Connect customer to MSP before accessing Internet



Hi guys!


I'm pretty new to SD-WAN and now we are implementing it for our customers. This is the scenario:


We as an MSP want to "take control" over our customers' networks and make sure that their traffic flows through us and a firewall and then out to the internet. This service would create better monitoring and control for us so we can provide more services to our customers like DHCP, DNS, AD and so on.


What is the best approach to do this?


/ Alex


Do you mean take control of a customer's network, in terms of taking control of their dashboard, or simply putting an MX between their any-brand firewall and whatever ISP they may have, or?


Could you perhaps describe the scenario in a bit more detail?


Sorry for being unclear. But yes, I mean putting an MX on their network.


I would like to forward the traffic to us, where we apply a firewall and then send it out to the internet. The goal is that we should have an MX at all of the customer's branches so that we can have full control of that customer's network.


In principle I suppose it could be doable, but I could see a few things that you might need to take into account. One of them is that you'd need to make sure you are not throttling whatever internet speeds the customer may be paying for.


There may also be some considerations regarding NAT, etc., in case the customer is exposing a server to the internet. You'd be introducing another NAT device in front of the customer's own FW, and feature-wise the MX may be lacking in comparison to, say, a Cisco ASA. Thus the customer may be hit by some features being blocked by the MX that are supported by an ASA.


I'd say you should plan out in detail the what and how, and be able to argue for your setup on providing MSP services to customers, if you plan on introducing a Meraki network between a customer's networking edge and the ISP router.


@ww is right, full tunnel mode is the way to go.


BUT, you have missed the whole point of using SD-WAN, and that is using local breakout. The whole point is to decentralise Internet access, to accelerate and improve the performance of web apps like video conferencing. That is done through edge enforcement, not centralised enforcement.


You could still provide services like DNS, DHCP and AD if you like by just having an MX in your DC for each of your customers.

But wouldn't that require the DC MX to be added to the customer Meraki Organization, assuming that the Customer is using Meraki at all? Otherwise, you'd just have the customer configure a 3rd party VPN tunnel from their edge device to an MX in their MSP DC, and tunnel everything from there. That wouldn't be any different from any other MSP.


I understood it as if OP would insert an MX between a customer-managed company edge device and the local ISP, and from that MX provide services.

Albeit, it seems a rather odd setup, and might just give more headaches than wished for.


Thank you for all the answers! It gave me a direction to look in.
But, as I'm new to this, what is the best way to use SD-WAN? How would you do it?


The solution should be scalable as we will apply it to other customers in the future. 🙂

