Two Meraki MX hubs in existing WAN network

fsimon2
Comes here often

I have an existing WAN network which is routed using static routes. When we had 1 MX we used it to connect hub and spoke to several other MX devices in our depot network, allowing remote users access to our whole WAN. Then we decided to add a second MX in our Scottish office and split the depots between both MXs, the plan being to give ourselves some resiliency: in the case of one hub MX failure, we could switch over the depots to the other. We accept that the depot would need to change their IP settings to match the hub they were connecting to.

However, on configuring this, both hub MXs seem to learn each other's routes even when I switched off OSPF. I'm not enough of a routing expert to know what's going on, but I'm worried that my WAN traffic will be using the VPN and not our internal WAN.

How can I stop this from happening?

PhilipDAth
Kind of a big deal

First, it doesn't sound like you need AutoVPN turned on.  Do you have any site to site VPNs or anything like that?  If you turn it off it won't try and talk between the hubs.

If you need it turned on, do a ping between the MXs.  Is the WAN actually faster?  This might be a non-issue.

If you buy some AnyConnect licences (and I strongly recommend you do because it is much better than Microsoft VPN), you can define a backup server (MX) in case the primary is down.  Users don't need to do anything.  It'll just connect to the backup.

https://community.cisco.com/t5/vpn/anyconnect-profile-editor-server-list-and-backup-servers/td-p/415...

The other option with AnyConnect is to just have a drop down box with both VPNs and let the users choose.

https://ifm.net.nz/cookbooks/online-anyconnect-profile-editor.html

fsimon2
Comes here often

Sorry, I was not sufficiently clear. We only have site to site VPNs; we do not use host to site VPN, so no use for AnyConnect or Microsoft VPN client. Our WAN connects all of our 3 main office sites. Two of these offices have an MX250 which provides site to site VPN to about 10 depots each in a hub to spoke arrangement. None of the depots need to communicate with each other, just the WAN connected sites. The two Meraki MX250 hubs don't need to communicate with each other, but if they do I would prefer them to use the WAN rather than creating a VPN tunnel between themselves.

fsimon2
Comes here often

Just to be super clear. The Meraki kit is used in the two depot networks, not in the back end WAN. Each depot has an MX68 and some MR access points.
