2 WAN Connection - 1 MPLS, 1 INTERNET

Roy-Ebol
Conversationalist


Hi All,

 

I'd just like to ask if anyone has experience configuring 2 WAN connections on the MX Series, where the primary link is MPLS and the secondary link is Internet. Is this advisable, or should both links be Internet?

 

Thanks

3 Replies
Bruce
Kind of a big deal

It will only work if the MPLS network has a gateway to the internet.

 

This could be achieved, for example, through a service-provider-provided firewall in the MPLS network that NATs to the internet, or through, say, a data centre where the MPLS network can connect to the internet (if you're using AutoVPN/SD-WAN, the MX hub at the data centre would need to be in VPN concentrator mode).

 

EDIT: there are a lot of good examples on MPLS integration with the Meraki MX in the Meraki documentation; this one is specifically for connecting to WAN interfaces and using AutoVPN: https://documentation.meraki.com/MX/Site-to-site_VPN/Configuring_Site-to-site_VPN_over_MPLS

Inderdeep
Kind of a big deal

@Roy-Ebol: It depends. MPLS provides a clean and secure connection that is especially desirable for certain types of data, applications, and transactions—especially where a high degree of integrity and privacy is required. I would not recommend internet as it has high latency and delay.

 

Internet is a less preferred choice for voice and video communication, since packet delivery is on a best-effort basis with no QoS to support low latency.

 

Since there is no mechanism to secure customer traffic over the Internet, a VPN needs to be run over the Internet to encrypt traffic in order to communicate across customer locations securely.

 

So I would say, take 1 MPLS and 1 Internet circuit as Primary and Secondary accordingly.

Regards/Inder
Cisco IT Blogs awarded in 2020 & 2021
www.thenetworkdna.com
GreenMan
Meraki Employee

Remember also: the MX is, by default, a firewall. If traffic is deemed to be 'outside VPN' (e.g. if a local VLAN is set to 'VPN off'), then it will be NAT'ed behind the IP address of the chosen WAN uplink, through which it egresses.

 

If that uplink is connected to the MPLS, you will need to bear this in mind within the MPLS routing. Moreover, if you wish some kind of server on the LAN side of the MX to be accessible via an inbound request over the MPLS, you will have to set up port forwarding or an inbound NAT; otherwise unsolicited inbound packets are, by default, dropped.

https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/MX_Firewall_Settings#Forwarding_rul...

 

Meraki has been working on a 'no-NAT' feature, but this is in beta for the time being: https://documentation.meraki.com/MX/Networks_and_Routing/NAT_Exceptions-No_NAT_on_MX_Security_Applia...
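
Added example, not part of the thread and not Meraki code: a simplified Python model of the default behaviour described in the reply above (outside-VPN traffic source-NATed behind the uplink IP, unsolicited inbound dropped unless a forwarding rule matches). The `NatFirewall` class, all addresses and ports, and the per-rule allowed-source set are constructed assumptions for illustration.

```python
# Simplified model of a NAT-mode edge firewall (assumption: not Meraki's implementation).
from dataclasses import dataclass, field

@dataclass
class NatFirewall:
    uplink_ip: str                                     # address of the chosen WAN uplink
    port_forwards: dict = field(default_factory=dict)  # (proto, public_port) -> (lan_ip, lan_port, allowed_srcs)
    flows: dict = field(default_factory=dict)          # (proto, nat_port, remote) -> (lan_ip, lan_port)
    next_port: int = 40000

    def outbound(self, proto, lan_ip, lan_port, dst_ip, dst_port):
        """LAN -> WAN outside the VPN: the source is rewritten to the uplink IP."""
        nat_port = self.next_port
        self.next_port += 1
        self.flows[(proto, nat_port, (dst_ip, dst_port))] = (lan_ip, lan_port)
        return (self.uplink_ip, nat_port, dst_ip, dst_port)

    def inbound(self, proto, src_ip, src_port, dst_port):
        """WAN -> LAN: returns (verdict, lan_ip, lan_port)."""
        flow = self.flows.get((proto, dst_port, (src_ip, src_port)))
        if flow:                                       # reply to a flow the LAN opened
            return ("allow-established", flow[0], flow[1])
        fwd = self.port_forwards.get((proto, dst_port))
        if fwd and src_ip in fwd[2]:                   # forwarding rule, limited to listed sources
            return ("allow-forward", fwd[0], fwd[1])
        return ("drop", None, None)                    # default: unsolicited inbound is dropped

def demo():
    fw = NatFirewall(uplink_ip="10.255.0.2")           # constructed MPLS-facing uplink address
    out = {}
    pkt = fw.outbound("tcp", "192.168.10.50", 51515, "10.20.0.5", 443)
    out["seen_by_mpls"] = pkt[0]                       # MPLS routing only ever sees the uplink IP
    out["reply"] = fw.inbound("tcp", "10.20.0.5", 443, pkt[1])
    out["unsolicited"] = fw.inbound("tcp", "10.20.0.9", 40222, 8443)
    fw.port_forwards[("tcp", 8443)] = ("192.168.10.20", 443, {"10.20.0.9"})
    out["after_forward"] = fw.inbound("tcp", "10.20.0.9", 40222, 8443)
    out["other_source"] = fw.inbound("tcp", "10.20.0.77", 40222, 8443)
    return out

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```
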

 

 
