Z3 Concurrently Active VPN Tunnel

FlyingFrames
Getting noticed

Z3 Concurrently Active VPN Tunnel

Trying to find out if Z3 supports concurrently active VPN tunnels.

 

Based on datasheet it supports in single WAN uplink & some docs clearly say:

 

"An SD-WAN-enabled MX will form concurrently active AutoVPN tunnels across both of its uplinks to each of its individual AutoVPN peers' uplinks."

 

However since Z3 does not support two uplinks but does support multiple hubs, so its confusing if it does support concurrently active tunnels to the configured multiple hubs.

 

Any information on failover behavior between VPN tunnels will also help.

 

Thanks in advance.

4 REPLIES 4
olvs
New here

In the past I have upgraded a active/passive PAN's that I was VPN'ed into and during a failover, my connection was not dropped. The sessions should be handed over to the passive unit and everything should continue to function. From my site I can sugges vpns without logs it has affordable prices and provides a high level of security. I use it for a long time and don't have any regrets.

GreenMan
Meraki Employee
Meraki Employee

Z3 does indeed support just a single uplink, but can form multiple tunnels over that single link - usually to different destinations (typically MX Hubs, in some form of Data Centre).   As Z3 is designed for home office use cases, I would suggest keeping this count very small - maybe 2 or 3 tunnels, but no more.

The documentation you quote around concurrently active tunnels across both uplinks relates specifically to MX (all models of which can support dual uplinks)

 

Note that the warm spare device option referred to in @olvs earlier reply, could apply to the MXs in your Data Centre, but not to Z3 (no warm spare option for Z3).    Such a setup would involve a single tunnel per remote Z3, to the active MX.   If the active MX failed, a new tunnel would be automatically built, to the standby - but traffic would be interrupted, while this happens.

It is possible to have active - active DC AutoVPN / SD-WAN designs, but that wouldn't rely solely on the Warm spare function - more on this here:   https://documentation.meraki.com/MX/Deployment_Guides/Datacenter_Redundancy_(DC-DC_Failover)_Deploym...

Thanks for the detailed reply GreenMan.

 

Agreed that Z3 cannot be in a warm spare formation at a branch.

 

Looking at this statement from the doc you shared:

 

"To leverage DC-DC failover, the branch site must have at least two hubs defined in the site-to-site VPN page that advertise the same subnet into the AutoVPN topology (split tunnel) or that the default route checkbox is selected for (full tunnel)."

 

The question now becomes, will a Z3 create tunnels to both the hubs defined, at the same time? Or will it create the tunnel to lower priority hub after the higher priority hub as failed?

 

The reason is we want to quantify if the TCP connections will drop, voice applications suffer etc. upon a DC failure.

Both tunnels will be created - and could actively carry traffic concurrently, depending on what resources are accessed and how they are advertised by the Hubs.

Failover between the tunnels will be automatic, should one drop;  the failover time will be dependent on the nature of the failure.   Whether this is disruptive to your applications will also likely depend, to a decent degree, on how sensitive the applications are to brief loss of comms.

A trial / Proof of Concept is usually recommended, with your specific blend of factors.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels