VPN Hubs connecting automatically

SOLVED
CH_Director
Conversationalist

Our organization is using MX firewalls in a mixed environment with ASA and others. When we enable VPN to establish a non-Meraki peer tunnel, the Meraki devices connect to each other. I am wondering if there is a way to disable this feature. In speaking with support it was suggested to create organizations for each network, but this would make management much more difficult. Does anyone know how to stop MX devices from automatically establishing VPN connectivity to one another?

1 ACCEPTED SOLUTION

I think it rather has to do with the fact that the Meraki MX is not the hub site but rather a spoke. But in the VPN config you need to enable at least one MX as a hub and let every other MX connect to at least one hub. So you're forced to have that extra VPN connection even though you don't have the intention of using it.

So it's rather an architectural issue, because you can't really enable AutoVPN otherwise, unless support has a way to do this?

10 REPLIES
Uberseehandel
Kind of a big deal

Is this not what you are looking for?

[Screenshot: S2S VPN Off.jpg]

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel


@Uberseehandel wrote:

Is this not what you are looking for?

[Screenshot: S2S VPN Off.jpg]


What's the (disabled)? Is that just part of the name of the network?

(disabled)

Definitely not part of the name.

From the other end of the S2S link:

[Screenshot: S2S VPN Spoke.jpg]

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel

I think it rather has to do with the fact that the Meraki MX is not the hub site but rather a spoke. But in the VPN config you need to enable at least one MX as a hub and let every other MX connect to at least one hub. So you're forced to have that extra VPN connection even though you don't have the intention of using it.

So it's rather an architectural issue, because you can't really enable AutoVPN otherwise, unless support has a way to do this?

Thanks Joe. That is the way I have it configured now. I have one office which actually benefits from connecting, as there is a domain controller on-prem, so it is actually providing some additional AD replication.

Thanks for your help and taking the time to reply.

Kenneth
Getting noticed

The way to do this would be to go out to your edge MXs and configure them as spokes. When you have selected spoke, you scroll down the same page to the Org-wide settings, where you will find the non-Meraki VPN peers. Here you can add the VPN hubs or concentrators needed. Since the MXs have no Meraki VPN hub that advertises VLANs, they should not connect to each other either.


@Kenneth wrote:

The way to do this would be to go out to your edge MXs and configure them as spokes. When you have selected spoke, you scroll down the same page to the Org-wide settings, where you will find the non-Meraki VPN peers. Here you can add the VPN hubs or concentrators needed. Since the MXs have no Meraki VPN hub that advertises VLANs, they should not connect to each other either.


As @GIdenJoe correctly states, you're obliged to select at least one hub. So you can't set all as spoke.
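The constraint being discussed (every spoke must name at least one hub, so a hub-to-spoke tunnel exists whether or not you want it) is easy to audit offline. The script below is an added example and not Meraki's code or the Dashboard API client; it operates on constructed dictionaries shaped like the per-network site-to-site VPN settings (mode, hubs[].hubId) and makes no network calls. The network IDs and the "intended" tunnel set are assumptions for the walkthrough; hub-to-hub meshing is deliberately not modelled.

```python
"""Audit an AutoVPN topology for tunnels that only exist because a spoke is
obliged to reference a hub.  Added example, not Meraki's own code; the data is
constructed to look like site-to-site VPN settings returned per network."""

# Constructed sample: one office configured as hub (it hosts a domain
# controller, so a tunnel to it is wanted), two branches that only need a
# non-Meraki ASA peer, and one network not participating in AutoVPN at all.
SAMPLE_NETWORKS = {
    "N_office":  {"mode": "hub",   "hubs": []},
    "N_branch1": {"mode": "spoke", "hubs": [{"hubId": "N_office", "useDefaultRoute": False}]},
    "N_branch2": {"mode": "spoke", "hubs": [{"hubId": "N_office", "useDefaultRoute": False}]},
    "N_lab":     {"mode": "none",  "hubs": []},
}

# Assumed intent: only branch1 should reach the office (AD replication).
INTENDED_TUNNELS = {("N_branch1", "N_office")}


def validate(networks):
    """Return configuration errors that Dashboard would reject or that make
    the topology inconsistent: a spoke without a hub, a spoke pointing at a
    network that is not a hub, or a non-spoke that lists hubs anyway."""
    errors = []
    for net_id, cfg in networks.items():
        mode = cfg.get("mode")
        hub_ids = [h["hubId"] for h in cfg.get("hubs", [])]
        if mode == "spoke":
            if not hub_ids:
                errors.append(f"{net_id}: spoke must reference at least one hub")
            for hub_id in hub_ids:
                if networks.get(hub_id, {}).get("mode") != "hub":
                    errors.append(f"{net_id}: hub {hub_id} is not configured as a hub")
        elif hub_ids:
            errors.append(f"{net_id}: mode '{mode}' should not list hubs")
    return errors


def autovpn_tunnels(networks):
    """Return the set of (spoke, hub) tunnels Dashboard will build from the
    configuration.  Each spoke gets one tunnel per hub it references."""
    tunnels = set()
    for net_id, cfg in networks.items():
        if cfg.get("mode") == "spoke":
            for hub in cfg.get("hubs", []):
                tunnels.add((net_id, hub["hubId"]))
    return tunnels


def unwanted_tunnels(networks, intended):
    """Tunnels that will exist only because of the at-least-one-hub rule,
    i.e. every built tunnel that is not in the administrator's intended set.
    Returned sorted so the report is stable."""
    return sorted(autovpn_tunnels(networks) - set(intended))


if __name__ == "__main__":
    for err in validate(SAMPLE_NETWORKS):
        print("ERROR:", err)
    for spoke, hub in unwanted_tunnels(SAMPLE_NETWORKS, INTENDED_TUNNELS):
        print(f"forced tunnel: {spoke} -> {hub}")
```

Run against real data, the same three functions would take the per-network settings pulled from the Dashboard and an intent list maintained alongside the change records; the report then shows exactly which AutoVPN tunnels exist beyond the ones the design calls for, which is the residual the original question was trying to eliminate.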

GIdenJoe
Kind of a big deal

@Kenneth, I haven't seen the possibility to do that. When configuring as spoke you need to define a hub, or it doesn't take the config.

Thanks, I realize that. I was asking if there were a way to disable it other than moving the network to another org, which was tier 1's solution.

Thanks, I have it configured in this manner now. I appreciate the help.
