Meraki

Community

Multiple VLANs across AutoVPN

Solved
Jimbo1
Here to help
‎Jan 16 2021 8:55 AM
‎Jan 16 2021 8:55 AM

Multiple VLANs across AutoVPN

The scenario I'm thinking of is as follows:

 

Central Data Centre site with two MX84s in HA Mode. Remote site with a single MX67. Internet access at both sites (of course!). I want to support three VLANs on the remote site, Data, Voice and Wi-Fi, and I plan to run Split-Tunnel VPN  from the remote site to the Data Centre.

 

I know I can set up VLANs on the remote site, with a local SVI. I know I can set up VLANs on the central site, but my question is: "How do I set the MXs up so that the VLAN ID/traffic etc, is retained across the VPN?", so for example, the Data VLAN traffic created on the remote site emerges over a trunk port, in the right VLAN in the Data Centre.

 

I've Googled to no avail....there are suggestions that this should work but I can't find hard facts.

 

As a side issue, I believe if I'm going to do this, I can't run the Data Centre MXs in VPN Concentrator mode, but need to use Routed mode, and use two ports, not run the MX one-legged. That seems reasonable because the VPN will come in on one port (native VLAN) and will exit in a VLAN contained in a trunk on another port...is that right?

 

Any example documents showing how to do what I'm trying to do would be a bonus!

 

Thanks Guys!

 

Jim

0 Kudos
1 Accepted Solution
In response to Jimbo1
CptnCrnch
Kind of a big deal
Kind of a big deal
‎Jan 16 2021 9:57 AM
‎Jan 16 2021 9:57 AM

The subnets / IPs you‘re defining to be routed (https://documentation.meraki.com/MX/Site-to-site_VPN/Meraki_Auto_VPN#Auto_VPN_Configuration_Details „Choose which subnets (local networks) to export over VPN“) will be take part in your VPN and will arrive at the HQ completely unchanged, yes.

View solution in original post

0 Kudos
4 Replies 4
KarstenI
Kind of a big deal
Kind of a big deal
‎Jan 16 2021 9:24 AM
‎Jan 16 2021 9:24 AM

I'm pretty sure that this is not possible on the MX. With the right "traditional" Cisco gear you can run something like MPLS pseudowire or other bridging technologies. But: Too many attempts to do a long distance bridging in the past failed. Better try to do your redundancy on L3. And when you still want to stretch your L2 domain, read at least this: https://blog.ipspace.net/2012/05/layer-2-network-is-single-failure.html

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
In response to KarstenI
Jimbo1
Here to help
‎Jan 16 2021 9:49 AM
‎Jan 16 2021 9:49 AM

Thanks for the comment KarstenI. I thought that might be the answer, because I couldn't get confirmation anywhere that my proposed solution would work.

 

So if I have three VLANs on the remote site, am I right in believing that client devices on all remote site VLANs can send send traffic to the VPN, the traffic will traverse the VPN tunnel running from the remote to the central MX (which will be running on a single physical link), and emerge from the central MX on the native VLAN, with source IP address remaining as it was when sent??

 

Have I got anywhere near the truth?

 

Thanks

 

Jim

0 Kudos
In response to Jimbo1
CptnCrnch
Kind of a big deal
Kind of a big deal
‎Jan 16 2021 9:57 AM
‎Jan 16 2021 9:57 AM

The subnets / IPs you‘re defining to be routed (https://documentation.meraki.com/MX/Site-to-site_VPN/Meraki_Auto_VPN#Auto_VPN_Configuration_Details „Choose which subnets (local networks) to export over VPN“) will be take part in your VPN and will arrive at the HQ completely unchanged, yes.

0 Kudos
In response to CptnCrnch
GreenMan
Meraki Employee
Meraki Employee
‎Jan 18 2021 5:12 AM
‎Jan 18 2021 5:12 AM

@CptnCrnch nailed it.   Remember too - if you need to be more granular about who can access what, across a VPN tunnel - down to devices within the VLANs at either end - you can also configure VPN firewall rules:   https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Settings#VPN_Firewall_Rules

These are configured separately from general inter-VLAN/Internet firewall rules.   Look under Security & SD-WAN > Configure > Site-to-site VPN

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.