non-Meraki VPN peer

ninny
Conversationalist

non-Meraki VPN peer

Hello,

Hoping someone else has encountered this and can offer some guidance.  

 

I have a client that has two organizations.  Org 1 has their MX's which is managed by their ISP.  Org 2 has all of their other Meraki gear (switches, AP's, mobile gateway etc..)

 

Org 1 uses per device licensing

Org 2 uses co-term licensing

 

The client is looking to eventually move away from the ISP managing their firewalls because they really are not providing any management anyways.   

 

The client is setting up a new location so is looking to introduce a 3rd firewall.  Since they are looking to migrate away from their ISP for management, the idea was to put the new MX in org 2 and establish a non-meraki VPN peer to the other two sites. 

 

According to support, failover is not supported on non-meraki.   So I guess that means the option to use FQDN with version 18.1 or later is JUST for clients with DHCP.  This client has two MX100's in active/standby at both locations in org 1.  

 

So given this information, our next idea was to accept this risk of not having the 3rd site form a VPN tunnel on our backup WAN and once the contract is up with the ISP we could then pull in and license the MX100's in org 2 and use Auto-VPN.  


Problem is, it looks like the non-meraki peer configuration is organizational wide.   So I can only get the VPN to pin up to one network or the other within Org 1 from Org2. I'm not sure why it would ever be an organization wide setting - it should be a network wide setting right??? 

 

So I think the only way to solve this is to move the device from org2 (co-term) to org1 (per device) and use the auto-vpn feature.  Then when the contract is up with the ISP, move the device and licensing back under org2. 

 

Just wanted to check with the community to make sure I wasn't missing a simple fix here.


Thanks!

3 Replies 3
alemabrahao
Kind of a big deal
Kind of a big deal

Using two different Organizations and establishing a non-Meraki tunnel is not a good strategy, as you end up losing everything that SD-WAN offers due to the limitation that the non-Meraki VPN has, so yes, this is the best strategy, putting everything in a single organization.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
jamesjeon069
Comes here often

Could you elaborate on the limitation that the non-Meraki VPN in comparison to using the Auto-VPN?

 

I understand that the Auto-VPN uses the Meraki VPN registry to cache their VPN connectivity which helps the continuous usage in case of a VPN tunnel down as well as the failover to the secondary VPN tunnel, whereas the non-Meraki VPN does not offer these features (correct me if I am wrong)

 

Aside from that, is there any limitations in using non-Meraki VPN specifically for monitoring purposes?

 

 

PhilipDAth
Kind of a big deal
Kind of a big deal

Although non-Meraki VPNs are configured org-wide - you can control which networks use the VPN with tags.
https://meraki.cisco.com/blog/2015/01/now-in-the-meraki-mx-vpn-tagging/ 

 

PhilipDAth_0-1702837799871.png

 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels