
Step-by-Step Guide to Configuring Site-to-Site VPN Concentrator on a Meraki Firewall


In today’s interconnected world, securing communications between multiple branch offices or remote sites is essential. A site-to-site VPN concentrator allows you to efficiently manage VPN tunnels from various locations, creating a centralized, secure network. Cisco Meraki makes this process straightforward with its intuitive cloud-managed dashboard. In this guide, we’ll walk you through implementing a site-to-site VPN concentrator using the Meraki GUI — no command line needed!


What Is a Site-to-Site VPN Concentrator?

Before diving in, let’s clarify what a VPN concentrator is. In a site-to-site VPN setup, multiple remote sites connect securely to a central network. The VPN concentrator acts as the central hub, managing and terminating VPN tunnels from various spokes. This simplifies management, enhances network security, and improves scalability.


Prerequisites

To follow this tutorial, make sure you have:

  • Access to the Cisco Meraki Dashboard.
  • At least one Meraki MX Security Appliance deployed as the VPN concentrator.
  • MX devices at remote sites configured and online.


Step 1: Log Into the Meraki Dashboard

Start by logging into your Meraki dashboard at dashboard.meraki.com. Ensure you have administrative privileges to change VPN settings.


Step 2: Select the Central MX Appliance

Navigate to Security & SD-WAN > Configure > VPN.

Here, select the MX security appliance that will serve as the concentrator. All remote sites’ VPN tunnels will connect to this MX.


Step 3: Configure the VPN Mode to “Hub (VPN Concentrator)”

Under the Site-to-site VPN section, set the Type to Hub (VPN Concentrator).

  • This setting configures the MX to act solely as a VPN concentrator. It will terminate VPN tunnels but won’t route any local client traffic through itself.


Step 4: Enable Hub-to-Hub VPN Connectivity (Optional)

If your network topology requires direct VPN communication between hubs (central sites), enable Allow hub-to-hub VPN traffic.

This option allows traffic to flow directly between hub sites without going through the concentrator. For pure concentrator setups, you may leave this off to funnel all traffic through the concentrator.


Step 5: Add Remote Spoke MX Devices

Now that your central MX is set as a concentrator, you need to configure the remote MX devices as Spokes.

  • Go to each remote MX’s dashboard.
  • Navigate to Security & SD-WAN > Configure > VPN.
  • Set the Type to Spoke under the Site-to-site VPN settings.
  • Make sure that VPN participation is set to Full Mesh to connect with the concentrator properly.


Step 6: Define VPN Subnets and Routing

On the concentrator MX, specify which subnets should be routed over the VPN.

  • In the VPN Settings tab, add local subnets in the Remote subnets section.
  • Repeat this on each spoke device, ensuring subnets do not overlap between sites.

This step enables proper routing and segmentation of your network traffic.


Step 7: Review and Save Your Configuration

Once all settings are configured, review your VPN configuration for accuracy:

  • Hub MX set as VPN Concentrator.
  • Spoke MX devices set as Spoke.
  • Appropriate subnets are defined.
  • Optional hub-to-hub traffic setting configured.

Save your changes. The Meraki dashboard will automatically push the VPN configuration to all MX devices.


Step 8: Monitor VPN Status

Head over to Security & SD-WAN > Monitor > VPN status to view the health of your VPN tunnels.

Here you can:

  • Ensure all spokes are connected.
  • Monitor tunnel uptime and latency.
  • Troubleshoot any connectivity issues.
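
The Step 6 and Step 7 checks (a hub is set, every site has subnets defined, and no subnets overlap between sites) can be run against your address plan before you save. The Python below is an added example, not part of the original guide or of Cisco Meraki's tooling; the `PLAN` layout, the `review_plan` name, the "hub"/"spoke" labels and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress
from itertools import combinations

# Constructed sample plan (not real data). The dict layout and the "hub"/"spoke"
# labels are assumptions for this example, not a Meraki export format.
PLAN = {
    "HQ-Concentrator": {"type": "hub", "subnets": ["10.0.0.0/16"]},
    "Branch-A": {"type": "spoke", "subnets": ["10.10.1.0/24", "10.10.2.0/24"]},
    "Branch-B": {"type": "spoke", "subnets": ["10.10.2.128/25"]},  # inside Branch-A's /24
    "Branch-C": {"type": "spoke", "subnets": []},                  # nothing defined yet
}


def review_plan(plan):
    """Return findings for the Step 6/7 checks; an empty list means the plan passes."""
    findings = []
    if not any(site["type"] == "hub" for site in plan.values()):
        findings.append("no site is set as hub (VPN concentrator)")
    parsed = []  # (site name, network) pairs that parsed cleanly
    for name, site in plan.items():
        if site["type"] not in ("hub", "spoke"):
            findings.append(f"{name}: unknown type {site['type']!r}")
        if not site["subnets"]:
            findings.append(f"{name}: no subnets defined")
        for cidr in site["subnets"]:
            try:
                # strict=True rejects host bits, e.g. 10.10.3.1/24 typed for 10.10.3.0/24
                parsed.append((name, ipaddress.ip_network(cidr, strict=True)))
            except ValueError as exc:
                findings.append(f"{name}: invalid subnet {cidr!r} ({exc})")
    # Compare every pair of subnets that belong to different sites.
    for (site_a, net_a), (site_b, net_b) in combinations(parsed, 2):
        if site_a != site_b and net_a.version == net_b.version and net_a.overlaps(net_b):
            findings.append(f"overlap: {site_a} {net_a} <-> {site_b} {net_b}")
    return findings


if __name__ == "__main__":
    for finding in review_plan(PLAN):
        print(finding)
```

An overlap finding means one of the two sites needs to be renumbered, or the narrower subnet removed from the VPN, before the configuration is saved.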


Final Thoughts

Implementing a site-to-site VPN concentrator with Cisco Meraki’s GUI is refreshingly simple thanks to its cloud-based management system. Centralizing your VPN tunnels improves network security and simplifies management, especially when scaling across multiple locations. This method requires minimal configuration, no manual CLI commands, and provides instant visibility into your VPN connections.

With these steps, you’ve set the foundation for a robust, scalable, and secure VPN concentrator network that connects your sites seamlessly.


By following this guide, you’ve harnessed the power of Cisco Meraki’s intuitive dashboard to enhance your network’s security posture — all without breaking a sweat!

Updated on July 29, 2025