Auto VPN over L2 Point to MultiPoint WAN with failover to LTE

DPS
Just browsing

Auto VPN over L2 Point to MultiPoint WAN with failover to LTE

Hello experts,

 

We have a customer looking to implement the following scenario:

 

1. Hub site is a datacentre with Internet and L2 ethernet multipoint WAN termination point (The point in the PMP WAN).

2. Multiple branches each with L2 ethernet spoke termination (the multipoints in the PMP WAN). No internet available at branches, only cellular LTE for failover.

3. Requirement for customer to get an alert from MX if WAN service goes down at any site and switches over to LTE.

 

I thought this will not be an issue as I could simply use one of LAN port in each MX to set up the preferred routed access for the branch to Hub connectivity and LTE modem could be leveraged for Meraki cloud access to have management access and orchestration and that I can set up LTE port as backup with VPN tunnel thru it to datacenter MX and this backup VPN path will have higher cost.

 

However this approach with WAN circuit connected to the LAN port of MX, does not permit (like MS switches) to report a LAN port going down and it can only alert on the MX WAN ports.

 

While I can terminate the WAN circuit to Primary Internet port of MX and then Cellular modem (ethernet) to second Internet port (or even cellular USB stick for backup). With NAT thru the Internet port, I will need to set up VPN tunnels over the WAN cloud to mitigate the effects of NAT. Not sure though if this approach will allow using LTE backup service to establish the management access to the cloud needed to establish VPN tunnels. Or maybe, MX at branches can route to the peer at the datacenter (all of them being in the same private /27 subnet) and leverage Internet access from the datacenter MX hub to establish the tunnels.

 

I will love to hear good advice on this from folks who would have done these kind of non standard setups.

 

Thanks and everyone be safe and healthy.

 

5 REPLIES 5
PhilipDAth
Kind of a big deal
Kind of a big deal

You could consider using NO-NAT mode on the WAN port that would connect to the L2 circuit (you will need to open a ticket with support to enable this option in the dashboard).

 

HOWEVER, you'll need the L2 network to connect to the Internet somehow to allow cloud communication.

 

 

Thank you Philip. I was not aware that there is option of non-NAT and that will essentially solve the issue here. Hopefully this will become a GUI feature soon. I guess this converts a WAN port into LAN port and then I could route anywhere thru that port. Hopefully doing so, will still keep the alerts options available for the WAN port on which NAT has been turned off. As I explained, all I was looking for the box to route (just like a simple Cisco router can be used), but unlike MS, the MX does not allow monitoring and the sending alerts to the admins if I use the LAN port.

 

I will talk to my meraki SE also, as customer has not signed off the hardware yet until we confirm. There are believe close to 20 MXs in the mix for this project and I was leaning towards using a small Cisco ISR that will do all this and more, but simplicity and less chance of human errors with VPN tunnels creation when customer is adding more sites, was the reason we were recommending  MX.

 

Appreciate again and I will talk to Meraki sales engineer on Monday and then come back to mark it as the answer.

PhilipDAth
Kind of a big deal
Kind of a big deal

>Hopefully this will become a GUI feature soon.

 

When support enable the option you configure it via the GUI.

 

 

If it was me, I would put an MX at each site and run AutoVPN over the L2 WAN.

https://documentation.meraki.com/MX/Site-to-site_VPN/Configuring_Site-to-site_VPN_over_MPLS 

Thanks again Philip. I meant to say that hopefully they will enable it in the GUI so that it becomes a standard feature and not have to call into support. By the way, I will love to have access to the CLI if they will ever make it available :).

 

I did read that this feature was a beta for last two years and that firmware is no longer available. I will assume that means this feature has been incorporated for support to turn on in the current firmware and that way, it becomes fully supported, but not made available in the GUI until we call into support.

Yes, we will have MX at each end and run Auto VPN, but my only issue was that if I use LAN port to terminate the MPLS ( in my case it is Metro Ethernet L2), then if circuit goes down at any site, MX does not fire alert. MX only alerts you via email if circuit is connected on WAN port. Hence I was not sure, but you have clarified that I can convert WAN into LAN port by asking support to allow NO-NAT feature.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels