OSPF and Tunnel for non-meraki VPN

Solved
joawifi
New here


Gentlemen, I need a little help or a push...
I've researched and researched, but I haven't been able to figure out how to make it work.
 
I currently have a connection between Site A and Site B.
 
It's a point-to-point connection on Gi0/0/0 (both sides); a subinterface Gi0/0/0.100 has been configured, and a DMVPN tunnel (tunnel 3) is configured on this subinterface, advertising the network of both sites via EIGRP.
 
The networks arrive and pass through the Firewall to then enter our network.
 
We are thinking about using Meraki's MX, and we are faced with the following situation:
1 - Meraki does not work with EIGRP
2 - Meraki does not work with DMVPN
 
Now, I need to think about how I will make Meraki, which will be added to site A, work with my router at site B. Has anyone experienced this? Could you share how it was done?
 

[attached image: joawifi_0-1726948161620.png]

Some newbie questions:
1 - MX only works with a public WAN link to talk to the cloud. Would this connection, which is currently made by the router, remain?
1.1 - Would this connection remain on the other Meraki WAN?
1.2 - Is it possible to configure OSPF at site A, close an IPsec tunnel (current configuration) with site B, and redistribute the routes?
1.3 - In the tunnel, would I configure a new Meraki subinterface? I read that Meraki does not work with tunnels.

1.4 - We have point-to-point communication between the sites, but I got so confused that I even got to VPN one-armed, which is confusing me. Worse still, at this point, I want to know how I can establish this communication between Meraki and a non-Meraki device without ending the current flow.

 

9 Replies
MartinLL
Building a reputation

Honestly, I don't think you should go for a Meraki MX if you plan on keeping your current design with minimal changes.

1 - The WAN interface just needs to communicate with the Meraki cloud. This can be done by assigning a public IP directly or a private IP through NAT. WAN to ISP, for example.

1.1 - Not sure what you are asking. The MX has 2 WAN interfaces. You can use both or either one.

1.2 - IPsec is OK, but there is no support for dynamic routing across third-party IPsec tunnels on the MX.

1.3 - MX does not support GRE tunnels on non-WAN interfaces. Just IPsec and Auto VPN across the WAN interface.

1.4 - One-armed concentrator is normally used as an SD-WAN hub. Unless you have more Meraki MX firewalls at remote sites, this is not what you are looking for.

MLL
joawifi
New here

Thanks @MartinLL

We will change our topology to Meraki, both at site A and site B; however, the equipment has only arrived at site A.

When it arrives at site B, we will have the complete SD-WAN; however, I need to know how to make communication between A and B work with the MX only at A.

Architecture >> ISP >> Firewall >> Switch | Router for communication between sites

With Meraki only at site A and without dynamic routing between tunnels, I do not know how I will maintain communication between the two units.

In this scenario, any guidance? Site A and site B need to connect.
MartinLL
Building a reputation

Not without more details.

Are you doing full-stack Meraki? Meaning AP, switch and MX in the end?

What is Meraki replacing? Only the site connectivity routers, or the firewalls as well?

Also, traffic flow. Do I understand correctly?

Site B client > firewall inside > firewall subinterface to VPN router > site A router > firewall subinterface to VPN router > site A inside?

MLL
joawifi
New here

Perfect! You understood the architecture perfectly.

I apologize; it was my mistake not to share more information.

We are updating our plant:
From ASA5500 to FTD
APs 2807 to APs CW9xx
Routers C890 to MX
Switches 2960 to C9300 and 2 MS120-8-HW

The links will continue to arrive at the firewall/FTD, and I will change EIGRP to OSPF; however, the issue is that the communication between the units goes through the DMVPN tunnel topology. With Meraki, I am not finding and/or understanding whether there is any solution to maintain connectivity between the sites until the equipment arrives at site B (I do not know if it has already been purchased).

At site A the equipment has already been delivered.
MartinLL
Building a reputation

I see. If you are dead set on swapping the VPN routers with MX, you need to be content with static routing during the migration phase.

Since it does not look like you will be using the MX as a firewall, I would deploy them in one-armed concentrator mode, build a VPN tunnel to site B and do static routing.

When gear arrives at site B, deploy the MX in the same mode and make it a VPN hub as well. The MX at site A and B will build Auto VPN between each other. Then you configure BGP and do eBGP between the MX firewalls and the FTD firewalls. That solves dynamic routing.

Edit: in case you cannot give internet access from your firewall, you can deploy the MX firewalls in routed mode, connect WAN to your ISP and create a link network VLAN interface on your MX and terminate it on your FTD, then run eBGP on your MX LAN interface instead towards your FTD.

MLL
joawifi
New here

It clarified and helped a lot.

I really appreciate your tips and time.

However, I still have some questions about the migration phase.

1 - Why should I use eBGP and not OSPF? Would eBGP with MX be more practical, or is there no difference if I were to use OSPF?
2 - About the connections between site A and B using "one-armed" (I'm studying the link below):
https://documentation.meraki.com/MX/Deployment_Guides/VPN_Concentrator_Deployment_Guide#VLAN_and_Sta...
2.1 - We currently use a tunnel with IP addresses from RFC 1918.
2.1.1 - With Meraki, should I have a public IP on both ends, closing the IPsec tunnel only with the WAN IP of router 890 (the ISP's IP that is configured on gi0/0/3 of the router), or should I have some other configuration?
I ask because I will have to undo the tunnels, apparently losing the configurations of the interfaces/subinterfaces that are directly connected.

I still have doubts about how the configuration will be on this trunk between site A and B, and how Meraki will have connectivity with the router.

Please excuse my ignorance, but I really needed some light on this connection.

MartinLL
Building a reputation

No problem.

This should answer your OSPF question. There are quite a lot of limitations, especially when it comes to route advertisement. BGP is more flexible.

MX OSPF

You can do Auto VPN across RFC 1918 space, but for that to work both the site A and B MX must exit to the internet on the same public IP. But for it to work, this interface MUST be connected to WAN.

If the ISP can provide internet access for your WAN interfaces on each site, I would do that. It just simplifies the setup.

If you want Meraki SD-WAN, you must terminate the VPN tunnels on the MX.

In all honesty, it does not sound like MX was the correct option for your router replacements. I think you should rework the design to fit the Meraki standard. It's hard to mold Meraki into something that it was not meant to do.

Another option is to wait with the MX until you get the site B gear. You can deploy everything else. Then, when you are ready, you can build your SD-WAN.

MLL
joawifi
New here

Yes! Thank you for the information and clarity in the details.

Yes! I will talk internally about when the MX for site B will arrive, because from what we discussed, it will simplify the configurations and architecture with BGP.

Both router B and router A have an internet address, but they are from different operators, so the addresses are also different. I believe that this will not matter. This IP address will be configured on the Meraki WAN interface for connection to the cloud, and then I will configure BGP on the firewall to redistribute the routes and connect between the sites.

I will think a little more about this topic, because it is not that simple and I did not draw it; I am following the project of another engineer who has already left the company.

Thank you very much!!!

PhilipDAth
Kind of a big deal

Personally, I would wait till you can do both sites at the same time. Much less complexity and risk.