Site to Site VPN DR Same Subnet
We have an existing Meraki network with an MX84 and downstream switches, APs etc. We are looking to set up a DR site at a separate location. That site will also have an MX84, switch, AP. We are hoping that DR site can exist with the same subnet. We'll be performing regular backups to the site and if the servers ever had to be brought up we are hoping we wouldn't have to change their IPs. Do you guys have any advice on this scenario? Best practices etc...?
We are a full stack Meraki environment. Each of the two sites would have their MX connected to an internet WAN interface.
One caveat, our existing site uses Site to Site VPN to connect us to a partner company. Is the MX capable of having Site to Site VPN tunnels (Hub) and Meraki Auto VPN (Spoke) at the same time?
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
Are you linking the two sites with a layer 2 circuit (such as a layer 2 fibre from a provider, a QinQ circuit, etc)? If you do then the answer becomes much simpler.
Both sites will just have a standard internet connection. They are in different physical locations. No Layer 2 option. I tested this with some of my lab equipment and got this error, so it doesn't look like two VPN sites can utilize the same subnet. Not a huge deal, I guess I'll just have to give the DR site a different subnet and come up with a plan for DNS changes during a disaster event.
There were errors in saving this configuration:
- The VLAN subnet 10.0.16.0/20 connected to the VPN conflicts with a subnet that isn't connected to the VPN on the network Demo1 - appliance (10.0.16.0/20). Subnets connected to the VPN cannot overlap with any subnet on a VPN peer (even if the peer's subnet is not connected to the VPN).
To make this work then, the MX at the backup site has to connect via a stub network, and then you have to have a static route via that stub (which you can include in AutoVPN).
Let's say you have a layer 3 switch at the DR site (you have to have some kind of L3 device). You configure a stub of say 10.255.255.0/30 between the L3 switch and your MX. You configure the MX with a static route for 10.0.16.0/20 via this stub network. You then configure 10.0.16.0/20 on the L3 switch for the "main" network.
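The following is an added example, not code from the thread or from Meraki: it models the overlap rule quoted in the dashboard error above ("Subnets connected to the VPN cannot overlap with any subnet on a VPN peer, even if the peer's subnet is not connected to the VPN") and runs the original same-subnet design, a different-subnet DR, a partially overlapping DR subnet, and the stub-network design from the previous reply through it. Network names (HQ, DR), the DR subnets other than 10.0.16.0/20 and 10.255.255.0/30, and the assumption that a static route is checked the same way as a VLAN subnet are all mine; the dashboard's actual validation may differ.

```python
"""Model the Meraki AutoVPN subnet-overlap rule quoted in the thread.

Added example, not Meraki code.  Assumptions: every MxNetwork in a list is
an AutoVPN peer of every other, and static routes are treated like VLAN
subnets by the check (the error text says "any subnet on a VPN peer").
"""
from dataclasses import dataclass
from ipaddress import IPv4Network


@dataclass
class Subnet:
    cidr: str
    in_vpn: bool            # "connected to the VPN" in dashboard terms
    kind: str = "vlan"      # "vlan" or "static" (static route on the MX)


@dataclass
class MxNetwork:
    name: str
    subnets: list


def vpn_conflicts(networks):
    """Return (network, subnet, peer, peer_subnet) for every violation of:
    a VPN-connected subnet may not overlap ANY subnet on a VPN peer,
    whether or not the peer's subnet is itself in the VPN."""
    conflicts = []
    for net in networks:
        for s in net.subnets:
            if not s.in_vpn:
                continue                     # only VPN-connected subnets are checked
            local = IPv4Network(s.cidr)
            for peer in networks:
                if peer is net:
                    continue
                for p in peer.subnets:       # peer side: in_vpn is irrelevant
                    if local.overlaps(IPv4Network(p.cidr)):
                        conflicts.append((net.name, s.cidr, peer.name, p.cidr))
    return conflicts


def format_conflict(c):
    """Render a conflict roughly the way the dashboard phrases it."""
    net, cidr, peer, pcidr = c
    return (f"The VLAN subnet {cidr} connected to the VPN on {net} conflicts "
            f"with subnet {pcidr} on the network {peer}")


HQ = MxNetwork("HQ", [Subnet("10.0.16.0/20", in_vpn=True)])


def scenario_same_subnet():
    """Original design: DR reuses 10.0.16.0/20 as a VPN-connected VLAN."""
    dr = MxNetwork("DR", [Subnet("10.0.16.0/20", in_vpn=True)])
    return vpn_conflicts([HQ, dr])            # flagged from both sides


def scenario_different_subnet():
    """Fallback from the thread: DR gets its own /20 (10.0.32.0/20 is made up)."""
    dr = MxNetwork("DR", [Subnet("10.0.32.0/20", in_vpn=True)])
    return vpn_conflicts([HQ, dr])            # clean


def scenario_partial_overlap():
    """Overlap, not equality, is what is checked: a /24 inside HQ's /20 fails."""
    dr = MxNetwork("DR", [Subnet("10.0.20.0/24", in_vpn=True)])
    return vpn_conflicts([HQ, dr])


def scenario_stub():
    """Stub design: DR MX has only 10.255.255.0/30 as a VLAN and reaches
    10.0.16.0/20 via a static route toward the L3 switch (route kept OUT of
    the VPN).  Under the literal rule, HQ's VPN subnet still overlaps the
    peer's static route, so the DR copy can only be a backup, never a
    simultaneous L3 VPN endpoint for the same subnet."""
    dr = MxNetwork("DR", [
        Subnet("10.255.255.0/30", in_vpn=True),
        Subnet("10.0.16.0/20", in_vpn=False, kind="static"),
    ])
    return vpn_conflicts([HQ, dr])


if __name__ == "__main__":
    for name, fn in [("same subnet", scenario_same_subnet),
                     ("different subnet", scenario_different_subnet),
                     ("partial overlap", scenario_partial_overlap),
                     ("stub network", scenario_stub)]:
        found = fn()
        print(f"{name}: {'OK' if not found else str(len(found)) + ' conflict(s)'}")
        for c in found:
            print("  -", format_conflict(c))
```

The stub scenario is the useful one: even with the route left out of the VPN, the rule as the dashboard states it still flags HQ's VPN-connected 10.0.16.0/20 against the DR copy, which matches the later reply that the same subnet can only be a failover destination, not a second live L3 VPN endpoint. Whether the real dashboard applies the check to static routes exactly as modelled here is an assumption worth verifying in a lab network before committing to the design.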
Interesting, I hadn't thought about the stub idea. Would that allow devices on the 10.0.16.0/20 subnet in the main network to communicate with devices in the 10.0.16.0/20 subnet at the backup site? I'm going to try testing this.
No, you will not be able to build a L3 VPN to and from the same subnet. It can only be a failover or backup destination for the VPN.
You either need to buy a L2 circuit from a service provider, or use Cisco Enterprise kit and use a technology like L2TPv3.