Figure 5-10 shows the Security & SD-WAN > Site-to-Site VPN page of a network configured as an Auto VPN spoke pointing back to two different hub devices, with the primary hub configured as a default route (full tunnel). For many sites, this is nearly all the configuration required to establish the Auto VPN topology across the organization.

Figure 5-10 Example Auto VPN Configuration Showing a Spoke Site Configured for Two Hubs, One of Which Is Configured with a Default Route/Full Tunnel Configuration

When you’re configuring Auto VPN from the Dashboard UI, the VPN Settings section of the Site-to-Site VPN page lets you choose which local subnets participate in the VPN topology: for each subnet at each site, select either Enabled or Disabled from the VPN Mode drop-down list. Figure 5-11 shows a site where only one of the four local subnets is configured for VPN access.

Pro Tip

You can also define VPN access for each subnet by editing the subnet on the Security & SD-WAN > Addressing & VLANs page.

Figure 5-11 VLAN/Subnet Availability Configuration for an Auto VPN–Enabled Peer

This configuration option helps to reduce the number of unique subnets required across sites, as VLANs/subnets that do not require VPN access can be reused across locations and only the VPN-enabled subnets require a unique address space within the organization. This is especially useful for templated networks, which are discussed further in Chapter 4, “Automating the Dashboard.”

Additionally, Meraki makes it easy to create a full tunnel Auto VPN configuration. By simply checking the IPv4 Default Route box for the related Auto VPN hub, all client traffic will automatically be routed across the Auto VPN connection to the selected hub to be forwarded to the destination. This greatly simplifies the configuration by removing the need to explicitly advertise a default route from each hub, as required in a more traditional deployment. If the IPv4 Default Route box is not checked, only traffic destined for advertised VPN subnets will be routed across the VPN.

Pro Tip

More advanced deployments like those utilizing DC-DC failover may still require manual route advertisement configuration to allow for proper route tracking and failover.
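The spoke configuration described above (two hubs, the primary carrying the default route, and VPN Mode set per subnet) can also be expressed through the Meraki Dashboard API, which this page does not cover. The following Python is an added example, not code from the book; it assumes the v1 endpoint PUT /networks/{networkId}/appliance/vpn/siteToSiteVpn, uses placeholder hub network IDs and constructed subnets, and also checks the uniqueness rule stated in the text: only VPN-enabled subnets must not overlap across sites, while disabled ones may be reused.

```python
import ipaddress
import json
import urllib.request

# Constructed placeholder hub network IDs. The primary hub carries the default
# route (full tunnel); the secondary hub only gets traffic for its VPN subnets.
HUBS = [
    {"hubId": "N_PRIMARY_HUB_ID_PLACEHOLDER", "useDefaultRoute": True},
    {"hubId": "N_SECONDARY_HUB_ID_PLACEHOLDER", "useDefaultRoute": False},
]

def build_spoke_payload(hubs, subnets):
    """Body for PUT /networks/{networkId}/appliance/vpn/siteToSiteVpn.
    hubs: [{"hubId", "useDefaultRoute"}] in priority order.
    subnets: {cidr: use_vpn}, mirroring the VPN Mode Enabled/Disabled list."""
    if not hubs:
        raise ValueError("a spoke needs at least one hub")
    return {
        "mode": "spoke",
        "hubs": hubs,
        "subnets": [{"localSubnet": str(ipaddress.ip_network(c)), "useVpn": bool(u)}
                    for c, u in subnets.items()],
    }

def find_vpn_subnet_conflicts(sites):
    """Flag overlapping address space among VPN-enabled subnets only.
    sites: {site_name: {cidr: use_vpn}}. Disabled subnets may be reused across
    sites and are ignored; enabled ones must be unique within the org."""
    enabled = [(site, ipaddress.ip_network(cidr))
               for site, subs in sites.items()
               for cidr, use in subs.items() if use]
    conflicts = []
    for i, (site_a, net_a) in enumerate(enabled):
        for site_b, net_b in enabled[i + 1:]:
            if net_a.overlaps(net_b):
                conflicts.append((site_a, str(net_a), site_b, str(net_b)))
    return conflicts

def push_spoke_config(api_key, network_id, payload):
    """PUT the payload to the Dashboard API (needs a real key and network ID)."""
    url = (f"https://api.meraki.com/api/v1/networks/{network_id}"
           "/appliance/vpn/siteToSiteVpn")
    req = urllib.request.Request(url, data=json.dumps(payload).encode(), method="PUT",
                                 headers={"X-Cisco-Meraki-API-Key": api_key,
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

Run find_vpn_subnet_conflicts over every site's subnet map before pushing, so that a reused VLAN that was accidentally set to Enabled is caught before it collides inside the VPN.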
