Nash
Kind of a big deal

Seconding Philip's recommendation to reach out to a Cisco/Meraki partner for more detailed environment planning. Once you get into the fine details, you get what you pay for.

shawn001
Conversationalist

Thanks for your response, progress has been made. The device successfully connected as a VPN concentrator.

Auto-VPN status is green, VPN Registry: Connected, NAT type: Friendly, and Encrypted.

However, site-to-site peer status/connectivity is red, usage: none, 0ms.

Modified the upstream route a couple of times; there is something missing. Kindly point me in the right direction: correct the route statement or use OSPF?

Thanks in advance

RichardChen1
Getting noticed

Which migration step did you take eventually?

 

I have migrated DMVPN to Meraki before with a hub VPN concentrator + static route between the hub DMVPN router.
