Meraki Device Management over IPsec /w VxLAN

Solved
whistleblower
Building a reputation

Hi all,

I'd like to know/understand if a Meraki device (e.g. a switch) could be managed through a Layer 3 connection to a HQ location over an IPsec tunnel encapsulating VxLAN (the VTEP is not a Cisco Meraki device)?

As well, I have a basic question about VxLAN: does the Meraki switch need to support the VxLAN configuration (VNIs, etc.) as well, or is it only needed on the VTEP?

Thanks in advance for any help!


5 Replies
GIdenJoe
Kind of a big deal

Servers, clients or other devices (like a Meraki switch) only use IP to reach other hosts or the internet.

They are not aware if their traffic is encapsulated inside a VXLAN header.

 

So in this case you should be fine 🙂

whistleblower
Building a reputation

@GIdenJoe what do you mean when you say they are not aware when their traffic is encapsulated in a VxLAN header?

Because their traffic will be en-/decapsulated between firewalls which act as the VTEPs... 😅

GIdenJoe
Kind of a big deal

It's simple: does your computer know, when it is receiving TCP data from a webserver, that it is passing 12 routers on the internet and perhaps passing through an MPLS network? No, it does not.

Your computer, if it is connected with a wire, uses Ethernet to talk inside its own network, which encapsulates IP if it is an IP packet. It does not speak MPLS or VXLAN or LISP or GRE or whatever might be used upstream. That's the whole point of using the TCP/IP and OSI reference models.

To give you an example like your case:
You have a Meraki switch that will serve clients on a network, and the router/firewall or whatever intermediate device is a VTEP. The Meraki switch will send UDP packets to its known Meraki cloud servers upstream towards its default gateway (so that is UDP inside of IP inside of Ethernet). Then the upstream device takes that packet and sees that it needs to send that packet across its VXLAN tunnel to the VTEP at the other end. So it encapsulates the Ethernet frame inside a VXLAN header and slaps another UDP + IP + Ethernet on that and routes it towards the other VTEP.

That VTEP then decapsulates the outer headers to reveal the inner packet and sends it on towards the end firewall or gateway towards the internet, so the switch's packet is forwarded in the direction of the Meraki cloud.
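The encapsulation GIdenJoe walks through above (the switch's UDP-in-IP-in-Ethernet frame wrapped by the VTEP in VXLAN + UDP + IP + Ethernet, then unwrapped at the far VTEP), as an added worked example that is not part of the original thread and is not Meraki or any vendor's code. It builds the headers by hand following the VXLAN header layout from RFC 7348 so that the reader can check that the inner frame, including the switch's own MAC and IP addresses, comes out of the far VTEP byte-for-byte unchanged, and that a receiving VTEP rejects a frame carrying the wrong VNI. All MAC and IP addresses, the VNI, the ports and the payload are constructed sample values; the payload is only a stand-in for management traffic, not Meraki's real protocol, and the IPsec layer that would wrap the outer packet between the two firewalls is not modelled.

```python
import socket
import struct

VXLAN_UDP_PORT = 4789  # well-known VXLAN destination port (RFC 7348)
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
VXLAN_FLAG_I = 0x08    # "VNI present" bit in the first VXLAN header byte

# Constructed sample addresses/values for the demo (not real devices or traffic)
SWITCH_MAC = bytes.fromhex("02000000000a")
GATEWAY_MAC = bytes.fromhex("020000000001")
VTEP_A_MAC = bytes.fromhex("02000000aa01")
VTEP_B_MAC = bytes.fromhex("02000000bb01")
VNI = 5010


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum; returns 0 for a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ethernet(dst_mac: bytes, src_mac: bytes, ethertype: int, payload: bytes) -> bytes:
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload

def ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]  # fill in checksum
    return hdr + payload

def udp(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload  # checksum 0 = none

def vxlan_header(vni: int) -> bytes:
    """8 bytes: flags (I bit set) + 24 reserved bits, then 24-bit VNI + 8 reserved bits."""
    return struct.pack("!II", VXLAN_FLAG_I << 24, (vni & 0xFFFFFF) << 8)

def switch_frame() -> bytes:
    """The switch's own packet: UDP inside IP inside Ethernet, addressed to its default
    gateway's MAC and the cloud's IP. Payload is a placeholder, not the real protocol."""
    payload = b"constructed placeholder for management traffic"
    return ethernet(GATEWAY_MAC, SWITCH_MAC, ETHERTYPE_IPV4,
                    ipv4("192.0.2.10", "203.0.113.5", IPPROTO_UDP, udp(40000, 8000, payload)))

def vtep_encapsulate(inner_frame: bytes, vni: int, src_mac: bytes, dst_mac: bytes,
                     src_ip: str, dst_ip: str, sport: int) -> bytes:
    """Sending VTEP: wrap the untouched inner frame in VXLAN + UDP + IP + Ethernet."""
    return ethernet(dst_mac, src_mac, ETHERTYPE_IPV4,
                    ipv4(src_ip, dst_ip, IPPROTO_UDP,
                         udp(sport, VXLAN_UDP_PORT, vxlan_header(vni) + inner_frame)))

def vtep_decapsulate(outer_frame: bytes, expected_vni: int) -> bytes:
    """Receiving VTEP: validate the outer headers and return the inner frame as-is."""
    if struct.unpack("!H", outer_frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("outer frame is not IPv4")
    ihl = (outer_frame[14] & 0x0F) * 4
    ip_hdr = outer_frame[14:14 + ihl]
    if ipv4_checksum(ip_hdr) != 0:
        raise ValueError("outer IPv4 checksum mismatch")
    if ip_hdr[9] != IPPROTO_UDP:
        raise ValueError("outer IP payload is not UDP")
    udp_start = 14 + ihl
    _, dport, ulen, _ = struct.unpack("!HHHH", outer_frame[udp_start:udp_start + 8])
    if dport != VXLAN_UDP_PORT:
        raise ValueError("not VXLAN: UDP dport %d" % dport)
    vx_start = udp_start + 8
    flags, vni_field = struct.unpack("!II", outer_frame[vx_start:vx_start + 8])
    if not (flags >> 24) & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set")
    if vni_field >> 8 != expected_vni:
        raise ValueError("unexpected VNI %d" % (vni_field >> 8))
    inner = outer_frame[vx_start + 8:]
    if len(inner) != ulen - 16:  # UDP length = UDP header (8) + VXLAN header (8) + inner
        raise ValueError("UDP length does not match inner frame")
    return inner

def run_demo() -> dict:
    """Round-trip the switch frame through both VTEPs (IPsec between them is not modelled)."""
    inner = switch_frame()
    outer = vtep_encapsulate(inner, VNI, VTEP_A_MAC, VTEP_B_MAC,
                             "198.51.100.1", "198.51.100.2", 49152)
    recovered = vtep_decapsulate(outer, VNI)
    return {"inner": inner, "outer": outer, "recovered": recovered,
            "overhead": len(outer) - len(inner), "unchanged": inner == recovered}

if __name__ == "__main__":
    r = run_demo()
    print("inner %d bytes, outer %d bytes, VXLAN overhead %d bytes" %
          (len(r["inner"]), len(r["outer"]), r["overhead"]))
    print("inner frame unchanged after round trip:", r["unchanged"])
```

Running it shows the fixed 50 bytes of overhead the VTEP adds (14 Ethernet + 20 IPv4 + 8 UDP + 8 VXLAN) and that the recovered frame is identical to what the switch sent: the switch never sees the outer headers, the VNI, or the VTEP addresses, which is why the switch needs no VXLAN configuration of its own. The VNI check in vtep_decapsulate is the one piece of VXLAN-specific state, and it lives only on the VTEPs.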

PhilipDAth (accepted solution)
Kind of a big deal

Meraki devices are managed through the dashboard.  You access the dashboard via the Internet.  Meraki devices need to also communicate via the Internet to the dashboard.

 

How you provide that connectivity to the Internet is immaterial.

whistleblower
Building a reputation

great, thanks for the fast help to both of you! have a great weekend!
