Meraki

Community

Underlying routing for one-amred VPN conentrator

Kamome
Building a reputation
‎Feb 13 2018 6:14 PM
‎Feb 13 2018 6:14 PM

Underlying routing for one-amred VPN conentrator

I'm planning to build S2S VPN Network with one-armed VPN concentrator configuration.

Simplified network topology is like below:

topology.png

In this case, I'm assuming routing config for Dist. L3 is like this:

 

   - Each site : Static to Meraki center MX

   - Default : Core L3 -> eventually goes to Internet via DC edge firewall

 

But on the other hand, I think that if routing is like above, traffic goes from DC to site loops between center VPN and dist. L3.

 

   Dist L3 : It headed to Site network. Forward it to Center VPN.

   Center VPN : Hmm, this one goes to Site network. So, I'll give it to my next hop -Dist L3- to forward it to site.

   Dist L3 : Huh, this one goes to Site network. Give it to Center VPN. (Did I saw this packet before? Kinda familiar...)

   And goes on and on....

 

Am I thinking wrong? If it's wrong, can I get some advice for underlying routing config for one-armed VPN concentrator configuration?

 

0 Kudos
2 Replies 2
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Feb 13 2018 8:27 PM
‎Feb 13 2018 8:27 PM

I assume these will be Meraki AutoVPN connections (Meraki to Meraki).  And yes, that will work fine.

 

This is the deployment guide:

https://documentation.meraki.com/MX-Z/Deployment_Guides/VPN_Concentrator_Deployment_Guide

0 Kudos
In response to PhilipDAth
MilesMeraki
Head in the Cloud
‎Feb 14 2018 1:18 AM
‎Feb 14 2018 1:18 AM

It'll work fine. The Distribution switch will forward "branch site" traffic back to the one-arm MX. The one-arm MX will see that the "Branch site" is reachable via auto-VPN and route to the site over the VPN connection.

 

If you want to save time from having to configure static routes on your distribution switch and if it supports OSPF, just use a linknet with OSPF running over it.

 

Any reason you're using a full tunnel approach via a hub-spoke architecture? Why not just let Internet traffic break out directly from the branch sites?

Eliot F | Simplifying IT with Cloud Solutions
Found this helpful? Give me some Kudos! (click on the little up-arrow below)
0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.