Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

VPN setting with non-meraki VPN hub and all MX spokes

play_trumpet
Comes here often
‎Jan 5 2020 10:56 PM
‎Jan 5 2020 10:56 PM

VPN setting with non-meraki VPN hub and all MX spokes

Hi all,

 

I'm considering VPN configuration with following topology.

 

Branch1(spoke/MX)------+     (    )

Branch2(spoke/MX)------+  (         )  + DC1(Hub/ASA)

Branch3(spoke/MX)------+ (Internet)

Branch4(spoke/MX)------+  (          ) + DC2(Hub/ASA)

Branch5(spoke/MX)------+     (    )

.....

 

MXes on Branches only need to establish S2S VPN connection to DC1 and DC2.

i.e. No VPN connections between branches are required.

 

Now I've tried to configure non-meraki VPN peers while disabling auto-VPN feature by setting VPN Type to "Off". But non-meraki VPN setting menu appears only when I set the Type to "Hub(mesh)"...

 

* GUI Example1: When the type is set to "Off"...

off.png

 

* GUI Example2" When the type is set to "Hub"...

Hub.png

 

Is it expected result? 

Could anyone tell me how to configure S2S VPN sessions like the topology?

0 Kudos
Subscribe
3 Replies 3
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jan 5 2020 11:39 PM
‎Jan 5 2020 11:39 PM

This is the expected behaviour.  Actually only one has to be in hub mode and the others in spoke mode however this will result in the branches having a VPN built between themsleves.

 

This is also a really hard way of doing this.  If you have less than 50 branches you could put a low cost MX64 or MX67 into each DC in one arm VPN concentrator mode, and use AutoVPN instead to solve this.  It would be a lot less work, and you would gain the benefits of SD-WAN, monitoring and visibility.

 

https://documentation.meraki.com/MX/Deployment_Guides/VPN_Concentrator_Deployment_Guide 

0 Kudos
Subscribe
In response to PhilipDAth
play_trumpet
Comes here often
‎Jan 6 2020 12:42 AM
‎Jan 6 2020 12:42 AM

Hi PhilipDAth

Thanks for the comment. But ASA is already installed at DC and working with other non-meraki branches. Is there no way to configure MX as spoke that they'll have VPN session only to ASAs in primary/secondary DC?
0 Kudos
Subscribe
In response to play_trumpet
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jan 6 2020 12:50 AM
‎Jan 6 2020 12:50 AM

>Is there no way to configure MX as spoke that they'll have VPN session only to ASAs in primary/secondary DC?

 

No.  You can configure firewall rules to block spoke to spoke traffic.

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Firewall_Rule_Behavior 

 

Your experiencing this dilemna because your network design is not appropriate for the solution being deployed.

Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.