Can you have multiple Z3s behind a single Internet connection?

Solved
DanZ
Getting noticed

We have some Regus office space where we would like to install two separate Z3s.  The offices can not be covered by a single Z3.  We also don't have direct wiring between the offices.  Just a generic Internet port.  There is most likely a single public IP for NAT.  We don't control the local Internet at the site.

Can we have multiple Z3s behind a single Internet / Public IP?

1 Accepted Solution
PhilipDAth
Kind of a big deal

@Dan that will work fine. When the Z3s talk out to wherever your VPN concentrator is they will punch unique ports in the NAT of the ISP router. These unique ports will be used to send traffic from the VPN concentrator to each unique Z3.

This document describes how it works.

https://documentation.meraki.com/MX/Site-to-site_VPN/Automatic_NAT_Traversal_for_IPsec_Tunneling_bet...

15 Replies
BrechtSchamp
Kind of a big deal

That shouldn't be an issue.

Brian_Krantz
Here to help

I would think it's possible. You would need a switch unless the device providing the Internet has a switch on it to split the connection. The only issue I would see is if you are doing VPN Mesh (which I assume you are). It may not like two Z3s coming from the same dynamic IP address. You would have to test, but it may cause issues from that standpoint.

jdsilva
Kind of a big deal

@Brian_Krantz I think this little snippet may help clear up your concern.

https://documentation.meraki.com/MX/Site-to-site_VPN/Configuring_Site-to-site_VPN_over_MPLS#Cisco_Me...

Right at the end of the example:

In this example, the Dashboard knows that the two devices can’t form a VPN Tunnel through the same SRC IP address, so it will try the IP addresses of the Interfaces. The routing through the MPLS allows the MX devices to communicate using these Private IP addresses, and the tunnel is dynamically established.

DanZ
Getting noticed

That is helpful info but I don't think it applies to this case. The Z3s in my case will only be connecting over the Internet to a head-end MX64 in 1-armed concentrator mode. There is no second path over MPLS.

Brian_Krantz
Here to help

Yeah, in that case it is probably not possible. You may have to talk to the ISP and get a second public IP. They usually are fairly cheap, around $10 a month depending on provider.

BrechtSchamp
Kind of a big deal

Still shouldn't be an issue imo. During the NATting, the ISP router behind which the Z3s are will choose a different random source port to be used for both connections to the Meraki VPN registry. Meraki will then be able to allow the MX to connect to both Z3s over a different port. That is, if the ISP's router is a well-behaving NAT device.

DanZ
Getting noticed

That is what I am hoping would work.  Just trying to see if anyone knows for sure.  I guess we could buy some Z3s and test it locally.

jdsilva
Kind of a big deal

@DanZ wrote:

That is helpful info but I don't think it applies to this case. The Z3s in my case will only be connecting over the Internet to a head-end MX64 in 1-armed concentrator mode. There is no second path over MPLS.

@DanZ You can ignore the MPLS stuff in the link I provided. The important part is that the VPN registry recognizes when two MXes have the same public IP, but different private IPs. When that situation occurs the private IPs are used to establish a tunnel.

BrechtSchamp
Kind of a big deal

@jdsilva wrote:

@DanZ You can ignore the MPLS stuff in the link I provided. The important part is that the VPN registry recognizes when two MXes have the same public IP, but different private IPs. When that situation occurs the private IPs are used to establish a tunnel.

That's only the case to establish tunnels between those two Z3s though! For the tunnels towards the MX my previous post explains what happens (unless the MX is also behind the same IP, which it isn't, I think).
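The two behaviours discussed in this thread (the ISP NAT giving each Z3 its own public source port, and the registry falling back to private IPs only for peers that share a public IP) as a small Python model. This is an added illustration, not Meraki's code; the `Nat` and `Registry` classes, the addresses and the port 32768 are all constructed assumptions.

```python
"""Model of the NAT-traversal behaviour discussed above (constructed example).

Two Z3s sit behind one ISP NAT.  A well-behaved NAT gives each private
socket its own public port, so the registry can hand the head-end MX a
distinct public IP:port per Z3.  Only when two peers share a public IP
does the registry tell them to reach each other via private IPs.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int


class Nat:
    """Simplified endpoint-independent NAT: one public port per private socket."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.table = {}  # (private_ip, private_port) -> public port
        self.next_port = first_port

    def translate(self, private):
        key = (private.ip, private.port)
        if key not in self.table:  # first packet from this socket: allocate a port
            self.table[key] = self.next_port
            self.next_port += 1
        return Endpoint(self.public_ip, self.table[key])


class Registry:
    """Stand-in for the VPN registry's peer-address selection rule."""

    def __init__(self):
        self.peers = {}  # name -> (public Endpoint, private Endpoint)

    def register(self, name, public, private):
        self.peers[name] = (public, private)

    def contact(self, src, dst):
        """Address `src` should use to reach `dst`."""
        src_pub, _ = self.peers[src]
        dst_pub, dst_priv = self.peers[dst]
        if src_pub.ip == dst_pub.ip:  # same public IP: use the private address
            return dst_priv
        return dst_pub  # otherwise the NAT-mapped public IP:port


def build_scenario():
    """Two Z3s behind one ISP NAT plus an MX at a different public IP (constructed)."""
    regus_nat = Nat("198.51.100.10")  # assumed ISP public IP at the Regus site
    reg = Registry()
    for name, priv_ip in (("z3-1", "10.0.1.1"), ("z3-2", "10.0.2.1")):
        priv = Endpoint(priv_ip, 32768)  # assumed VPN source port, not a real value
        reg.register(name, regus_nat.translate(priv), priv)
    reg.register("mx64", Endpoint("203.0.113.5", 32768), Endpoint("192.168.128.1", 32768))
    return reg
```

A NAT that allocates a fresh mapping per destination would give the MX a different port from the one the registry learned, which is the "well-behaving NAT device" caveat raised in the post above.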

jdsilva
Kind of a big deal

@BrechtSchamp wrote:

@jdsilva wrote:

@DanZ You can ignore the MPLS stuff in the link I provided. The important part is that the VPN registry recognizes when two MXes have the same public IP, but different private IPs. When that situation occurs the private IPs are used to establish a tunnel.

That's only the case to establish tunnels between those two Z3s though! For the tunnels towards the MX my previous post explains what happens (unless the MX is also behind the same IP, which it isn't, I think).


Correct. I was replying to the comment higher up 🙂

I added the quote to clarify.

DanZ
Getting noticed

That is how I read the document as well. I am hoping you are right that it would work.

You are correct the MX would not be behind the same IP. That is back at our corporate data center. Only the Z3s would have the same public IP.

- MX 1 armed concentrator - data center - ISP #1 - Single Public IP
- Z3 #1 and Z3 #2 at Regus location. - ISP #2 - Single Public IP.

Another possibility is to try to get the Regus office to cross connect an MR22 AP from one office to the Z3 LAN port in another office. They might be able to patch that for us. That would solve the problem. I'm not sure if they will do custom wiring for us like that though.

Can you have an MR22 behind a Z3?
DanZ
Getting noticed

In my scenario, the private IPs won't be able to communicate with each other to establish a tunnel since there is not a private MPLS link. In the example they are describing bringing a tunnel up using those private IPs:

"In this example, the Dashboard knows that the two devices can't form a VPN Tunnel through the same SRC IP address, so it will try the IP addresses of the Interfaces. The routing through the MPLS allows the MX devices to communicate using these Private IP addresses, and the tunnel is dynamically established."

DanZ
Getting noticed

The device does have a switch. The part I am worried about is the VPN where two Z3s are coming from the same public IP, like you said.

Brian_Krantz
Here to help

Sounds like based on the link above it should not be an issue.
