(2) HA MX84s with dual WAN - Ability to add MPLS for VoIP in to the mix?

Solved
WDW
Here to help

First - please forgive any Meraki-specific terms I don't use correctly here. I do much more work with security appliances from another vendor.

I have a location where we have (2) Meraki MX84 series security appliances. These are in an HA configuration, so that if the primary device dies - functionality fails over to the standby device. In addition, both MX84s have connectivity to (2) internet connections, so both WAN (internet) ports are already in use. These are also configured for failover etc.

We are wanting to add some dedicated MPLS connectivity to our VoIP provider. Is there any way for me to do that with only the MX84s that are currently in place? I'm not seeing a clear way to do this in the UI, but because of my level of expertise with the Meraki platform, I wanted to make sure I was not missing something before I add / upgrade equipment etc.

Thanks in advance for your help.

1 Accepted Solution
GreenMan
Meraki Employee

You should be able to place your MPLS link in a new VLAN, with your VoIP clients remaining in a different, pre-existing VLAN, and use firewall rules to limit access to the MPLS link. The extra hop means you will need to add some routing to the MPLS CPE to ensure it can reach the devices in your Voice VLAN, via the MX.

7 Replies
Adam
Kind of a big deal

Would the MPLS be more of a LAN style connection for just specific traffic to a certain destination or does it need to be full internet?

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
WDW
Here to help

Thanks for the good clarifying question. The new MPLS link would be used exclusively for VoIP traffic. We are working out the specifics with the VoIP provider and connectivity vendor. However, at this time my expectation is that we could define a destination private address block that we would route to the connectivity provider device gateway.

GreenMan
Meraki Employee

This is certainly achievable, WDW - you'd connect your MPLS service via a LAN port, assign the port to a relevant VLAN + subnet and apply an appropriate static route or routes. The basics of such a setup are covered in this document (though the premise of it is rather more sophisticated than that which you describe): https://documentation.meraki.com/MX-Z/Deployment_Guides/MPLS_Failover_to_Meraki_Auto_VPN

Hope this helps...

WDW
Here to help

GreenMan - Thanks for taking time to engage with me on this.

I'm not comfortable putting this MPLS connection directly on my voice VLAN. I want to keep the ability to put rules in place that limit what traffic comes back and forth to this provider over this MPLS connection. I don't think the approach you are suggesting would allow for this. Am I correct, or am I missing something? Thanks again for your feedback.

GreenMan
Meraki Employee

You should be able to place your MPLS link in a new VLAN, with your VoIP clients remaining in a different, pre-existing VLAN, and use firewall rules to limit access to the MPLS link. The extra hop means you will need to add some routing to the MPLS CPE to ensure it can reach the devices in your Voice VLAN, via the MX.
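
A model of the design described in the reply above, added here as an example and not posted by anyone in the thread: it checks that a first-match rule set lets only the voice VLAN reach the provider block and that the CPE has a return route via the MX. All subnets, addresses, ports and names are constructed assumptions, and the rule tuples are a simplified stand-in, not Meraki dashboard syntax.

```python
import ipaddress as ip

# Constructed addressing; every subnet, port and name here is an assumption.
VOICE = ip.ip_network("10.20.0.0/24")       # existing voice VLAN
TRANSIT = ip.ip_network("10.99.0.0/30")     # new VLAN on the LAN port facing the MPLS CPE
MX_TRANSIT, CPE = ip.ip_address("10.99.0.1"), ip.ip_address("10.99.0.2")
PROVIDER = ip.ip_network("172.16.50.0/24")  # VoIP provider block behind the MPLS link
ANY = ip.ip_network("0.0.0.0/0")

MX_ROUTES = [(PROVIDER, CPE)]               # static route on the MX
CPE_ROUTES = [(VOICE, MX_TRANSIT)]          # return route on the CPE (the "extra hop")

# Top-down, first match wins: (action, protocol, source, destination, ports)
RULES = [
    ("allow", "udp", VOICE, PROVIDER, range(5060, 5062)),    # SIP signalling
    ("allow", "udp", VOICE, PROVIDER, range(10000, 20001)),  # RTP media
    ("deny", "any", ANY, PROVIDER, None),   # nothing else reaches the provider
    ("deny", "any", ANY, TRANSIT, None),    # nothing reaches the CPE itself
    ("allow", "any", ANY, ANY, None),       # default allow for other traffic
]

def evaluate(proto, src, dst, port, rules=RULES):
    """Return the action of the first rule matching this flow."""
    s, d = ip.ip_address(src), ip.ip_address(dst)
    for action, r_proto, r_src, r_dst, r_ports in rules:
        if (r_proto in ("any", proto) and s in r_src and d in r_dst
                and (r_ports is None or port in r_ports)):
            return action
    return "deny"

def next_hop(routes, dst):
    """Longest-prefix match; None when no route covers dst."""
    hits = [(net.prefixlen, hop) for net, hop in routes if ip.ip_address(dst) in net]
    return max(hits, key=lambda h: h[0])[1] if hits else None

def audit(rules=RULES, cpe_routes=CPE_ROUTES):
    """List segmentation or routing gaps in the design."""
    problems = []
    if evaluate("tcp", "10.10.0.25", "172.16.50.10", 443, rules) != "deny":
        problems.append("data VLAN can reach the provider block")
    if evaluate("udp", "10.20.0.40", "172.16.50.10", 5060, rules) != "allow":
        problems.append("voice VLAN cannot signal to the provider")
    if evaluate("tcp", "10.20.0.40", "172.16.50.10", 22, rules) != "deny":
        problems.append("voice VLAN has non-VoIP access to the provider")
    if next_hop(cpe_routes, "10.20.0.40") != MX_TRANSIT:
        problems.append("CPE has no return route to the voice VLAN via the MX")
    return problems
```
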

WDW
Here to help

GreenMan - Ahh - that approach sounds great.  I'll review this further - but I think that will help solve this.  Thanks!

Adam
Kind of a big deal

@GreenMan was on exactly the same track I was thinking. Glad to hear you found a solution @WDW.

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO