Best Config for new point to point branch to head office link

Marsrock2021
Getting noticed

Best Config for new point to point branch to head office link

We currently have 2 x 1gb Internet links with site to site configured on mx250s and its working fine. 

 

We are to get a new point to point branch to head office link which I assume connects as layer 2 to one of our mx250.

 

The question is do I leave the site to site vpn in place as a backup? If so what's best way to configure fail over to s to s if p to p is down. 

 

Will I need to block or allow vlans over p to p or will it just pass the complete layer 2 network. 

 

Any issues with having s to s and p to p together from a routing perspective. 

 

If both Internet circuits are down will or can Internet traffic go over p to p. 

 

Anything I need to configure to ensure Internet traffic doesn't start routing over p to p whem both Internet circuits are available 

 

Thanks

 

 

2 REPLIES 2
Bruce
Kind of a big deal

This document shows the basics of how to use AutoVPN as a backup to an MPLS link, which is the basis of what you are trying to achieve, https://documentation.meraki.com/MX/Deployment_Guides/MPLS_Failover_to_Meraki_Auto_VPN

The way I’d configure the MX is with the P2P on one of the LAN ports, as an access port in its own VLAN so it essentially becomes a Layer 3 link. Then configure a static route to the subnets at the other site with ‘while next hop responds to ping’ (or ‘while a host responds to ping’ if you prefer) pointing across the link. The Static route will have preference over any VPN routes so the traffic will go over the P2P link.

 

If the link fails then the Static route will drop out of the routing table and the VPN route will become active, sending the traffic back over the VPN link.

 

You won’t be able to use the point to point link for Internet traffic as you can’t set a default in the event that the Internet fails, that’s not the way the MXs work. As such you should never end up in the situation where internet traffic goes across the P2P link, unless you purposely put in a default route to do that (which means nothing will ever go out the internet links, except traffic to the Meraki cloud).

 

Hope this provides some guidance.

KarstenI
Kind of a big deal
Kind of a big deal

Just to add to what Bruce said: make sure you configure the Ping-checks on both ends. Both sides must use the p2p link *or* the s2s-vpn. Otherwise you get asymetric routing and the traffic will be dropped.

Another possibility: If your internal switches support these connectivity-checks or a dynamic routing-protocol *and* you don't need any filtering between the sites, then you can terminate the L2-link on an internal switch.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels