Hello, we are planning to connect 3 sites with L2 MPLS with the MX-100 at the wan edge. The 3 MX's will have private IPs assigned to them and on the same subnet connected via their WAN1 port. My question is will I be able to configure Auto VPN over the L2 MPLS in this setup with private IP addresses on the WAN1 ports?
The Headend HQ will have one of it's LAN ports converted to a WAN port for dashboard connectivity. The Headend MX will have a default route through the distribution and will inject a default route to the other MX's. Has anyone done this before?
@cmr , I think you’re the ideal candidate to answer this one giving how it’s working like this across your sites
@Sleimanas @UCcert said we run a setup similar to this, we actually have two private WANs at each site with one of the WAN ports on a VPLS (L2 MPLS) WAN and the other either on a second VPLS or a routed MPLS. None of the VPLS or MPLS WANs has internet breakout and that is provided to all sites from the datacenter. The VPLS WANs have a single class C subnet as you are wanting to do with 3 IP addresses at each site (HA pair). For us the datacenter actually has a routed switch stack on the WAN edge and the MX pair there are in single armed concentrator mode. We use a different vendor's firewalls for the corporate internet breakout. This has worked well for over a year and as all WAN IP addresses for all MXs appear as the same public IP (the main datacenter corporate firewall external IP), the Auto-VPN builds multiple routes across the private WANs and load-balances between them nicely.
@Sleiman If you use Auto-VPN over the L2 WAN then it connects prior to NAT so the LAN IPs from one site are seen at the other site. In terms of the WAN IP shown in the dashboard, they all show the central site corporate internet connection IP.
This may well be different if you have one WAN on public internet and one WAN on private WAN.
If you don't full tunnel over the auto-VPN then yes the WAN port IP from the site is how the traffic appears to the corporate firewalls, you can disable NAT on the WAN port in MX15 to fix this.
This worked fine for us. We had to give the MXs internet access over the WAN1 interface for them to establish the VPN tunnel, and we had create a transit LAN for the MX to reach the LAN subnets.