cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Auto VPN over L2 MPLS

Highlighted
Here to help

Auto VPN over L2 MPLS

Hello, we are planning to connect 3 sites with L2 MPLS with the MX-100 at the wan edge. The 3 MX's will have private IPs assigned to them and on the same subnet connected via their WAN1 port. My question is will I be able to configure Auto VPN over the L2 MPLS in this setup with private IP addresses on the WAN1 ports? 

 

The Headend HQ will have one of it's LAN ports converted to a WAN port for dashboard connectivity. The Headend MX will have a default route through the distribution and will inject a default route to the other MX's. Has anyone done this before? 

 

Thanks. 

6 REPLIES 6
Highlighted
Head in the Cloud

Re: Auto VPN over L2 MPLS

@cmr , I think you’re the ideal candidate to answer this one giving how it’s working like this across your sites

Darren O'Connor | uccert.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
Highlighted
Kind of a big deal
Kind of a big deal

Re: Auto VPN over L2 MPLS

@Sleimanas @UCcert said we run a setup similar to this, we actually have two private WANs at each site with one of the WAN ports on a VPLS (L2 MPLS) WAN and the other either on a second VPLS or a routed MPLS.  None of the VPLS or MPLS WANs has internet breakout and that is provided to all sites from the datacenter.  The VPLS WANs have a single class C subnet as you are wanting to do with 3 IP addresses at each site (HA pair).  For us the datacenter actually has a routed switch stack on the WAN edge and the MX pair there are in single armed concentrator mode.  We use a different vendor's firewalls for the corporate internet breakout.  This has worked well for over a year and as all WAN IP addresses for all MXs appear as the same public IP (the main datacenter corporate firewall external IP), the Auto-VPN builds multiple routes across the private WANs and load-balances between them nicely.

Highlighted
Kind of a big deal
Highlighted
Here to help

Re: Auto VPN over L2 MPLS

Hi, thanks for the reply. So each site gets NAT'd to the WAN interface IP of the MX at the specific location? 

Highlighted
Kind of a big deal
Kind of a big deal

Re: Auto VPN over L2 MPLS

@Sleiman If you use Auto-VPN over the L2 WAN then it connects prior to NAT so the LAN IPs from one site are seen at the other site.  In terms of the WAN IP shown in the dashboard, they all show the central site corporate internet connection IP. 

 

This may well be different if you have one WAN on public internet and one WAN on private WAN.

 

If you don't full tunnel over the auto-VPN then yes the WAN port IP from the site is how the traffic appears to the corporate firewalls, you can disable NAT on the WAN port in MX15 to fix this.

Highlighted
Here to help

Re: Auto VPN over L2 MPLS

This worked fine for us. We had to give the MXs internet access over the WAN1 interface for them to establish the VPN tunnel, and we had create a transit LAN for the MX to reach the LAN subnets.

Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.