vMX100 VPN-hub

SOLVED
Stefan_Tabell
Conversationalist

Dear Colleagues,


I have a question about the VPN-hub, firewall and OSPF function of the vMX100. 


If I have MX64 and Z1 at the branches connecting with VPN tunnels to a vMX100 in Azure with OSPF "Advertise remote routes" enabled, does this mean that the routes it learns from the branches will be advertised back to the branches over the tunnels?


For example:

Site A - vMX100

Site B - Z1

Site C - MX64


B --- [VPN] --- A --- [VPN] --- C


Will site B learn about the subnet in site C without static routes configured anywhere?


Is there any possibility to add L3 firewall rules between these from the vMX100?

1 ACCEPTED SOLUTION
GreenMan
Meraki Employee

By default the branches (spokes) will learn the routes for all the other branches (though it doesn't actually use OSPF to achieve that - they would still be able to reach them, even with OSPF disabled).

It is possible to have Support configure a back-end setting to prevent spokes from learning about subnets at other spokes, if you so wish - in some large solutions, this saves resources on the 'smaller' MX models. Bear in mind - even with that configured, if you advertised a supernet which included all your branch subnets from the vMX Hub, each spoke would still be able to reach the other spokes.

You can indeed filter the traffic flowing over the AutoVPN tunnels though, even if the routes are available, using VPN firewall rules, configured under Security appliance > Configure > Site-to-site VPN.


https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Firewall_Rule_Behavior


Remember too, when using OSPF - it's a one-way street; the Spokes do not automatically learn what subnets you're using for your services within the cloud DC. You have to configure those as Local networks at the Hub.
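To make the two points in the accepted answer concrete (a route being present is a separate question from the VPN firewall allowing the flow, and a supernet advertised from the hub can restore spoke-to-spoke reachability even when spoke routes are suppressed), here is an added Python model. It is not Meraki code and not from the original post: the site names, prefixes, the `suppress_other_spokes` switch and the rule dictionaries are constructed assumptions, and the rule list is assumed to be evaluated top-down, first match wins, with a final default allow.

```python
"""
Hub-and-spoke AutoVPN reachability model (added example, not Meraki code).

Models what a spoke's AutoVPN route table contains under the two hub
behaviours described in the answer, then applies an ordered first-match
VPN firewall rule list to a spoke-to-spoke flow. Every name and prefix
below is constructed for illustration.
"""
from ipaddress import ip_address, ip_network

# Constructed topology: hub A in the cloud, spokes B and C.
# The hub's entry doubles as its configured "Local networks".
SITES = {
    "A-vMX100": ["10.100.0.0/24"],
    "B-Z1":     ["10.1.0.0/24"],
    "C-MX64":   ["10.2.0.0/24"],
}
HUB = "A-vMX100"


def spoke_routes(spoke, suppress_other_spokes=False, hub_supernet=None):
    """Return {prefix: next_hop_site} as the given spoke would see it.

    Default behaviour: the spoke learns every other spoke's subnets via the hub.
    suppress_other_spokes models the Support-configured back-end setting: only
    the hub's local networks (plus an optional supernet advertised there) are
    learned, and spoke-specific prefixes are withheld.
    """
    routes = {ip_network(p): HUB for p in SITES[HUB]}
    if hub_supernet:
        routes[ip_network(hub_supernet)] = HUB
    if not suppress_other_spokes:
        for site, prefixes in SITES.items():
            if site in (HUB, spoke):
                continue
            for prefix in prefixes:
                routes[ip_network(prefix)] = HUB  # spoke-to-spoke traffic transits the hub
    return routes


def lookup(routes, dst):
    """Longest-prefix match; returns the next-hop site or None if no route."""
    addr = ip_address(dst)
    best = None
    for prefix, nexthop in routes.items():
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, nexthop)
    return best[1] if best else None


# Constructed VPN firewall rule list: ordered, first match wins. The trailing
# "allow Any -> Any" entry stands in for the dashboard's default final rule.
VPN_FW_RULES = [
    {"policy": "deny", "protocol": "any", "srcCidr": "10.1.0.0/24",
     "destCidr": "10.2.0.0/24", "comment": "block spoke B -> spoke C"},
    {"policy": "allow", "protocol": "any", "srcCidr": "Any",
     "destCidr": "Any", "comment": "default"},
]


def _cidr_match(cidr, addr):
    return cidr.lower() == "any" or ip_address(addr) in ip_network(cidr)


def vpn_fw_verdict(rules, src, dst, proto="tcp"):
    """First matching rule decides; an empty or non-matching list allows."""
    for rule in rules:
        proto_ok = rule["protocol"] in ("any", proto)
        if proto_ok and _cidr_match(rule["srcCidr"], src) and _cidr_match(rule["destCidr"], dst):
            return rule["policy"]
    return "allow"


def can_reach(spoke, src, dst, rules, **route_opts):
    """True only if the spoke has a route to dst AND the VPN firewall allows it."""
    if lookup(spoke_routes(spoke, **route_opts), dst) is None:
        return False
    return vpn_fw_verdict(rules, src, dst) == "allow"


if __name__ == "__main__":
    b, c_host, hub_host = "B-Z1", "10.2.0.5", "10.100.0.9"
    print("default, no rules      :", can_reach(b, "10.1.0.7", c_host, []))
    print("spoke routes suppressed:", can_reach(b, "10.1.0.7", c_host, [], suppress_other_spokes=True))
    print("suppressed + /8 supernet:", can_reach(b, "10.1.0.7", c_host, [],
                                                  suppress_other_spokes=True, hub_supernet="10.0.0.0/8"))
    print("default + deny rule    :", can_reach(b, "10.1.0.7", c_host, VPN_FW_RULES))
    print("B -> hub services      :", can_reach(b, "10.1.0.7", hub_host, VPN_FW_RULES))
```

Running it shows the three outcomes the answer describes: with the default hub behaviour spoke B has a route to C; suppressing spoke routes removes it; advertising a 10.0.0.0/8 supernet from the hub brings it back via longest-prefix match; and the VPN firewall deny rule is what actually stops B-to-C traffic while leaving B's access to the hub's local networks intact.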

