VPN Subnet Translation

Jamest201
Here to help


Hi, we currently have an MPLS with another 3rd party and I'm slowly moving away from it to Meraki SD-WAN.


The last piece of the puzzle is routing traffic to our dealer management system (DMS, we're a car dealer), which is the 3rd party network. We are going to take away all their routers on our sites aside from 2: one is to feed all this DMS traffic out, and all other sites will talk to this via the SD-WAN; the other we are looking to have as a failover. The 3rd party has said we can do this, but their 2 routers need to exist on the same subnet and need to be able to talk to one another, so I'm trying to implement VPN subnet translation.

I have created the same subnets at sites A and B. At site A I have included the required VLAN in the VPN with translation, but how do I set up site B?


It will not let me include it in the VPN at all. I think I have misunderstood how this works.


James

6 Replies
Seshu
Meraki Employee

Hello @Jamest201 


Since you have the same subnet declared on 2 sites, the VPN subnet translation has to be done on both sides of the VPN tunnel to be able to enable that VLAN over VPN. Please try that and let me know if you see any issues.


Regards,

Seshu

Meraki Team

Jamest201
Here to help

So I have translated it on site B, so both are in the VPN now; however, they cannot talk. Would I need to address them by their translated addresses? Where in the dashboard can I see the translated address?

Seshu
Meraki Employee

Hello James,


Each site should be trying to reach out to the other side's translated address. So, if you have translated 10.10.10.0/24 to 192.168.10.0/24, the last octet will remain the same for any client. For example, 10.10.10.200 will be 192.168.10.200. Please try this and let me know if you are still unable to get across on the VPN tunnel.


There may be a bigger routing issue at stake here. I am only recommending this so that the traffic on those VLANs can traverse the VPN tunnel.


Regards,

Seshu 

Meraki Team
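The address mapping Seshu describes above, as an added worked example that is not part of the thread or of any Meraki code: each site keeps its local 10.10.10.0/24 VLAN, and the MX advertises a translated subnet into the AutoVPN in which only the network bits change and the host bits are preserved. The site table and the translated ranges (192.168.10.0/24 for site A, 192.168.20.0/24 for site B) are constructed assumptions for illustration; the code shows the address a remote client must use, and checks that the local subnets overlap (so they cannot be put in the VPN untranslated) while the translated ones do not.

```python
import ipaddress

# Constructed example topology (an assumption, not taken from the thread):
# both sites carry the same local VLAN subnet, and each site translates it
# to a distinct subnet that is advertised over the AutoVPN.
SITES = {
    "A": {"local": "10.10.10.0/24", "translated": "192.168.10.0/24"},
    "B": {"local": "10.10.10.0/24", "translated": "192.168.20.0/24"},
}


def translate_host(host, local_subnet, translated_subnet):
    """Map a host in local_subnet onto translated_subnet.

    The network bits are swapped for those of the translated subnet and the
    host bits are kept, which is why 10.10.10.200 -> 192.168.10.200 for a /24.
    Works for any prefix length, as long as both subnets are the same size.
    """
    addr = ipaddress.ip_address(host)
    local = ipaddress.ip_network(local_subnet, strict=True)
    translated = ipaddress.ip_network(translated_subnet, strict=True)
    if local.prefixlen != translated.prefixlen:
        raise ValueError("local and translated subnets must be the same size")
    if addr not in local:
        raise ValueError(f"{addr} is not inside {local}")
    host_bits = int(addr) - int(local.network_address)
    return ipaddress.ip_address(int(translated.network_address) + host_bits)


def vpn_destination(sites, dst_site, dst_host):
    """Address a client at any other site must use to reach dst_host at dst_site.

    Remote sites never see the local 10.10.10.x address; they must target the
    destination site's translated address, as the reply above explains.
    """
    cfg = sites[dst_site]
    return str(translate_host(dst_host, cfg["local"], cfg["translated"]))


def overlapping_sites(sites, key):
    """Return sorted pairs of site names whose `key` subnets overlap.

    With key="local" this shows why the VLAN cannot be put in the VPN as-is;
    with key="translated" it verifies the chosen translations are disjoint.
    """
    nets = {name: ipaddress.ip_network(cfg[key]) for name, cfg in sites.items()}
    names = sorted(nets)
    return [
        (a, b)
        for i, a in enumerate(names)
        for b in names[i + 1:]
        if nets[a].overlaps(nets[b])
    ]


if __name__ == "__main__":
    # A client at site A reaching the DMS router at 10.10.10.200 in site B
    print("From site A, reach site B host 10.10.10.200 via",
          vpn_destination(SITES, "B", "10.10.10.200"))
    print("Local subnets that overlap:", overlapping_sites(SITES, "local"))
    print("Translated subnets that overlap:", overlapping_sites(SITES, "translated"))
```

Note that the mapping is one-way from the point of view of a remote client: a device at site A talks to 192.168.20.200 to reach the router at site B, and the MX at site B rewrites it back to 10.10.10.200 on its LAN. Anything that expects to see its peer on the same local subnet (the HSRP pairing mentioned later in the thread) will not work across such a translation, because the peer is only ever reachable at its translated address.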

Jamest201
Here to help

@Seshu Yes, that makes sense. I can ping using the translated IP address. That's not gonna work for HSRP on the 3rd party side then. Back to the drawing board, but thanks for clearing that up.

PhilipDAth
Kind of a big deal

I don't think you are going to work around this.


The DMS router provider's architecture does not support this. Their HA is only supported via a single site. I bet you will have grief trying to make it work in a way it is not designed for.


Let's try flipping it around. Ask them if you can put a "router" in their DC. If so, install your own Internet feed and an MX configured as a hub. You could even use a pair of them if you are keen.

As a bonus, this will probably work out cheaper than paying for the WAN and router.  As a double bonus, this will allow all your sites to talk directly to the DMS and be more redundant - and a supported architecture.

Jamest201
Here to help

@PhilipDAth I think you might be right. Putting a router in their DC isn't going to be an option, unfortunately.
