L3 Switching Effects on S2S VPNs


Good Day All, 

I trust you are doing well.

I am slightly rusty on this topic and have some questions around handling inter-VLAN routing via L3 switches instead of the MX appliance, and the impact that will have on S2S VPNs.


I would like to shift the routing load off of the MX appliances by moving the routing and ACLs into the distribution layer. But the site has an S2S Meraki Auto-VPN presence and is sharing subnets over the tunnel. I'm unfamiliar with the effect or additional steps I would need to take to not negatively impact the deployment. I'm not sure if this approach is even feasible with branches using S2S connections.

Any advice or direction would be greatly appreciated. 

1 Accepted Solution

You can mark static routes to be included in VPNs.





6 Replies

The device that knows the routes to the tunnel networks is the MX (as I believe the S2S VPN is configured on it).

In this case you need to create a link (transit VLAN) network between the MX and the switch and then configure the route to the S2S VPN networks on the switch pointing to the MX IP as the next hop.

It's pretty basic routing to be honest.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Thank you for this, I've read up about this since the post. 

But I wasn't sure how the subnets would be advertised to the connecting site.

Normally you'd just see the Subnet and Tagged VLAN and select Enabled in Configure -> Site-to-Site VPN.
Because I don't have a lab environment to test this, I was unsure how to test and share the routes over VPN.


I think your setup is this way:

AutoVPN to the other sites

VLAN interfaces on the MX needed for inter-VLAN routing

VLAN interfaces configured with VPN enabled in the AutoVPN configuration


The new setup:

Delete the VLAN interfaces on the MX

Configure a transit-VLAN between MX and MS

Configure VLAN interfaces on the MS

Set static routes to the networks behind the MS. Gateway is the L3 interface for the transit VLAN.

Configure the appropriate VLANs as VPN enabled


You can mark static routes to be included in VPNs.




Yes, of course. It's another way (and shorter) with the same result as configuring the subnets as VPN enabled.

Thank you very much for this. I see that when you do this, you'll see the static routes appear in the Configure->S2S VPN page. So the process is actually super straightforward. A slight lack of experience there on my behalf. 
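The migration described in this thread (transit VLAN between MX and MS, MX VLAN interfaces replaced by static routes pointing at the MS, and those static routes marked as VPN-enabled so the same subnets keep being advertised over AutoVPN) as an added example that is not part of the thread or any poster's code. It builds the change set as plain dicts and sanity-checks it (next hops inside the transit subnet, no overlapping subnets, MS default gateway on the transit interface) before anything is pushed. The field names follow what I believe the Meraki Dashboard API v1 request bodies look like for appliance VLANs, appliance static routes, the site-to-site VPN subnet list and switch L3 interfaces; that is an assumption, the script never calls the API, so verify them against the current API reference. All addresses are constructed.

```python
"""Plan the MX/MS changes for moving inter-VLAN routing to an L3 switch while
keeping the moved subnets in Meraki AutoVPN. Added example; the dict shapes
are an assumption about the Dashboard API v1 bodies and nothing here talks to
the dashboard, so check them before use. Sample addresses are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class MovedVlan:
    vlan_id: int
    name: str
    subnet: str            # formerly an MX VLAN interface, now an MS SVI
    ms_interface_ip: str   # address the MS will own in that subnet


@dataclass(frozen=True)
class Design:
    transit_vlan_id: int
    transit_subnet: str    # point-to-point VLAN linking MX and MS
    mx_transit_ip: str
    ms_transit_ip: str
    moved: tuple           # tuple[MovedVlan, ...]


def validate(d: Design) -> list:
    """Return design errors; an empty list means the plan is consistent."""
    errors = []
    transit = ipaddress.ip_network(d.transit_subnet)
    mx = ipaddress.ip_address(d.mx_transit_ip)
    ms = ipaddress.ip_address(d.ms_transit_ip)
    if mx not in transit:
        errors.append(f"MX transit IP {mx} is not inside {transit}")
    if ms not in transit:
        errors.append(f"MS transit IP {ms} is not inside {transit}")
    if mx == ms:
        errors.append("MX and MS transit IPs must differ")
    seen = []
    for v in d.moved:
        try:
            net = ipaddress.ip_network(v.subnet)  # strict: rejects host bits set
        except ValueError as e:
            errors.append(f"VLAN {v.vlan_id}: bad subnet {v.subnet!r}: {e}")
            continue
        if ipaddress.ip_address(v.ms_interface_ip) not in net:
            errors.append(f"VLAN {v.vlan_id}: interface IP {v.ms_interface_ip} not in {net}")
        if net.overlaps(transit):
            errors.append(f"VLAN {v.vlan_id}: {net} overlaps transit subnet {transit}")
        for other_id, other in seen:
            if net.overlaps(other):
                errors.append(f"VLAN {v.vlan_id}: {net} overlaps VLAN {other_id} ({other})")
        seen.append((v.vlan_id, net))
    return errors


def mx_transit_vlan(d: Design) -> dict:
    """The one VLAN the MX keeps: its side of the transit link (assumed body of
    POST /networks/{id}/appliance/vlans)."""
    return {"id": d.transit_vlan_id, "name": "transit-to-ms",
            "subnet": d.transit_subnet, "applianceIp": d.mx_transit_ip}


def mx_static_routes(d: Design) -> list:
    """One MX static route per moved subnet, next hop = MS transit IP
    (assumed body of POST /networks/{id}/appliance/staticRoutes)."""
    return [{"name": f"vlan{v.vlan_id}-{v.name}", "subnet": v.subnet,
             "gatewayIp": d.ms_transit_ip} for v in d.moved]


def mx_vpn_subnets(d: Design, keep_in_vpn: set) -> list:
    """Site-to-site VPN subnet list: the transit link stays local, and each
    moved subnet (now a static route) is exported only if it was VPN-enabled
    before the move (assumed `subnets` field of PUT .../vpn/siteToSiteVpn)."""
    entries = [{"localSubnet": d.transit_subnet, "useVpn": False}]
    entries += [{"localSubnet": v.subnet, "useVpn": v.vlan_id in keep_in_vpn}
                for v in d.moved]
    return entries


def ms_l3_interfaces(d: Design) -> list:
    """MS SVIs: the transit interface (carrying the default gateway towards the
    MX) plus one per moved VLAN (assumed body of
    POST /devices/{serial}/switch/routing/interfaces)."""
    ifaces = [{"name": "transit-to-mx", "vlanId": d.transit_vlan_id,
               "subnet": d.transit_subnet, "interfaceIp": d.ms_transit_ip,
               "defaultGateway": d.mx_transit_ip}]
    ifaces += [{"name": v.name, "vlanId": v.vlan_id, "subnet": v.subnet,
                "interfaceIp": v.ms_interface_ip} for v in d.moved]
    return ifaces


def plan(d: Design, keep_in_vpn: set) -> dict:
    """Full change set; refuses to build one from an inconsistent design."""
    errors = validate(d)
    if errors:
        raise ValueError("; ".join(errors))
    return {"mx_delete_vlans": [v.vlan_id for v in d.moved],
            "mx_transit_vlan": mx_transit_vlan(d),
            "mx_static_routes": mx_static_routes(d),
            "mx_vpn_subnets": mx_vpn_subnets(d, keep_in_vpn),
            "ms_l3_interfaces": ms_l3_interfaces(d)}


# Constructed sample: two VLANs leave the MX; only VLAN 20 was shared over AutoVPN.
SAMPLE = Design(
    transit_vlan_id=999, transit_subnet="10.255.255.0/30",
    mx_transit_ip="10.255.255.1", ms_transit_ip="10.255.255.2",
    moved=(MovedVlan(10, "users", "10.10.10.0/24", "10.10.10.1"),
           MovedVlan(20, "servers", "10.10.20.0/24", "10.10.20.1")))

if __name__ == "__main__":
    import json
    print(json.dumps(plan(SAMPLE, keep_in_vpn={20}), indent=2))
```

The order of operations matters on a live site: create the transit VLAN and the MS interfaces first, then the MX static routes, then flip `useVpn` on them, and only then delete the old MX VLAN interfaces, otherwise the remote sites lose the route for the duration of the change. Whatever the MX still lists as a VPN-enabled subnet is what the other AutoVPN peers learn, so the static-route entries are the only thing the remote sites need to see.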
