Migrating to a new MX for primary site when all remotes are set up as VPN hub

CB

I have a VPN network where all MX devices are configured as Hub (Full Mesh). I want to install a new MX at the primary site and migrate the remote sites one at a time to use the new MX for the same networks. This means I would advertise the same routes from 2 sites to the VPN. One option would be to move all remotes to Spokes instead of Hub (Full Mesh), but I wanted to see what my options are for leaving the sites as Hub and just advertising the same routes from 2 sites in Full Mesh mode? Thanks!

BrechtSchamp

Why do you want to do the migration one by one? Seems to me you're only making it more complicated, as you'll have two routers in your primary site at the same time. That brings questions and issues like which one will be the default gateway, etc.

While it should be a pretty easy job:

  • Install the new MX in parallel
  • Connect it to the internet and add it to a dummy network to get it to the correct firmware version, so you don't lose time with that step later. Once it is up to date, remove it from the dummy network.
  • Remove the old MX from the network in the dashboard and patch the connections over to the new MX
  • Assign the new MX to the network (you might have to do the static IP settings on the uplinks again)
  • All other settings of the old MX should automatically return

This should be a pretty quick job if well prepared.

We want to take a staged approach as opposed to cutting all the sites over at once to the new MX. I am looking for options that would allow both MX devices to be connected simultaneously. If possible, I would prefer to build a separate VPN cloud as opposed to having just one for the entire org.

PhilipDAth

You cannot have two AutoVPN nodes (spoke or hub) directly attached to the same subnet - the dashboard won't allow you to configure this.
You can have a hub with a stub network connecting to another layer 3 device (such as a layer 3 switch) that uses a static route to the ultimate network - and redistribute that into AutoVPN.

If you use this method, then you can have more than one MX advertise that same route.

However, there are caveats. It only uses one of the MXs advertising the route. Also, I don't think the failover works in all cases.

To make it really work you need to be using the hubs in VPN concentrator mode, and BGP peer to another layer 3 device, and rely on that to inject the routes into AutoVPN.
All in all - don't do it.  Just arrange for 10 minutes of downtime, and cut across to using the new units.
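The core constraint in this thread is that two AutoVPN nodes must not advertise the same directly attached subnet, which is exactly what a staged migration with old and new MX both online at the primary site would produce. The script below is an added example for readers of this thread, not code posted by anyone in it and not a Cisco Meraki tool. It audits a set of per-network site-to-site VPN settings for conflicting advertisements before anything is pushed to the dashboard. It assumes each network's settings follow the shape the Meraki Dashboard API returns for GET /networks/{networkId}/appliance/vpn/siteToSiteVpn (fields `mode`, `hubs`, and `subnets` with `localSubnet`/`useVpn`); the network names and prefixes are constructed sample data. It goes a little beyond the exact-duplicate case the dashboard rejects and also flags overlapping prefixes, since those create the same ambiguous routing.

```python
"""Pre-migration audit: find AutoVPN subnets advertised from more than one network.

Added example, not from the thread or from Cisco Meraki. Assumes the per-network
settings dictionaries follow the Meraki Dashboard API shape for
GET /networks/{networkId}/appliance/vpn/siteToSiteVpn:
{"mode": "hub"|"spoke"|"none", "hubs": [...], "subnets": [{"localSubnet", "useVpn"}]}
"""
import ipaddress

# Constructed sample data modelling the situation in the thread: the old and the
# new primary-site MX both export 10.10.0.0/24 into AutoVPN as full-mesh hubs.
SAMPLE_VPN_SETTINGS = {
    "Primary-Old": {"mode": "hub", "hubs": [], "subnets": [
        {"localSubnet": "10.10.0.0/24", "useVpn": True},
        {"localSubnet": "10.10.99.0/24", "useVpn": False},  # not exported
    ]},
    "Primary-New": {"mode": "hub", "hubs": [], "subnets": [
        {"localSubnet": "10.10.0.0/24", "useVpn": True},    # duplicate of Primary-Old
    ]},
    "Branch-A": {"mode": "hub", "hubs": [], "subnets": [
        {"localSubnet": "10.20.0.0/24", "useVpn": True},
    ]},
    "Branch-B": {"mode": "hub", "hubs": [], "subnets": [
        {"localSubnet": "10.20.0.128/25", "useVpn": True},  # overlaps Branch-A
    ]},
}


def advertised_subnets(vpn_settings):
    """Return a list of (network_name, ip_network) for every subnet a network
    exports into AutoVPN. Networks with mode "none" and subnets with
    useVpn=False advertise nothing and are skipped."""
    advertised = []
    for name, cfg in vpn_settings.items():
        if cfg.get("mode", "none") == "none":
            continue
        for entry in cfg.get("subnets", []):
            if entry.get("useVpn"):
                prefix = ipaddress.ip_network(entry["localSubnet"], strict=False)
                advertised.append((name, prefix))
    return advertised


def find_conflicts(vpn_settings):
    """Compare every pair of advertised subnets from different networks.

    Returns a sorted list of tuples
    (kind, network_a, network_b, subnet_a, subnet_b) where kind is
    "duplicate" for identical prefixes (what the dashboard refuses to save)
    and "overlap" for prefixes that merely intersect."""
    advertised = advertised_subnets(vpn_settings)
    conflicts = []
    for i in range(len(advertised)):
        name_a, net_a = advertised[i]
        for j in range(i + 1, len(advertised)):
            name_b, net_b = advertised[j]
            if name_a == name_b or not net_a.overlaps(net_b):
                continue
            kind = "duplicate" if net_a == net_b else "overlap"
            conflicts.append((kind, name_a, name_b, str(net_a), str(net_b)))
    return sorted(conflicts)


def main():
    conflicts = find_conflicts(SAMPLE_VPN_SETTINGS)
    if not conflicts:
        print("No conflicting AutoVPN advertisements found.")
        return
    for kind, a, b, sa, sb in conflicts:
        print(f"{kind.upper():9} {a} advertises {sa}, {b} advertises {sb}")


if __name__ == "__main__":
    main()
```

Running the audit against the real organization would mean replacing `SAMPLE_VPN_SETTINGS` with the API responses for each network; the duplicate it reports for the two primary-site MXs is the configuration the thread says cannot coexist, so it has to be resolved (by cutover, or by the stub-network/BGP design described above) before the second hub is brought online.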
