Meraki

Community

Site 2 Site Connection, along side Hub connections.

mrpackethead_
Getting noticed
‎Apr 10 2025 6:06 PM
‎Apr 10 2025 6:06 PM

Site 2 Site Connection, along side Hub connections.

Hi..

I have a situation where I have ~200 networks connected back to 2 hubs..  It all works fine.     I have some edge case situations where i want to connect,   a few sites together directly, so the traffic does not flow via my hub...   ( it means i'm carrign the data twice as much as i need to ). 

Complicating the matter is that some of my network locations are connected on CGNAT connections. 


Is this possible?  Can i build a VPN Between them.


 

0 Kudos
7 Replies 7
RaphaelL
Kind of a big deal
Kind of a big deal
‎Apr 10 2025 6:11 PM
‎Apr 10 2025 6:11 PM

Yes you can. It's called meshing.https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-Site_VPN_Settings

0 Kudos
Mloraditch
Kind of a big deal
Kind of a big deal
‎Apr 10 2025 6:12 PM
‎Apr 10 2025 6:12 PM

I believe you could only do that by making them hubs as well. All your hubs would be meshed but your spokes need only use your primary hubs for connectivity.

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
In response to Mloraditch
mrpackethead_
Getting noticed
‎Apr 12 2025 12:42 AM
‎Apr 12 2025 12:42 AM

AN interesting idea, however I could end up in a situation where i have a lot of hubs, and that woudl then mean, some of the little devices. ( such as Z4's and MX68s ) would end up with a LOT of VPN tunnels.

With a coupel of sites, it woudl be ok,  but it woudl rapidlly get unworkable,  You'd have tunnels to hubs that you dont' need direct connections to. This is somethign that i probalby am keen to avoid.

What I was thinking about was not using the AutoVPN features at all, and setting up Manual VPn tunnels, using  IPsec ( non meraki peers, even though they are merakis ).

I'd also, in many of these cases, keen to keep these routes out of the autovpn.  These site to site networks could be things that are not the main 'corporate' network..  





0 Kudos
In response to mrpackethead_
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Apr 13 2025 1:44 PM
‎Apr 13 2025 1:44 PM

>and setting up Manual VPn tunnels, using  IPsec

 

You won't be able to do this since you are behind CGNAT.

0 Kudos
In response to PhilipDAth
mrpackethead_
Getting noticed
‎Apr 13 2025 5:39 PM
‎Apr 13 2025 5:39 PM

and not the only reason i can't set them up. 😞

I was wanting to avoid using the Auto-VPN features and try to use non Meraki Peers, in a way similar to the method in the link.   The difference for me, is that the MX appliances would have been in the same org.

The org recognizes that the route you try to use to, overlaps with a Network in the org. and 'computer says no.

I can set one end up as an addtional hub.     This does however start increasing the number of VPN tunnels that are running on the devices. In the case of MX68's ( which are the bulk of my networks ), the max number is 50.     

Is there a way to select which 'Hubs' a 'Hub' will connect to, rather than all of them? 


  ( Configuring Site-to-site VPN between MX Appliances in Different Organizations - Cisco Meraki Documen... )



0 Kudos
In response to mrpackethead_
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Apr 13 2025 5:57 PM
‎Apr 13 2025 5:57 PM

You can request Meraki support to disable hub to hub communication - but then the hubs wont be able to talk to each other without you arranging some other kind of backaul (like MPLS).

0 Kudos
In response to PhilipDAth
mrpackethead_
Getting noticed
‎Apr 13 2025 6:19 PM
‎Apr 13 2025 6:19 PM

can that be done on a per hub <---> hub basis or is it a global config for everything.   As it turns out, my 'head-end' hubs do already have connectivity between them. 

Its these small hubs for hooking two sites together directly that are the problem children.

 

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.