Meraki MX - Layer 2 VPN, stretched Subnet, DR site etc

SOLVED
MrMeraki
Here to help


Hey all,

 

An age old question/dilemma.....

 

Site A (HQ + production site), Site B (Data Centre and DR site)

 

We have identical virtual infrastructure at each site and use a replication/DR solution to migrate, shut down and fail over VMs at HQ to the DR site, and this all works fine. The issue is the file server on VLAN 10 at site A has 10.10.10.1/24 and when it is copied over it exists in VLAN 10 at site B, but it isn't routable because VLAN 10 at site B is the 10.10.11.0/24 range. Yes, we can re-IP to 10.10.11.1, but this won't be ideal for domain controllers etc.

 

Our HQ and DR site are connected via Meraki MX100's on VPN Auto Connect.

 

I could have sworn that Meraki introduced a solution to this about 12 months ago where you could have the same subnet at both ends, but they didn't participate in the VPN so didn't conflict?

 

What are people doing out there for a DR site using Meraki?

 

The old way used to be buying a Layer2 stretched circuit off your ISP such as a LAN extension (LES).

 

How can I get the same subnet on 2 Meraki sites that connect via Auto VPN?

1 ACCEPTED SOLUTION
KarstenI
Kind of a big deal

I think the feature you are looking for is "Site-to-site VPN Translation":

https://documentation.meraki.com/MX/Site-to-site_VPN/Using_Site-to-site_VPN_Translation

 

I sometimes implement it differently:

  • I have unique IP networks on both sides for the VM infrastructure and the replication process.
  • I use the same IP networks for the production VLANs but I don't route any traffic to the DR side.
  • In case of DR, routing changes to DR and is disabled on HQ.

Yes, it's a "poor man's DR", but it works quite well.


6 REPLIES 6

I guess what you are saying is create a mirror subnet in site B (DR) and just don't let it participate in the VPN until you want to fail over?

Inderdeep
Kind of a big deal

@MrMeraki: As @KarstenI said, site-to-site VPN translation is the right process for using the same subnet on multiple locations.

Configuration

To configure VPN subnet translation:

  1. Navigate to Security & SD-WAN > Configure > Site-to-site VPN.
  2. Set VPN subnet translation to Enabled. This will cause a new VPN subnet column to appear for the local networks. 
  3. For the local subnet that must be translated, set VPN participation to VPN on with translation.
  4. In the VPN subnet column enter a subnet of the same size as the Local subnet.
  5. Select Save changes.

Regards/Inder
Cisco IT Blogs awarded in 2020 & 2021
www.thenetworkdna.com
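As an added example (not code from this thread or from Meraki), the Python below models what the translation step does: the local subnet stays as it is on the LAN, but peers across Auto VPN reach it through the same-size "VPN subnet" chosen in step 4, with host bits kept. It also checks a two-site design for subnets that would overlap inside the VPN, using the 10.15.15.0/24 and 192.168.15.0/24 values from this thread; the 1:1 network-bits swap is an assumption about the mechanism, not Meraki's implementation.

```python
from ipaddress import IPv4Address, IPv4Network

# Subnets taken from this thread; the translation rule is a model, not Meraki's code.
HQ_LOCAL = "10.15.15.0/24"
DR_LOCAL = "10.15.15.0/24"    # the same VLAN/subnet recreated at the DR site
DR_VPN = "192.168.15.0/24"    # DR's translated "VPN subnet", same size as local

def translate(addr: str, local: str, vpn: str) -> IPv4Address:
    """Address a host in `local` is reached at over Auto VPN.

    Assumed 1:1 translation: network bits become those of `vpn`, host bits
    are kept, so DC01 at 10.15.15.10 is seen by peers as 192.168.15.10.
    """
    host, local_net, vpn_net = IPv4Address(addr), IPv4Network(local), IPv4Network(vpn)
    if local_net.prefixlen != vpn_net.prefixlen:
        raise ValueError(f"VPN subnet {vpn} must be the same size as local {local}")
    if host not in local_net:
        raise ValueError(f"{addr} is not inside {local}")
    offset = int(host) - int(local_net.network_address)
    return IPv4Address(int(vpn_net.network_address) + offset)

def untranslate(addr: str, local: str, vpn: str) -> IPv4Address:
    """Reverse mapping: the address a peer used -> the host's real address."""
    return translate(addr, vpn, local)

def check_topology(sites: dict) -> list:
    """Flag subnets that would collide inside one Auto VPN topology.

    `sites` maps a site name to {"local": cidr, "vpn": cidr or None}; vpn=None
    means the site advertises its local subnet unchanged. Empty list = clean.
    """
    problems, advertised = [], {}
    for name, cfg in sites.items():
        local_net = IPv4Network(cfg["local"])
        net = IPv4Network(cfg["vpn"]) if cfg.get("vpn") else local_net
        if net.prefixlen != local_net.prefixlen:
            problems.append(f"{name}: VPN subnet {net} is not the same size as {local_net}")
        for other, other_net in advertised.items():
            if net.overlaps(other_net):
                problems.append(f"{name} advertises {net}, overlapping {other}'s {other_net}")
        advertised[name] = net
    return problems

if __name__ == "__main__":
    print(translate("10.15.15.10", HQ_LOCAL, DR_VPN))  # 192.168.15.10
    print(check_topology({"HQ": {"local": HQ_LOCAL, "vpn": None},
                          "DR": {"local": DR_LOCAL, "vpn": DR_VPN}}))  # []
```

Giving both MXs the same translated subnet, or leaving both sites' identical local subnets untranslated, is reported as an overlap; only one side needs translation for the design to be clean.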

So if I have a server VLAN 10.15.15.0/32 at Site A that I want to make available at site B I do the following:

 

Switch work:

Create the same VLAN/subnet at site B and present it to the replicated VMs.

 

Create the MX static routes back to switches.

 

Enable Translation

Pick a new random subnet, e.g. 192.168.15.0/24

 

Question - do I do this at both sites (both MX's) with the same random subnet above?

 

Basically I want a server, e.g. DC01 with an IP of 10.15.15.10, to replicate, get shut down and be brought up in site B on 10.15.15.10, and be contactable as it always was, just at another site.

PhilipDAth
Kind of a big deal

What you want to do is get an L2 QinQ circuit (so it trunks all VLANs) between the two sites from your favourite service provider. Then you run the MXs as an HA pair, with the warm spare sitting in the DR site.

Yeah, we had this in my last org - it was called a LES (LAN Extension Service) from Virgin.

 

I don't really think this is an option for us as we're in contract on our leased lines and rather like the Auto VPN/SD-WAN stuff. Plus I'd imagine a QinQ is quite expensive?

 

 
