Meraki

Community

VPN Hubs connecting automatically

Solved
CH_Director
Conversationalist
‎Jul 31 2019 5:23 AM
‎Jul 31 2019 5:23 AM

VPN Hubs connecting automatically

Our organization is using MX firewalls in a mixed environment with ASA and others.  When we enable VPN to establish a non meraki peer tunnel the meraki devices connect to each other.  I am wondering if there is a way to disable this feature.  In speaking with support it was suggested to create organizations for each network, but this would make management much more difficult.  Does anyone know how to stop MX devices from automatically establishing vpn connectivity to one another?

0 Kudos
1 Accepted Solution
In response to Uberseehandel
GIdenJoe
Kind of a big deal
Kind of a big deal
‎Jul 31 2019 6:40 AM
‎Jul 31 2019 6:40 AM

I think it rather has to do with the fact that the Meraki MX is not the hub site but rather a spoke.  But in the VPN config you need to at least enable one MX as a hub and let every other MX connect to at least one hub.  So you're forced to have that extra VPN connection even though you don't have the intention of using it.

So it's rather an architectural issue because you can't really enable autoVPN unless support has a way to do this?

View solution in original post

10 Replies 10
Uberseehandel
Kind of a big deal
‎Jul 31 2019 6:02 AM
‎Jul 31 2019 6:02 AM

Is this not what you are looking for?

 

S2S VPN Off.jpg

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
0 Kudos
In response to Uberseehandel
BrechtSchamp
Kind of a big deal
‎Jul 31 2019 6:39 AM
‎Jul 31 2019 6:39 AM

@Uberseehandel wrote:

Is this not what you are looking for?

 

S2S VPN Off.jpg

What's the (disabled)? Is that just part of the name of the network?

0 Kudos
In response to BrechtSchamp
Uberseehandel
Kind of a big deal
‎Jul 31 2019 6:51 AM
‎Jul 31 2019 6:51 AM

(disabled)

 

definitely not part of the name

 

From the other end of the S2S link

 

S2S VPN Spoke.jpg

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
0 Kudos
In response to Uberseehandel
GIdenJoe
Kind of a big deal
Kind of a big deal
‎Jul 31 2019 6:40 AM
‎Jul 31 2019 6:40 AM

I think it rather has to do with the fact that the Meraki MX is not the hub site but rather a spoke.  But in the VPN config you need to at least enable one MX as a hub and let every other MX connect to at least one hub.  So you're forced to have that extra VPN connection even though you don't have the intention of using it.

So it's rather an architectural issue because you can't really enable autoVPN unless support has a way to do this?

In response to GIdenJoe
CH_Director
Conversationalist
‎Aug 1 2019 5:50 AM
‎Aug 1 2019 5:50 AM

Thanks Joe.  That is the way I have configured now.  I have one office which they actually benefit from connecting to as there is a domain controller  on prem so it is actually providing some additional AD replication.

 

Thanks for your help and taking the time to reply.

Kenneth
Getting noticed
‎Jul 31 2019 6:46 AM
‎Jul 31 2019 6:46 AM

The way to do this would be to go out to your edge MX´s and configure them as spokes, when you have selected spoke you scroll down the same page to Org.wide setting where you will find the NON-Meraki VPN peer. Here you can add the VPN hubs or concentrators needed. Since the MX have no Meraki VPN hub that promotes VLANS it should not connect to each other either.

0 Kudos
In response to Kenneth
BrechtSchamp
Kind of a big deal
‎Jul 31 2019 6:50 AM
‎Jul 31 2019 6:50 AM

@Kenneth wrote:

The way to do this would be to go out to your edge MX´s and configure them as spokes, when you have selected spoke you scroll down the same page to Org.wide setting where you will find the NON-Meraki VPN peer. Here you can add the VPN hubs or concentrators needed. Since the MX have no Meraki VPN hub that promotes VLANS it should not connect to each other either.

As @GIdenJoe correctly states, you're obliged to select at least one hub. So you can't set all as spoke.

0 Kudos
In response to Kenneth
GIdenJoe
Kind of a big deal
Kind of a big deal
‎Jul 31 2019 6:51 AM
‎Jul 31 2019 6:51 AM

@Kenneth , I haven't seen the possibility to do that.  When configuring as spoke you need to define a hub of it doesn't take the config.

0 Kudos
In response to GIdenJoe
CH_Director
Conversationalist
‎Aug 1 2019 5:47 AM
‎Aug 1 2019 5:47 AM

Thanks I realize that.  I was asking if there were a way to disable other than moving the network to another org which was tier 1's solution.

0 Kudos
In response to Kenneth
CH_Director
Conversationalist
‎Aug 1 2019 5:51 AM
‎Aug 1 2019 5:51 AM

Thanks,  I have it configured in this manner now.  I appreciate the help.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.