Two default routes ?

Xavier_o
Comes here often

Can I have 2 (or more) default routes on an MX appliance to two (or more) non-Meraki IPsec tunnels?

ww
Kind of a big deal

Never used it myself. But the config accepts it. So I would say yes.

Aaron_Wilson
A model citizen

2 default routes where? Advertised from hubs over AutoVPN?

PhilipDAth
Kind of a big deal

Check out this article about non-Meraki VPN failover.

https://documentation.meraki.com/MX/Site-to-site_VPN/Tag-Based_IPsec_VPN_Failover 

Thanks, Philip, that's really interesting, but this is not exactly what I need, if I am correct.

If I have 4 local subnets, I need to send all the traffic (default route) to branch ONE with a failover IP (in case the main IPsec tunnel goes down), and at the same time those 4 subnets need to access a couple of servers on branch TWO (over a 3rd IPsec tunnel).

So I would have 2 default routes to branch ONE with different priorities (for failover) and a 3rd route just to access an IP range on branch TWO. 3 tunnels and 3 static routes.

Only our office has an MX appliance, so these would be non-Meraki VPN tunnels.

It cannot be done, from what I was reading?

Thanks.

Bruce
Kind of a big deal

I don’t believe you are going to be able to easily manipulate the default route the way that you want. You need to be aware of this:

  • Note that if an MX-Z device is configured with a default route (0.0.0.0/0) to a Non-Meraki VPN peer, traffic will not fail over to the WAN, even if the connection goes down.

Which comes from this document, https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-Site_VPN_Settings, under non-Meraki VPN peers. You may be able to achieve something with the API and scripting as per the link Philip posted, but I believe that will be the closest you can get.

Xavier_o
Comes here often

Thanks Bruce,

Note that if an MX-Z device is configured with a default route (0.0.0.0/0) to a Non-Meraki VPN peer, traffic will not fail over to the WAN, even if the connection goes down.

My intention was that it would fail over to another IPsec tunnel if the primary is down.

But I realise that this won't work anyway, as before worrying about a 2nd default route I can't even get some traffic over a 2nd IPsec tunnel. Seems like I can have only 1 non-Meraki IPsec tunnel working...

I cannot have the next hop as a VPN tunnel interface...

Bruce
Kind of a big deal

Routes over non-Meraki VPNs are built through the configuration of the VPN (the remote subnets), and you can't configure static routes with a VPN as the next hop. And you can't have two remote subnets that are the same, which makes it difficult to have a backup and a spare IPsec tunnel (although you may be able to achieve this if you can arrange your IP address scheme so you can have a /23 and a /24 that overlap; haven't tried it myself).

So you can have multiple non-Meraki VPN peers, they just need to be to different IP subnets.
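The thread turns on two routing ideas: equal default routes with different priorities (what Xavier wants) and Bruce's overlapping /23 and /24 remote subnets, where longest-prefix matching prefers the /24 peer while it is up and the /23 peer covers the same hosts otherwise. The Python model below is an added example written for this page; it is not Meraki code and does not describe how the MX actually programs non-Meraki VPN routes (per the documentation Bruce quotes, a 0.0.0.0/0 route to a non-Meraki peer does not fail over to the WAN, and the model simply returns None when no candidate peer is up). Peer names, subnets and addresses are constructed for illustration.

```python
"""Longest-prefix-match model of the three-tunnel design discussed in this thread.

Added illustration, not Meraki code: a generic route lookup that picks the most
specific matching prefix, breaks ties by priority, and ignores peers that are down.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network  # remote subnet configured on the peer
    peer: str                      # hypothetical IPsec peer name (assumption)
    priority: int                  # lower wins among routes of equal prefix length


# Constructed sample table; peer names and subnets are assumptions for illustration.
ROUTES = (
    Route(ipaddress.ip_network("0.0.0.0/0"), "branch-one-primary", 10),    # default via main tunnel
    Route(ipaddress.ip_network("0.0.0.0/0"), "branch-one-backup", 20),     # default via failover tunnel
    Route(ipaddress.ip_network("192.168.20.0/24"), "branch-two", 10),      # servers at branch TWO
    # Bruce's overlapping-prefix idea: a /24 on one peer inside a /23 on another.
    Route(ipaddress.ip_network("10.50.1.0/24"), "branch-three-primary", 10),
    Route(ipaddress.ip_network("10.50.0.0/23"), "branch-three-backup", 10),
)
ALL_PEERS = frozenset(r.peer for r in ROUTES)


def lookup(dst, peers_up=ALL_PEERS, routes=ROUTES):
    """Return the peer that would carry traffic to dst, or None if no route is usable.

    Selection order: longest prefix first, then lowest priority value. Routes whose
    peer is not in peers_up are skipped, which is how this model represents a tunnel
    that has gone down.
    """
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r.prefix and r.peer in peers_up]
    if not candidates:
        return None
    best = min(candidates, key=lambda r: (-r.prefix.prefixlen, r.priority))
    return best.peer


def failover_chain(dst, outage_order, routes=ROUTES):
    """Take peers down one at a time in outage_order; record where dst goes at each step."""
    up = set(ALL_PEERS)
    chain = [lookup(dst, up, routes)]
    for peer in outage_order:
        up.discard(peer)
        chain.append(lookup(dst, up, routes))
    return chain


if __name__ == "__main__":
    # Internet-bound traffic: primary default, then backup default, then nothing.
    print(failover_chain("8.8.8.8", ["branch-one-primary", "branch-one-backup"]))
    # Branch TWO server: the /24 wins over both default routes.
    print(lookup("192.168.20.7"))
    # Overlapping prefixes: /24 peer while up, /23 peer once it is down.
    print(failover_chain("10.50.1.9", ["branch-three-primary"]))
    # A host covered only by the /23 goes to the backup peer even with everything up.
    print(lookup("10.50.0.9"))
```

The point of the model is the tie-break order: prefix length is compared before priority, so the /23 peer never carries hosts inside the /24 while the /24 peer is up, and the second 0.0.0.0/0 only matters once the first is gone. Whether an MX withdraws a non-Meraki peer's routes when its tunnel drops is exactly the behaviour the quoted documentation says you cannot rely on.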
