Figure 5-10 shows the Security & SD-WAN > Site-to-Site VPN page of a network configured as an Auto VPN spoke pointing back to two different hub devices, with the primary hub configured as a default route (full tunnel). For many sites, this is nearly all the configuration required to establish the Auto VPN topology across the organization.

Figure 5-10 Example Auto VPN Configuration Showing a Spoke Site Configured for Two Hubs, One of Which Is Configured with a Default Route/Full Tunnel Configuration

When you configure Auto VPN from the Dashboard UI, the VPN Settings section of the Site-to-Site VPN page lets you choose which local subnets participate in the VPN topology: for each subnet at each site, set VPN Mode to Enabled or Disabled. Figure 5-11 shows an example in which only one of the four local subnets is enabled for VPN access.

Pro Tip

You can also define VPN access for each subnet by editing the subnet on the Security & SD-WAN > Addressing & VLANs page.

Figure 5-11 VLAN/Subnet Availability Configuration for an Auto VPN–Enabled Peer

This configuration option helps to reduce the number of unique subnets required across sites, as VLANs/subnets that do not require VPN access can be reused across locations and only the VPN-enabled subnets require a unique address space within the organization. This is especially useful for templated networks, which are discussed further in Chapter 4, “Automating the Dashboard.”

Meraki also makes a full tunnel Auto VPN configuration easy to create. Checking the IPv4 Default Route box for the relevant Auto VPN hub causes all traffic that does not match a more specific route (the spoke's local subnets or other advertised VPN subnets) to be sent across the Auto VPN connection to the selected hub, which forwards it on to its destination. This greatly simplifies the configuration by removing the need to explicitly advertise a default route from each hub, as a more traditional deployment would require. If the IPv4 Default Route box is not checked, only traffic destined for advertised VPN subnets is routed across the VPN; everything else follows the spoke's local routing and exits its own uplinks (split tunnel).

Pro Tip

More advanced deployments like those utilizing DC-DC failover may still require manual route advertisement configuration to allow for proper route tracking and failover.
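The same spoke configuration can be expressed as the JSON body of the Dashboard API call that the UI makes on your behalf (PUT /networks/{networkId}/appliance/vpn/siteToSiteVpn in the v1 API), which is how templated or scripted deployments usually set it. The following is an added example, not code from the book or from Cisco Meraki: it builds that body for a spoke with two hubs, the primary carrying the default route, and then checks the rule stated above, that VPN-enabled subnets must be unique across sites while VPN-disabled subnets may be reused. The site names, hub IDs and subnets are constructed for illustration; verify the payload field names against the API version you run.

```python
"""Added example (not from the book or Meraki): build a Meraki Auto VPN spoke
payload and check that only VPN-enabled subnets are unique across sites.
Standard library only; all IDs and prefixes below are constructed."""
import ipaddress
from typing import Dict, List, Tuple


def build_spoke_vpn_config(hubs: List[Dict], subnets: List[Dict]) -> Dict:
    """Return the body for PUT /networks/{networkId}/appliance/vpn/siteToSiteVpn.

    hubs:    [{"hubId": <network id>, "useDefaultRoute": bool}], first entry is primary
    subnets: [{"localSubnet": <CIDR>, "useVpn": bool}], mirrors the VPN Mode column
    """
    if not hubs:
        raise ValueError("a spoke needs at least one hub")
    hub_ids = [h["hubId"] for h in hubs]
    if len(set(hub_ids)) != len(hub_ids):
        raise ValueError("duplicate hub IDs: %r" % hub_ids)
    for s in subnets:
        # strict=True rejects host addresses such as 10.10.1.5/24 before the API does
        ipaddress.ip_network(s["localSubnet"], strict=True)
    return {
        "mode": "spoke",
        "hubs": [{"hubId": h["hubId"],
                  "useDefaultRoute": bool(h.get("useDefaultRoute", False))} for h in hubs],
        "subnets": [{"localSubnet": s["localSubnet"],
                     "useVpn": bool(s.get("useVpn", False))} for s in subnets],
    }


def is_full_tunnel(cfg: Dict) -> bool:
    """True when at least one hub is checked as IPv4 Default Route (full tunnel)."""
    return any(h["useDefaultRoute"] for h in cfg["hubs"])


def find_vpn_subnet_conflicts(sites: Dict[str, Dict]) -> List[Tuple[str, str, str, str]]:
    """Return (site_a, subnet_a, site_b, subnet_b) for VPN-enabled subnets that
    overlap between two different sites. Subnets with useVpn False are skipped:
    they never enter the Auto VPN topology, so reusing them at every site is fine."""
    advertised = []
    for site, cfg in sites.items():
        for s in cfg["subnets"]:
            if s["useVpn"]:
                advertised.append((site, ipaddress.ip_network(s["localSubnet"])))
    conflicts = []
    for i, (site_a, net_a) in enumerate(advertised):
        for site_b, net_b in advertised[i + 1:]:
            if site_a != site_b and net_a.overlaps(net_b):
                conflicts.append((site_a, str(net_a), site_b, str(net_b)))
    return conflicts


# Constructed sample: three spokes, primary hub N_hub1 as default route, N_hub2 as
# secondary. 192.168.128.0/24 (guest, VPN disabled) is reused everywhere on purpose;
# branch-c wrongly reuses branch-a's VPN-enabled 10.10.1.0/24.
HUBS = [{"hubId": "N_hub1", "useDefaultRoute": True}, {"hubId": "N_hub2"}]
SAMPLE_SITES = {
    "branch-a": build_spoke_vpn_config(HUBS, [
        {"localSubnet": "10.10.1.0/24", "useVpn": True},
        {"localSubnet": "192.168.128.0/24", "useVpn": False}]),
    "branch-b": build_spoke_vpn_config(HUBS, [
        {"localSubnet": "10.10.2.0/24", "useVpn": True},
        {"localSubnet": "192.168.128.0/24", "useVpn": False}]),
    "branch-c": build_spoke_vpn_config(HUBS, [
        {"localSubnet": "10.10.1.0/24", "useVpn": True},
        {"localSubnet": "192.168.128.0/24", "useVpn": False}]),
}

if __name__ == "__main__":
    import json
    print(json.dumps(SAMPLE_SITES["branch-a"], indent=2))
    print("full tunnel:", is_full_tunnel(SAMPLE_SITES["branch-a"]))
    for conflict in find_vpn_subnet_conflicts(SAMPLE_SITES):
        print("overlapping VPN subnets:", conflict)
```

Run the check against every site's body before pushing it with the API client of your choice; the guest VLAN shared by all three sites produces no finding, while branch-c's duplicated 10.10.1.0/24 does, which is exactly the distinction the VPN Mode setting lets you rely on.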
