Good Day All,
I trust you are doing well.
I am slightly rusty on this topic and have some questions around handling inter-Vlan routing via L3 switches instead of the MX appliance, and the impact that will have on S2S VPNs.
I would like to shift the routing load off of the MX appliances by moving the routing and ACLs into the distribution layer. But the site has a S2S Meraki Auto-VPN presence and is sharing subnets over the tunnel. I'm unfamiliar with the effect or additional steps I would need to take to not negatively impact the deployment. I'm not sure if this approach is even feasible with branches using S2S connections.
Any advice or direction would be greatly appreciated.
The one that knows the routes to the tunnel networks is the MX (as I believe the S2S VPN is configured on it).
In this case you need to create a link (transit VLAN) network between the MX and the Switch and then configure the route to the S2S VPN networks on the Switch pointing to the MX IP as the next hop.
It's pretty basic routing to be honest.
Thank you for this, I've read up about this since the post.
But I wasn't sure how the subnets would be advertised to the connecting site.
Normally you'd just see the Subnet and Tagged Vlan and select Enabled in Configure -> Site-to-Site VPN.
Because I don't have a lab environment to test this, I was unsure how to test and share the routes over VPN.
I think your setup is this way:
AutoVPN to the other sites
VLAN interfaces on the MX needed for inter-VLAN routing
VLAN interfaces configured with VPN enabled in the AutoVPN configuration
The new setup:
Delete the VLAN interfaces on the MX
Configure a transit-VLAN between MX and MS
Configure VLAN interfaces on the MS
Set static routes to the networks behind the MS. Gateway is the L3 interface for the transit-VLAN.
Configure the appropriate VLANs as VPN enabled
You can mark static routes to be included in VPNs.
Yes, of course. It's another way (and shorter) with the same result as configuring the subnets as VPN enabled.
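The steps above (transit VLAN, VLAN interfaces on the MS, static routes on the MX with the VPN flag) are easy to get subtly wrong before the change window. The following script is an added example, not code from the thread or from Meraki: it models such a plan with the standard library's ipaddress module, checks it for the mistakes that break the migration (transit addresses outside the transit subnet, overlapping prefixes, duplicate VLAN IDs), derives the MS interfaces, the MS default route and the MX static routes, and reports which prefixes will be advertised to the AutoVPN peers. All addresses and VLAN IDs are constructed placeholders, and the choice of the first host address for each MS interface is an assumption.

```python
from ipaddress import ip_address, ip_network

# Constructed sample plan. Addresses and VLAN IDs are hypothetical placeholders,
# not values from the thread.
TRANSIT = {"vlan": 999, "subnet": "10.255.0.0/30",
           "mx_ip": "10.255.0.1", "ms_ip": "10.255.0.2"}
MS_VLANS = [
    {"vlan": 10, "name": "Users",   "subnet": "10.10.10.0/24", "vpn": True},
    {"vlan": 20, "name": "Servers", "subnet": "10.10.20.0/24", "vpn": True},
    {"vlan": 30, "name": "Guest",   "subnet": "10.10.30.0/24", "vpn": False},
]


def validate_plan(transit, vlans):
    """Return a list of problems found in the plan; an empty list means it is consistent."""
    problems = []
    t_net = ip_network(transit["subnet"])
    t_hosts = list(t_net.hosts())
    # Both ends of the transit link must be usable host addresses inside the transit
    # subnet, otherwise the MX static routes (next hop = MS) or the MS default route
    # (next hop = MX) can never resolve.
    for role in ("mx_ip", "ms_ip"):
        if ip_address(transit[role]) not in t_hosts:
            problems.append(f"{role} {transit[role]} is not a host address in transit {t_net}")
    if transit["mx_ip"] == transit["ms_ip"]:
        problems.append("MX and MS transit addresses must differ")
    # No subnet may overlap another, or the MX would hold two candidate routes for one prefix.
    nets = [("transit", t_net)] + [(v["name"], ip_network(v["subnet"])) for v in vlans]
    for i, (name_a, net_a) in enumerate(nets):
        for name_b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                problems.append(f"{name_a} {net_a} overlaps {name_b} {net_b}")
    # VLAN IDs must be unique and must not collide with the transit VLAN.
    ids = [transit["vlan"]] + [v["vlan"] for v in vlans]
    if len(ids) != len(set(ids)):
        problems.append("duplicate VLAN ID in plan")
    return problems


def build_config(transit, vlans):
    """Derive the MS-side and MX-side configuration the thread's steps describe."""
    ms_interfaces = []
    for v in vlans:
        net = ip_network(v["subnet"])
        # Assumption: the MS L3 interface (the VLAN's new default gateway) takes the
        # first usable host address.
        ms_interfaces.append({"vlan": v["vlan"], "name": v["name"],
                              "interface_ip": str(next(net.hosts())),
                              "subnet": str(net)})
    ms_interfaces.append({"vlan": transit["vlan"], "name": "transit",
                          "interface_ip": transit["ms_ip"], "subnet": transit["subnet"]})
    # Everything the MS does not know about (the AutoVPN networks included) goes to the MX.
    ms_default_route = {"subnet": "0.0.0.0/0", "next_hop": transit["mx_ip"]}
    # The MX loses its VLAN interfaces and reaches each MS VLAN via a static route; the
    # use_vpn flag is what makes a prefix appear in the Site-to-Site VPN page.
    mx_static_routes = [{"name": v["name"], "subnet": v["subnet"],
                         "gateway_ip": transit["ms_ip"], "use_vpn": v["vpn"]}
                        for v in vlans]
    return {"ms_interfaces": ms_interfaces,
            "ms_default_route": ms_default_route,
            # The transit VLAN stays local; it is never advertised to remote sites.
            "mx_transit_vlan": {"vlan": transit["vlan"], "subnet": transit["subnet"],
                                "mx_ip": transit["mx_ip"], "use_vpn": False},
            "mx_static_routes": mx_static_routes}


def advertised_prefixes(config):
    """Prefixes the remote AutoVPN peers will receive: only routes marked use_vpn."""
    return sorted(r["subnet"] for r in config["mx_static_routes"] if r["use_vpn"])


if __name__ == "__main__":
    issues = validate_plan(TRANSIT, MS_VLANS)
    if issues:
        raise SystemExit("plan rejected:\n  " + "\n  ".join(issues))
    cfg = build_config(TRANSIT, MS_VLANS)
    for route in cfg["mx_static_routes"]:
        print(f"MX static route {route['subnet']} via {route['gateway_ip']} "
              f"(VPN: {route['use_vpn']})")
    print("Advertised over AutoVPN:", advertised_prefixes(cfg))
```

The advertised list is worth reviewing before the change: once routing moves to the MS, the per-VLAN VPN toggle becomes the `use_vpn` flag on each static route, so a VLAN that was previously kept off the tunnel (the Guest VLAN in the sample) must be left unflagged, and the inter-VLAN ACLs now have to live on the MS, because the MX only sees the transit link.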
Thank you very much for this. I see that when you do this, you'll see the static routes appear in the Configure->S2S VPN page. So the process is actually super straightforward. A slight lack of experience there on my behalf.