Site to Site VPN DR Same Subnet

Adam
Kind of a big deal

We have an existing Meraki network with an MX84 and downstream switches, APs etc. We are looking to set up a DR site at a separate location. That site will also have an MX84, switch, AP. We are hoping that DR site can exist with the same subnet. We'll be performing regular backups to the site and if the servers ever had to be brought up we are hoping we wouldn't have to change their IPs. Do you guys have any advice on this scenario? Best practices etc...?

 

We are a full stack Meraki environment.  Each of the two sites would have their MX connected to an internet WAN interface.  

 

One caveat, our existing site uses Site to Site VPN to connect us to a partner company.  Is the MX capable of having Site to Site VPN tunnels (Hub) and Meraki Auto VPN (Spoke) at the same time?

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
PhilipDAth
Kind of a big deal

Are you linking the two sites with a layer 2 circuit (such as a layer 2 fibre from a provider, a QinQ circuit, etc)?  If you do then the answer becomes much simpler.

Adam
Kind of a big deal

Both sites will just have a standard internet connection. They are in different physical locations. No Layer 2 option. I tested this with some of my lab equipment and got this error so it doesn't look like two VPN sites can utilize the same subnet. Not a huge deal, I guess I'll just have to give the DR site a different subnet and come up with a plan for DNS changes during a disaster event.

 

There were errors in saving this configuration:

  • The VLAN subnet 10.0.16.0/20 connected to the VPN conflicts with a subnet that isn't connected to the VPN on the network Demo1 - appliance (10.0.16.0/20). Subnets connected to the VPN cannot overlap with any subnet on a VPN peer (even if the peer's subnet is not connected to the VPN).

 

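The overlap rule quoted in the dashboard error above can be checked against an addressing plan before anything is configured. This is an added example, not part of the original thread and not Meraki code; the function name, the "DR - appliance" network name and the 10.0.32.0/20 replacement subnet are constructed assumptions, and the check models only the rule as worded in the error message.

```python
import ipaddress
from itertools import permutations


def find_vpn_conflicts(networks):
    """Model of the rule in the error text: a subnet connected to the VPN
    may not overlap ANY subnet on a peer, whether or not the peer's subnet
    is itself connected to the VPN.

    networks: {network_name: [(cidr, in_vpn), ...]}
    Returns a sorted list of (network, vpn_subnet, peer, peer_subnet).
    """
    parsed = {
        name: [(ipaddress.ip_network(cidr), in_vpn) for cidr, in_vpn in subnets]
        for name, subnets in networks.items()
    }
    conflicts = []
    # Ordered pairs: each network is checked as the "VPN side" against each peer.
    for local, peer in permutations(parsed, 2):
        for local_net, in_vpn in parsed[local]:
            if not in_vpn:
                continue  # only VPN-connected subnets trigger the rule
            for peer_net, _ in parsed[peer]:
                if local_net.overlaps(peer_net):
                    conflicts.append((local, str(local_net), peer, str(peer_net)))
    return sorted(conflicts)


# Constructed plans. The first mirrors the error in the post: the same /20
# on both sites, with only the DR side connected to the VPN.
SAME_SUBNET_PLAN = {
    "Demo1 - appliance": [("10.0.16.0/20", False)],
    "DR - appliance": [("10.0.16.0/20", True)],
}
# A smaller DR subnet carved out of the production /20 still overlaps.
PARTIAL_OVERLAP_PLAN = {
    "Demo1 - appliance": [("10.0.16.0/20", True)],
    "DR - appliance": [("10.0.24.0/24", True)],
}
# DR renumbered to a distinct range (hypothetical subnet).
RENUMBERED_PLAN = {
    "Demo1 - appliance": [("10.0.16.0/20", True)],
    "DR - appliance": [("10.0.32.0/20", True)],
}

if __name__ == "__main__":
    for label, plan in [("same", SAME_SUBNET_PLAN),
                        ("partial", PARTIAL_OVERLAP_PLAN),
                        ("renumbered", RENUMBERED_PLAN)]:
        print(label, find_vpn_conflicts(plan))
```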
PhilipDAth
Kind of a big deal

To make this work then, the MX at the backup site has to connect via a stub network, and then you have to have a static route via that stub (which you can include in AutoVPN).

 

Let's say you have a layer 3 switch at the DR site (you have to have some kind of L3 device). You configure a stub of say 10.255.255.0/30 between the L3 switch and your MX. You configure the MX with a static route for 10.0.16.0/20 via this stub network. You then configure 10.0.16.0/20 on the L3 switch for the "main" network.

Adam
Kind of a big deal

@PhilipDAth

 

Interesting, I hadn't thought about the stub idea. Would that allow devices on the 10.0.16.0/20 subnet in the main network to communicate to devices in the 10.0.16.0/20 subnet at the backup site? I'm going to try testing this.

 

PhilipDAth
Kind of a big deal

No, you will not be able to build a L3 VPN to and from the same subnet.  It can only be a failover or backup destination for the VPN.

PhilipDAth
Kind of a big deal

You either need to buy a L2 circuit from a service provider, or use Cisco Enterprise kit and use a technology like L2TPv3.
