Migration - BGP

Sanman
Here to help

I am going through a change in network design as we are adding new hub locations (primary and secondary DC) with new MXs as one-armed concentrators.
All spoke sites are on AutoVPN pointing to the existing HUBs (head office and secondary site). The first step of my migration is to enable BGP on the new DC Hubs.
Second step - migrate one site at a time. Change the HUB priority on the first spoke site to the new HUB sites. Traffic starts using the new HUB.
Third step - then do the same for all others.
Final step - change the existing HUB to a spoke and point it to the new HUB.
 
Question:
1. It seems that when BGP is enabled, it takes effect on an organizational level. If all spokes are still pointing to the existing HUB as a start? Does enabling BGP create a problem? I could see iBGP being formed between all HUB and Spoke even if Spoke is pointing to the existing HUB.
2. When a spoke has the new HUB as the primary hub, I am assuming that the spoke starts sending traffic to the new HUB?
3. Spokes still pointing to the existing HUB will route via the old HUB? 
 
Thank you in advance. 

 

alemabrahao
Kind of a big deal

 

Key Concepts

Before deploying BGP, it is important to understand several key concepts.

Concentrator Mode

All MXs can be configured in either NAT or VPN concentrator mode. There are important considerations for both modes. For more detailed information on concentrator modes, click here.

One-Armed Concentrator

In this mode, the MX is configured with a single Ethernet connection to the upstream network. All traffic will be sent and received on this interface. This is the recommended configuration for MX appliances serving as VPN termination points into the datacenter.

NAT Mode

  • iBGP establishes relationships over AutoVPN and will establish and exchange routes between:
    • A BGP peer acting as a One-Armed Concentrator in the DC and
    • A NAT mode MX.
  • eBGP peer relationships are not supported on NAT Mode MX devices. eBGP is only supported on one-armed (pass-through) concentrators.

VPN Topology

There are several options available for the structure of the VPN deployment.

Hub and Spoke

In a hub and spoke configuration, the MX security appliances at the branches and remote offices connect directly to specific MX appliances and will not form tunnels to other MX or Z-series devices in the organization. Communication between branch sites or remote offices is available through the configured VPN hubs. This is the recommended VPN topology for most deployments.

 

https://documentation.meraki.com/MX/Networks_and_Routing/BGP

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
RaphaelL
Kind of a big deal

1. It seems that when BGP is enabled, it takes effect on an organizational level. Yes and no. If all spokes are still pointing to the existing HUB as a start? What's the question? Does enabling BGP create a problem? Depends on the setup. I could see iBGP being formed between all HUB and Spoke even if Spoke is pointing to the existing HUB.
2. When a spoke has the new HUB as the primary hub, I am assuming that the spoke starts sending traffic to the new HUB? Should be.
3. Spokes still pointing to the existing HUB will route via the old HUB? 
 
 
HUB_1_NEW can be 'bgp enabled' while HUB_1_OLD is not. 
Only 1 AS per Org.
 
All spokes that are using HUB_1_NEW as an exit hub will be advertised via eBGP to the neighbor configured.
All spokes that are still using HUB_1_OLD as an exit hub will remain unchanged.
 
I'm not sure if it's still the case, but hubs used to form iBGP neighbors between them. You had to ask support to enable a backend option 'NO_HUB_TO_HUB'. But I could be wrong. We were one of the first running BGP a while ago. It might have changed.
 
 

Thank you alemabrahao and RaphaelL. What happens in the scenario when the first site is migrated to the new HUB, but the other existing spoke sites are still pointing to the existing HUB? How does the traffic route between the spoke routed via the new HUB and the rest of the spokes that are still pointing to the existing HUB?

ww
Kind of a big deal

In case you just add the new hub to one spoke as primary hub:

Spoke new - hub new - hub old - spoke old

And

Spoke old - hub old - spoke new
