Register or Sign in
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About wdepauw
wdepauw
Comes here often
Member since May 2, 2018
06-11-2018
Community Record
7
Posts
0
Kudos
0
Solutions
Badges
05-30-2018
11:09 AM
Hi, Our customer would like to have the following hub and spoke setup In the spoke MX there will be 2 VPN tunnels VPN tunnel 1 : Going to the hub ( autovpn with another MX appliance configured as hub). => The hub will announce the default route VPN tunnel 2: Going Zscaler ( non-meraki peer) => The goal is that the guest traffic ( LAN subnet1) will be routed to the Zscaler for verification so I would like to implement a policy that says => if coming from LAN subnet1 then push the traffic into VPN tunnel2 I have the impression that you can only do policy-routing based using a specific interface and not a VPN tunnel. Is the above scenario possible ? gr wim
... View more
05-03-2018
12:15 AM
ok because I understood from the documentation that when you run the VPN concentrator mode you need to protect it from the internet because the FW functionality is not working. Is it different then for the VMx ? Placing an MX appliance in Passthrough mode at the perimeter of your network with a publicly routable IP address is not recommended and can present security risks. As a best practice, Passthrough mode MX appliances should always be deployed behind an edge firewall. => since the spokes will connect over the internet towards the vmx hub I need a publicly routable IP address gr wim
... View more
05-02-2018
11:41 PM
pressed enter a little bit to quick 🙂 I've added a drawing for clarification tx Wim
... View more
05-02-2018
11:39 PM
Hi, Tx for the reply, I would put a FW in between the Vmx and VPC router so the Vmx is protected from the internet => In that case the default gateway would point to the FW => I would also enable OSPF on the Vmx . This would mean that the spoke routes are advertised to the MPLS router so the MPLS router knows how to reach the spoke sites.
... View more
05-02-2018
07:29 AM
Hi, Tx for the quick reply , in the vpn configuration you have the local networks which you can advertise. Is this like a cisco router where it needs to be available if you want to advertise it ? I assume that you are pointing to this chapter in the documentation ? Full Tunnel In full tunnel mode all traffic that the branch or remote office does not have another route to is sent to a VPN hub. Note: This is not supported for virtual MX VPN concentrators operating within Azure.
... View more
05-02-2018
05:54 AM
Hi, I'm working on a design for a customer and they want to place 2* Vmx in AWS and terminate the VPN tunnels of +/-120 remote sites on these Vmx's. => The Vmx will be used as a hub => In the branches there will be small MX appliances working in NAT mode Traffic from a spoke should follow the path: - Traffic from spoke will be encrypted in autovpn tunnel and routed to the highest priority Vmx. If the Vmx Hub would fail then it puts the traffic towards the 2nd Vmx Hub. - Traffic will be decrypted in the hub VMx and should be routed towards a connected (virtual) MPLS router - From the MPLS router it will be forwarded into the MPLS cloud to one of their DC's I understood from the documentation that the Vmx can only work in VPN concentrator mode ( L2 bridging), and with this mode routing is disabled. => This means that the Vmx will not known about the routes behind the virtual MPLS router and I think he will drop the traffic. In my (humble) opinion the Vmx is not made for this setup, in the VPN concentrator mode the Vmx can reach the local attached subnets but it can route traffic to another router. Am I correct in this ? Or is there another solution with the Vmx ? Another problem is that the return traffic should be able to reach the correct Vmx otherwise there is a risk that the traffic is routed over autovpn tunnel 1 ( with Vmx Hub1) and the return traffic from the DC will come on Vmx Hub2 => I don't know how the Vmx will react on assymetric traffic. Did anybody have a setup like this ? gr wim
... View more
