Re: Route through Azure (transit) with AutoVPN on the side.

thomasthomsen

Hi all

Behind the perhaps cryptic subject, is the following.

I have a customer that would like to use Azure as transit between two branches.

He has a 3rd party IPsec config in each MX to the Azure DC that is closest to the branch in the world.

And between the Azure DC's there is better / more / stable bandwidth then across the internet between branches.

He has already setup AutoVPN in his network, and of course these two branches exchange routes over AutoVPN .

These routes are /24 for the specific VLANs on the branch.

To Azure (on each end) he has a summarized route for the branch pointing to Azure (like a /16).

Of course this will never work, because the /24 is a closer match, then the /16.

What would be the best way to attack this problem ?

The rest of the branches would still need AutoVPN.

One of these branches is a stub. Could you just disable that the VLANs are part of the AutoVPN (on that end) and then it would work ?

And Im thinking that the real solution would be a vMX of course, but how does that work across multiple Azure DC's ?

Should I have one vMX pr DC ? - because then it starts to become a bit more expensive I think (without me knowing the price of a vMX).

Does anyone has any thoughts on this ?

Thanks
Thomas

PhilipDAth

You would need a VMX (note there is a lower cost VMX-s "small") in each Azure DC where you wanted to terminate AutoVPN connections to use Azure transit.

HOWEVER, you still have the issue where the /24 will be preferred by AutoVPN.

I'm thinking to solve this you will need to expand the subnet used by each of those branches. An example would be a /23. Just don't use the second half of the /23.

Going back to your original approach, you could then use the non-Meraki VPN configured for the original /24. The /24 over the non-Meraki VPN should then take precedence over the /23 advertised over AutoVPN.

Not tested.

Bruce

Why not just try and define the same /24 as a static towards Azure, that you have over the AutoVPN? Static routes take priority, so it may just work. This document has the route precedence, and just underneath describes something similar, https://documentation.meraki.com/MX/Networks_and_Routing/MX_Routing_Behavior.

You’ll need to test it, as this might be one of those things that should work, but doesn’t.

PhilipDAth

You can't create a static route over a non-Meraki VPN.

thomasthomsen

But lets say I modified the Azure part, if I then had the same /24 network to the Azure (3rd party) IPsec as is advertised by the AutoVPN end, then there would be two /24 with the same subnet, but here im guessing that the AutoVPN route would have a better metric then the Azure (3rd party) one ?

So it basically would not work, unless I put a vMX in Azure ?

But lets say I put 3 in vMX, one in each Azure DC, could they then have the static route between each other ?

Im guessing that would be possible right. - So if each Azure vMX is the Hub, and I have meraki support filter out routes from AutoVPN ?

thomasthomsen

I just realized that what we need are a kind of AutoVPN group configuration. - So only hubs and stubs in a Group will exchange information. And they will not exchange information with hubs and stubs in another group. - Make it so 🙂