VMX for CGNAT traversal

Solved
LontzroV
Here to help


Good day everyone. Our company is comprised of 4 sites, with the main site hosting most of the web-facing resources. The problem we have is that there is only one ISP who offers wired internet (rural setting); that being our primary uplink. Our backup internet currently consists of an MR modem uplinking to the cellular network, although we are also considering Starlink. However, both of those solutions are problematic for us due to their implementation of CGNAT. Looking for a way around this issue I came across vMX.


I picture incorporating the vMX in our VPN infrastructure as a hub and then have the hostname of our main site resolve to the vMX public IP. From there I would add the main-site MX as a spoke to the vMX hub.


Is the above outlined setup realistic? How could traffic be addressed to local servers on our main site if their subnet is not configured on the vMX? Can vMX be used for this purpose or am I way off? Any feedback or input appreciated!

1 Accepted Solution
MilesMeraki
Head in the Cloud

So.. What you're trying to say is that you're looking at relocating your public web infrastructure to a public cloud and implementing a vMX in the design to act as the firewall and VPN hub to other MX's for that env?


This shouldn't be an issue. Personally, I wouldn't route your DNS records for your web infra at the vMX; I'd look at implementing a WAF service in front of your web servers and then pointing the DNS at a Load balancing service.


Eliot F | Simplifying IT with Cloud Solutions
Found this helpful? Give me some Kudos! (click on the little up-arrow below)


PhilipDAth
Kind of a big deal

I have done something similar with a group of sawmills (all rural).


They did have their main server at their HQ.  I relocated all of its functionality to Amazon AWS.  I deployed an MX to each site and a VMX into Amazon.  The sites used to have dual rural Internet providers.  Now we have one rural Internet provider and Starnet at each site.  Starnet works great, and we have now made the rural Internet provider links backup only (so they sit there doing nothing unless Starlink fails).


Works great.

LontzroV
Here to help

Thanks for sharing your experience, that might be something for us to consider for the long run.
