Standard Meraki hub and SIG connector hub interaction

Solved
Lukeli
Conversationalist


For some time now we’ve had a standard hub and spoke topology in my organization. Specifically, there were 2 hubs and around 150 spokes (they have both hubs enabled, but we don’t use the default route option as there is no need for it). All local subnets we want are advertised and routed via Meraki SD-WAN (Auto VPN). And before we proceed, let’s look at this under the assumption that we are enabling AutoVPN for all local VLANs/subnets on all locations.

Recently, there was a need to go a step further and introduce options like DNS filtering etc. We’ve implemented SIG (Secure Internet Gateway) hubs and they’re up and running in the Meraki dashboard.
Now comes the fun part: SIG connector hubs, unlike “standard” Meraki hubs, advertise a default route by default. This means that once a spoke chooses a SIG hub as a hub, all traffic (except management) will be routed via that SIG hub. And as the documentation says, we must NOT check the default route checkbox, otherwise there will be issues. And that’s fine.

Standard hubs and SIG connector hubs don’t have direct connectivity by default, which is also explained in the documentation. Hubs by default only mesh with hubs, and SIG hubs mesh with SIG hubs. So there’s something.
What we have a problem with is what happens when a standard hub selects a SIG hub as an exit hub.
We noticed that what happens now is that whatever VLAN/subnet traffic is sent from the standard hub over to the SIG hub does not come back. My question is, can this actually work? Or do we have to convert those two standard hubs to spokes as well, and just use SIG hubs from now on?


And then, for the VLANs/subnets for which we want DNS filtering, we enable AutoVPN so the traffic gets sent to the SIG hubs. For the others, which we don’t want DNS filtering for, we don’t enable AutoVPN. Plus, we can use VPN Exclusion to just not send some traffic over to the SIG hubs. Am I right, or am I missing something here?

Hope I made myself clear on this subject. Any help would be appreciated.

Cheers,

Milos

1 Accepted Solution
Ryan_Miles
Meraki Employee

If I'm not mistaken the hubs would need to be configured as spokes. The doc mentions it in step 5.

SIG hubs prevent hub to hub tunnels so I'm pretty sure a regular hub will not form a tunnel with a SIG hub. If someone knows differently feel free to correct me.

Lukeli
Conversationalist

Well, that settles it then, once we go down that path, SIG hubs will be the only hubs in the network. Let's wait a few more days to see if somebody else has something more to add, then I'll close the topic. Thanks👍
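As an added example (not code from the thread, from Meraki, or from the posters), the following Python audit checks exported site-to-site VPN settings for the three points settled above: standard hubs that would have to become spokes before they can use SIG hubs, the default route checkbox that must stay unchecked for a SIG hub, and subnets deliberately kept off AutoVPN so they never reach the SIG hub. It assumes a per-network dict in the shape of the dashboard API’s site-to-site VPN settings (mode, hubs with hubId/useDefaultRoute, subnets with localSubnet/useVpn); the network IDs and settings in the block are constructed for illustration.

```python
"""Offline readiness audit for a SIG connector hub rollout (added example).
Dict shape mirrors the dashboard API site-to-site VPN settings; IDs and
values below are constructed, not taken from a real organization."""
from typing import Dict, Iterable, List, Tuple

# Assumed: dashboard network IDs of the SIG connector hubs (placeholders).
SIG_HUBS = {"N_sig_eu", "N_sig_us"}

# Constructed sample: one standard hub, one spoke with the checkbox mistake,
# one spoke configured the way the thread recommends.
SAMPLE_SETTINGS: Dict[str, dict] = {
    "N_hub_dc1": {"mode": "hub", "hubs": [],
                  "subnets": [{"localSubnet": "10.0.10.0/24", "useVpn": True}]},
    "N_spoke_a": {"mode": "spoke",
                  "hubs": [{"hubId": "N_sig_eu", "useDefaultRoute": True}],
                  "subnets": [{"localSubnet": "10.1.10.0/24", "useVpn": True}]},
    "N_spoke_b": {"mode": "spoke",
                  "hubs": [{"hubId": "N_sig_eu", "useDefaultRoute": False},
                           {"hubId": "N_sig_us", "useDefaultRoute": False}],
                  "subnets": [{"localSubnet": "10.2.10.0/24", "useVpn": True},
                              {"localSubnet": "10.2.99.0/24", "useVpn": False}]},
}

Finding = Tuple[str, str, str]  # (network id, finding code, detail)


def audit_sig_readiness(settings: Dict[str, dict], sig_hubs: Iterable[str]) -> List[Finding]:
    """Flag settings that conflict with the SIG hub behaviour described in the thread."""
    sig = set(sig_hubs)
    findings: List[Finding] = []
    for net_id, cfg in settings.items():
        mode = cfg.get("mode")
        if mode == "hub":
            # Standard hubs do not form tunnels to SIG hubs (accepted answer),
            # so a hub that must reach SIG has to be converted to a spoke.
            findings.append((net_id, "HUB_MODE", "convert to spoke before pointing at SIG hubs"))
            continue
        if mode != "spoke":
            continue
        sig_refs = [h for h in cfg.get("hubs", []) if h.get("hubId") in sig]
        if not sig_refs:
            findings.append((net_id, "NO_SIG_HUB", "spoke selects no SIG hub, traffic stays unfiltered"))
        for hub in sig_refs:
            # SIG hubs already advertise the default route; the checkbox must stay off.
            if hub.get("useDefaultRoute"):
                findings.append((net_id, "DEFAULT_ROUTE_ON_SIG", f"uncheck default route for {hub['hubId']}"))
        # Subnets left off AutoVPN never reach the SIG hub (intended for VLANs without DNS filtering).
        off_vpn = [s["localSubnet"] for s in cfg.get("subnets", []) if not s.get("useVpn")]
        if off_vpn:
            findings.append((net_id, "SUBNET_OFF_VPN", "bypasses SIG: " + ", ".join(off_vpn)))
    return findings
```

Run it against the real settings by fetching each network’s site-to-site VPN configuration into the same dict shape, then review the HUB_MODE and DEFAULT_ROUTE_ON_SIG findings before enabling the SIG hubs.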

Gary_Geihsler1
Meraki Employee

There is a better solution for you: Secure Connect. This is the evolution of Meraki and cloud security together. Secure Connect allows easier and more flexible ways to deploy MX sites to have their traffic inspected. Onboarding a spoke to Secure Connect does inject a default route to the spoke MX. We can also deploy MX hubs to Secure Connect, which does not inject the default route. We can mimic the default route by using the Secure Connect hubs as exit hubs. There are flexible options for how MX spokes communicate with MX hubs. Check out the Meraki Secure Connect documentation and the hub integrations here. In most cases we can move customers from Umbrella SIG to Secure Connect while retaining the same Umbrella org.
