Site-to-site VPN Translation

SOLVED
JamesMutie

Hello Community,

 

I am designing a Meraki solution for several countries which will be under one organization. Each of these countries will have several MXs and Zs which will form AutoVPN with hubs in routed mode located in each country. I am anticipating a same-subnet problem inter-country for both production networks and spokes, though inter-country communication is not required. I am aware Meraki hubs in the same organization will peer automatically. In regard to this I have the questions below.

 

1. Assume I am not doing Site-to-site VPN Translation. How will the traffic flow look for traffic in country A from production Hub A going to Spoke A (192.168.31.0/24), which is clashing with the country B Spoke B (192.168.31.0/24) network (being advertised to Hub A by Hub B)? Does Meraki have metrics for AutoVPN routes to make the longer path through an extra hop (Hub B) less preferred?

 

2. Is it possible for Meraki support to disable hub-to-hub auto peering within the same organization?

 

3. Can site-to-site firewall rules be used to block AutoVPN traffic to and from the other countries?

1 ACCEPTED SOLUTION
PhilipDAth

I think this might be heading towards a lot of complexity and special configs.

 

I would put each country into its own separate org.  Then there is no special config, no customisations, and everything is simple.

 

It will be almost exactly the same to administer, except you will also have an "org" drop-down box, similar to the network drop-down box.

 


4 REPLIES
ww

1) Meraki does not allow the same subnets "in VPN" on spokes in one organization.

2) yes

3) Only based on VPN IP subnets.

JamesMutie

@ww 1) Meraki does not allow the same subnets "in VPN" on spokes in one organization.

 

This means that when I try to enable VPN mode at the spoke it will automatically refuse, because it sees the spoke is learning the same subnet from the hub?

 

 

What if I make the route more specific than the advertised route? If this works, will I then be black-holing the traffic for that spoke, since I have a more specific route?
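Added example (not from the original thread, and not Meraki code): a pre-deployment check for the overlap described in the question, run over a constructed per-network list of "Use VPN" subnets. The data shape and field names (`local`, `in_vpn`, `translated`) are illustrative and are not the Meraki Dashboard API schema; `translated` stands in for a Site-to-site VPN Translation subnet so the same check shows what translation changes. It flags both exact clashes (Spoke A vs Spoke B) and the "more specific route" case asked about above, where one advertised prefix sits inside another.

```python
import copy
import ipaddress
from itertools import combinations

# Constructed sample data for this example (not a Meraki API response).
# One entry per Dashboard network; "subnets" mirrors the per-VLAN "Use VPN"
# choice on the Site-to-site VPN page. Field names are illustrative: "in_vpn"
# stands for the Yes/No toggle and "translated" for an optional
# Site-to-site VPN Translation subnet.
SAMPLE_NETWORKS = [
    {"name": "Hub A", "mode": "hub",
     "subnets": [{"local": "10.1.0.0/16", "in_vpn": True}]},
    {"name": "Spoke A", "mode": "spoke",
     "subnets": [{"local": "192.168.31.0/24", "in_vpn": True}]},
    {"name": "Hub B", "mode": "hub",
     "subnets": [{"local": "10.2.0.0/16", "in_vpn": True}]},
    {"name": "Spoke B", "mode": "spoke",
     "subnets": [{"local": "192.168.31.0/24", "in_vpn": True}]},
    {"name": "Spoke C", "mode": "spoke",
     "subnets": [{"local": "192.168.31.128/25", "in_vpn": True},
                 # not in VPN: may overlap anything without consequence
                 {"local": "172.16.5.0/24", "in_vpn": False}]},
]


def advertised_subnets(network):
    """(network name, prefix) for every subnet this network puts into AutoVPN.
    A translated subnet, if present, is what the other peers actually see."""
    result = []
    for s in network["subnets"]:
        if not s["in_vpn"]:
            continue
        prefix = ipaddress.ip_network(s.get("translated") or s["local"], strict=False)
        result.append((network["name"], prefix))
    return result


def find_overlaps(networks):
    """Pairwise overlap check across the whole org's VPN-advertised subnets.
    Returns (net_a, prefix_a, net_b, prefix_b, kind) tuples; kind is
    'identical' for an exact clash or 'more-specific' when one prefix sits
    inside the other."""
    advertised = [entry for n in networks for entry in advertised_subnets(n)]
    conflicts = []
    for (name_a, a), (name_b, b) in combinations(advertised, 2):
        if name_a == name_b:
            continue  # overlaps inside one network are a local VLAN problem
        if a == b:
            conflicts.append((name_a, str(a), name_b, str(b), "identical"))
        elif a.overlaps(b):
            conflicts.append((name_a, str(a), name_b, str(b), "more-specific"))
    return conflicts


def with_translation(networks, translations):
    """Return a deep copy of networks with translations applied.
    translations maps (network name, local subnet) -> translated subnet."""
    networks = copy.deepcopy(networks)
    for n in networks:
        for s in n["subnets"]:
            key = (n["name"], s["local"])
            if key in translations:
                s["translated"] = translations[key]
    return networks


if __name__ == "__main__":
    print("Before translation:")
    for c in find_overlaps(SAMPLE_NETWORKS):
        print("  ", c)
    # Translate only Spoke B; Spoke C's /25 still sits inside Spoke A's /24.
    fixed = with_translation(
        SAMPLE_NETWORKS, {("Spoke B", "192.168.31.0/24"): "192.168.131.0/24"})
    print("After translating Spoke B:")
    for c in find_overlaps(fixed):
        print("  ", c)
```

The point of the second pass is that translation only removes the clashes you actually translate: Spoke B stops colliding with Spoke A, but Spoke C's more-specific /25 still overlaps Spoke A's /24 and would still need its own translation or a renumbering.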

jbright

Meraki does support Site-to-site VPN Translation, but only with AutoVPN.

Please reference this document:

 

https://documentation.meraki.com/MX/Site-to-site_VPN/Using_Site-to-site_VPN_Translation

 

You have to request Meraki support to turn this feature on.

 

 
