Figure 5-10 shows the Security & SD-WAN > Site-to-Site VPN page of a network configured as an Auto VPN spoke pointing back to two different hub devices, with the primary hub configured as a default route (full tunnel). For many sites, this is nearly all the configuration required to establish the Auto VPN topology across the organization.
Figure 5-10 Example Auto VPN Configuration Showing a Spoke Site Configured for Two Hubs, One of Which Is Configured with a Default Route/Full Tunnel Configuration
When you configure Auto VPN from the Dashboard UI, the VPN Settings section of the Site-to-Site VPN page lets you choose which local subnets participate in the VPN topology: for each subnet at each site, select either Enabled or Disabled from the VPN Mode drop-down list. Figure 5-11 shows a site where only one of the four local subnets is enabled for VPN access.
Pro Tip
You can also define VPN access for each subnet by editing the subnet on the Security & SD-WAN > Addressing & VLANs page.
Figure 5-11 VLAN/Subnet Availability Configuration for an Auto VPN–Enabled Peer
This configuration option helps to reduce the number of unique subnets required across sites: VLANs/subnets that do not require VPN access can be reused at every location, and only the VPN-enabled subnets require a unique address space within the organization. This is especially useful for templated networks, which are discussed further in Chapter 4, “Automating the Dashboard.”
Additionally, Meraki makes it easy to create a full-tunnel Auto VPN configuration. Simply check the IPv4 Default Route box for the chosen Auto VPN hub, and all client traffic is routed across the Auto VPN connection to that hub, which forwards it on to the destination. This greatly simplifies the configuration by removing the need to explicitly advertise a default route from each hub, as a more traditional deployment requires. If the IPv4 Default Route box is not checked, only traffic destined for advertised VPN subnets is routed across the VPN.
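The following Python is an added example, not code from the book or from Meraki; it models the two behaviours described above so they can be checked before a change is pushed: VPN-enabled subnets must be unique across the organization while disabled subnets may be reused per site (the per-subnet VPN Mode setting), and a spoke forwards traffic over Auto VPN only to advertised subnets unless one of its hubs is marked as the IPv4 default route. The site names, hub IDs, subnets and field names (`hubs`/`useDefaultRoute`, `subnets`/`useVpn`) are constructed for illustration and are assumptions, not values taken from the page.

```python
import ipaddress

# Constructed example: two spoke sites and the hubs they point at.
# Field names are assumptions chosen to mirror the Dashboard's
# "IPv4 Default Route" and "VPN Mode" options; they are not from the page.
SITES = {
    "Branch-A": {
        "hubs": [
            {"hubId": "HUB-PRIMARY", "useDefaultRoute": True},    # full tunnel
            {"hubId": "HUB-SECONDARY", "useDefaultRoute": False},
        ],
        "subnets": [
            {"localSubnet": "10.10.1.0/24", "useVpn": True},       # must be unique org-wide
            {"localSubnet": "192.168.50.0/24", "useVpn": False},   # guest VLAN, reused per site
        ],
    },
    "Branch-B": {
        "hubs": [{"hubId": "HUB-PRIMARY", "useDefaultRoute": False}],  # no default route
        "subnets": [
            {"localSubnet": "10.10.2.0/24", "useVpn": True},
            {"localSubnet": "192.168.50.0/24", "useVpn": False},   # same guest range as Branch-A
        ],
    },
}

# Subnets each hub advertises into Auto VPN (constructed sample values).
HUB_SUBNETS = {
    "HUB-PRIMARY": ["10.0.0.0/16"],
    "HUB-SECONDARY": ["10.1.0.0/16"],
}


def vpn_enabled_subnets(site):
    """Only subnets with VPN Mode = Enabled are advertised into the topology."""
    return [ipaddress.ip_network(s["localSubnet"]) for s in site["subnets"] if s["useVpn"]]


def check_unique_vpn_subnets(sites):
    """Return (earlier_site, later_site, subnet) for every overlap among VPN-enabled
    subnets. Disabled subnets are ignored, so reusing them across sites is fine."""
    conflicts = []
    seen = []  # (site_name, network) already visited
    for name, site in sites.items():
        for net in vpn_enabled_subnets(site):
            for other_name, other in seen:
                if net.overlaps(other):
                    conflicts.append((other_name, name, str(net)))
            seen.append((name, net))
    return conflicts


def next_hop(site_name, dst, sites=SITES, hub_subnets=HUB_SUBNETS):
    """Decide where a spoke sends a packet to dst:
    'local', 'vpn:<hub>' (over Auto VPN) or 'underlay' (local Internet breakout)."""
    site = sites[site_name]
    addr = ipaddress.ip_address(dst)
    # Anything in a directly connected subnet, VPN-enabled or not, stays local.
    for s in site["subnets"]:
        if addr in ipaddress.ip_network(s["localSubnet"]):
            return "local"
    # Subnets advertised by a hub are reached through that hub.
    for hub_id, nets in hub_subnets.items():
        if any(addr in ipaddress.ip_network(n) for n in nets):
            return f"vpn:{hub_id}"
    # Another spoke's VPN-enabled subnet is reached via the primary hub.
    for other_name, other in sites.items():
        if other_name != site_name and any(addr in net for net in vpn_enabled_subnets(other)):
            return f"vpn:{site['hubs'][0]['hubId']}"
    # Nothing advertised matched: full tunnel if a hub is the default route, else breakout.
    for hub in site["hubs"]:
        if hub["useDefaultRoute"]:
            return f"vpn:{hub['hubId']}"
    return "underlay"


if __name__ == "__main__":
    print("VPN subnet conflicts:", check_unique_vpn_subnets(SITES))
    for site, dst in [("Branch-A", "8.8.8.8"), ("Branch-B", "8.8.8.8"), ("Branch-A", "10.10.2.9")]:
        print(site, "->", dst, ":", next_hop(site, dst))
```

Branch-A, whose primary hub has the default route checked, sends Internet-bound traffic over the tunnel, while Branch-B with the box unchecked breaks out locally; both sites keep the same guest range because it is never advertised into the VPN.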
Pro Tip
More advanced deployments, such as those using DC-DC failover, may still require manual route advertisement configuration to allow proper route tracking and failover.