
Configuring Hub-and-spoke VPN Connections on the MX Security Appliance

By default, site-to-site VPN connections between MX Security Appliances and/or Z1 Teleworker Gateways automatically form a full mesh between all VPN-enabled peers in the same Dashboard organization. This is often undesirable, because a mesh establishes unnecessary IPsec tunnels between remote sites and creates networking overhead that degrades performance.

In these cases it is best to configure the site-to-site VPN topology as hub and spoke, which designates the datacenter MX as the "hub" and all remote sites as "spokes". This model is useful in organizations where several auxiliary sites require a connection to the HQ or datacenter-located concentrator, as pictured below.


Figure 1. Split tunnel w/ Hub-and-Spoke (connect directly to one peer). VPN connections (blue) are established to only one peer (top). Traffic to the internet (black) goes out locally from each site.


Figure 2. Full tunnel w/ Hub-and-Spoke (connect directly to one peer). VPN connections (blue) are established to only one peer (top). Traffic to the internet (black) goes out from a central concentrator/hub (top).

Although each remote location is not connected directly in this method, remote sites can still connect with each other via the hub by default. This article covers:

  • Hub and spoke VPN setup and configuration
  • Limiting connections between Spokes

Hub and Spoke VPN Setup and Configuration

Note: Hub and spoke topologies are currently only supported between Meraki MXes; non-Meraki VPN peers cannot be configured as spokes.

The MX features a hub-and-spoke option for its MX-to-MX VPN. To implement hub and spoke, the network administrator needs to follow these steps:

  1. Set up the hub MX device
    1. Navigate to the Dashboard network of the MX that will act as the hub.
    2. Navigate to Security appliance > Configure > Site-to-site VPN.
    3. Set the Type to Hub.
    4. (Optional) If another MX in the organization is also configured as a hub, it can be added as an Exit hub. If configured, all VPN client traffic to this MX will be tunneled to the specified exit hub.
    5. Configure any other VPN settings desired (local networks, NAT traversal, etc.).
    6. Save.
  2. Set up the spoke MX device
    1. Navigate to the Dashboard network of the MX that will act as the spoke.
    2. Navigate to Security appliance > Configure > Site-to-site VPN.
    3. Set the Type to Spoke.
    4. Select the hub MX under the Name drop-down. Multiple hubs can be added and prioritized in descending order.
    5. Select at least one hub for a Default Route:
      • If a hub is not configured as a default route, the spoke will only send traffic to this hub when the destination subnet is advertised by the hub.
      • If a hub is configured as a default route, any traffic that is not destined for a higher-priority hub will be sent by default to this hub.
    6. Configure any other VPN settings desired (local networks, NAT traversal, etc.).
    7. Save.
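The steps above are performed in the Dashboard UI. The following added example (not Meraki's own code) builds the equivalent configuration objects in Python and models the hub-selection rules from step 5 exactly as the article states them, so that the effect of the default-route flag and of hub priority can be checked before anything is applied. It assumes the Dashboard API v1 body shape for `PUT /networks/{networkId}/appliance/vpn/siteToSiteVpn` (`mode`, `hubs` with `hubId`/`useDefaultRoute`, `subnets` with `localSubnet`/`useVpn`); the network IDs and subnets are constructed sample values, and `next_hop_hub` is a model of the article's two bullet points, not the MX routing code.

```python
"""Hub-and-spoke site-to-site VPN: Dashboard-style payloads and a model of
hub selection.  Added example, not Meraki's own code.  Assumes the Dashboard
API v1 body for PUT /networks/{networkId}/appliance/vpn/siteToSiteVpn;
network IDs and subnets below are constructed sample values.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed placeholder network IDs (real IDs come from the Dashboard).
HQ_HUB = "N_hq_hub"
DR_HUB = "N_dr_hub"

# Constructed: the subnets each hub advertises into the VPN.
HUB_ROUTES: Dict[str, List[str]] = {
    HQ_HUB: ["10.10.0.0/16"],
    DR_HUB: ["10.20.0.0/16"],
}


def hub_config(local_subnets: List[str]) -> dict:
    """Step 1: the datacenter MX becomes the hub and advertises its local networks."""
    return {
        "mode": "hub",
        "subnets": [{"localSubnet": s, "useVpn": True} for s in local_subnets],
    }


def spoke_config(local_subnets: List[str], hubs: List[Tuple[str, bool]]) -> dict:
    """Step 2: `hubs` is (hub network ID, use as default route) in priority
    order, first entry highest.  Rejects an empty or duplicated hub list."""
    if not hubs:
        raise ValueError("a spoke needs at least one hub")
    ids = [hub_id for hub_id, _ in hubs]
    if len(set(ids)) != len(ids):
        raise ValueError("each hub may be listed only once")
    return {
        "mode": "spoke",
        "hubs": [{"hubId": h, "useDefaultRoute": d} for h, d in hubs],
        "subnets": [{"localSubnet": s, "useVpn": True} for s in local_subnets],
    }


def next_hop_hub(spoke: dict, hub_routes: Dict[str, List[str]],
                 dest_ip: str) -> Optional[str]:
    """Model of step 5 as the article states it (not the MX routing code):
    walk the hubs in priority order; a hub takes the traffic if it advertises
    the destination subnet, or if it is configured as a default route.
    None means no hub matched, so the traffic leaves the local uplink
    (split tunnel, Figure 1)."""
    dest = ipaddress.ip_address(dest_ip)
    for entry in spoke["hubs"]:
        hub_id = entry["hubId"]
        advertised = any(dest in ipaddress.ip_network(n)
                         for n in hub_routes.get(hub_id, []))
        if advertised or entry["useDefaultRoute"]:
            return hub_id
    return None


if __name__ == "__main__":
    # DR hub first (no default route), HQ hub second as the default route.
    spoke = spoke_config(["192.168.50.0/24"], [(DR_HUB, False), (HQ_HUB, True)])
    for ip in ("10.20.5.1", "10.10.1.1", "8.8.8.8"):
        print(ip, "->", next_hop_hub(spoke, HUB_ROUTES, ip))
```

With the HQ hub as the only default route, internet-bound traffic such as 8.8.8.8 is tunneled to HQ (full tunnel, Figure 2); with no default-route hub at all the same traffic returns `None`, which corresponds to the split-tunnel behaviour of Figure 1.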


Once saved, the MX set as "Spoke" will form a VPN tunnel with the specified hub(s).

Limiting Connections Between Spokes

In the event you need to limit branch office communication, configure site-to-site firewall rules. You can edit the site-to-site firewall from any MX network. This can be done at Security appliance > Configure > Site-to-site VPN > Organization Wide Settings > Site to Site Firewall Rules.

This will allow you to limit the communication between spokes in the way you desire. In this particular example we have prevented site A from communicating with B and C in either direction, while allowing sites B and C to talk through the hub. If you want to deny the traffic from each spoke, you must set up a rule both ways (from hub subnet to hub subnet).
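To show why a rule is needed in each direction, here is an added example (not Meraki's code) that generates the site A isolation rules described above and checks them with a small first-match evaluator. It assumes the Dashboard API v1 body shape for `PUT /organizations/{organizationId}/appliance/vpn/vpnFirewallRules` (`rules` with `comment`, `policy`, `protocol`, `srcCidr`, `srcPort`, `destCidr`, `destPort`, `syslogEnabled`), top-down first-match evaluation with an implicit final allow, and per-direction matching; the site subnets are constructed sample values.

```python
"""Site-to-site VPN firewall rules that isolate one spoke, plus a first-match
evaluator to check them.  Added example, not Meraki's code.  Assumes the
Dashboard API v1 body for PUT /organizations/{organizationId}/appliance/vpn/
vpnFirewallRules and per-direction, first-match, implicit-allow semantics.
"""
import ipaddress
from typing import Dict, List

# Constructed sample spoke subnets.
SITES: Dict[str, str] = {
    "A": "10.1.0.0/16",
    "B": "10.2.0.0/16",
    "C": "10.3.0.0/16",
}


def isolation_rules(sites: Dict[str, str], isolated: str,
                    protocol: str = "any") -> List[dict]:
    """Deny traffic between `isolated` and every other spoke.  Each rule only
    matches one src->dst pair, so both directions get their own rule; the
    remaining spokes still reach each other through the hub via the
    implicit allow at the end of the list."""
    if isolated not in sites:
        raise ValueError(f"unknown site {isolated!r}")
    rules = []
    for name in sites:
        if name == isolated:
            continue
        for src, dst in ((isolated, name), (name, isolated)):
            rules.append({
                "comment": f"Block {src} -> {dst}",
                "policy": "deny",
                "protocol": protocol,
                "srcCidr": sites[src],
                "srcPort": "Any",
                "destCidr": sites[dst],
                "destPort": "Any",
                "syslogEnabled": True,   # log hits so blocked flows are visible
            })
    return rules


def firewall_payload(rules: List[dict]) -> dict:
    """Request body for the organization-wide site-to-site firewall rules."""
    return {"rules": rules}


def _cidr_match(cidr: str, ip: ipaddress._BaseAddress) -> bool:
    return cidr == "Any" or ip in ipaddress.ip_network(cidr, strict=False)


def evaluate(rules: List[dict], src_ip: str, dst_ip: str) -> str:
    """First matching rule decides; no match means the implicit allow."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if _cidr_match(rule["srcCidr"], src) and _cidr_match(rule["destCidr"], dst):
            return rule["policy"]
    return "allow"


if __name__ == "__main__":
    rules = isolation_rules(SITES, "A")
    for r in rules:
        print(r["comment"])
    print("B -> A with all rules:", evaluate(rules, "10.2.1.1", "10.1.1.1"))
    # Only the A -> B rule in place: the reverse direction is still open.
    print("B -> A with one-way rule:", evaluate(rules[:1], "10.2.1.1", "10.1.1.1"))
```

The one-way check at the end is the point of the article's last sentence: a single `A -> B` deny still lets `B -> A` traffic through, so the rule set must carry the mirror-image rule for every pair you want blocked.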

Last modified
11:12, 27 Jul 2017
Article ID

ID: 1484