Can you use an MX64 to route between an internet connection and MPLS for a branch?

Nolan

Hello all! First post here but I've been trying to read as many of the posts as I can. I love the idea of the community! We are just starting to venture into the Meraki world so I believe this will be a great source for information.

I was hoping someone might be able to help me figure out if I'm able to achieve a certain scenario with the equipment I have.

Normally we have a branch with an MPLS connection and all traffic flows through that route. We have an internet connection at a separate site within the MPLS that they would be routed out from the MPLS network for internet access.

We are looking to change that up. We want to utilize a coax internet connection locally at the branch and route internet traffic out through that connection instead of through the MPLS to the shared internet connection at the other site.

We have purchased an MX64 and an MS250 for the branch.

So the setup would be similar to what is described here, I would guess (https://documentation.meraki.com/MX-Z/Site-to-site_VPN/Configuring_Site-to-site_VPN_over_MPLS). Only rather than just site A and B we have multiple sites within the MPLS.

What I'm trying to figure out is if there is a better way to handle routing through the MPLS other than defining all the sites connected to the MPLS with a static route. We have 12 other subnets over the MPLS. Our subnets for the sites are under a 192.168.0.0/16. Would I be able to just create the static route of the subnet 192.168.0.0/16 and point the next hop to the MPLS router? It should be able to handle the routing from there, then internet traffic should still go out the local internet connection, yes? If the local internet connection went down would it route all traffic over the MPLS? So that way the branch would still have access to the internet if their local coax connection went down for some reason?

Hopefully that makes sense, and thanks in advance for anyone who made it to the end of this post. Cheers!

1 Accepted Solution
PhilipDAth

Yes, you can just create a supernet route for 192.168.0.0/16 to point to the MPLS router at HQ, just as you have indicated.  The MPLS router would need a route pointing to the MX at HQ for MX connected sites as well.

I personally prefer this approach:

https://documentation.meraki.com/MX-Z/Site-to-site_VPN/Configuring_Site-to-site_VPN_over_MPLS

In this scenario, you use AutoVPN over both MPLS and Internet.  In this case, every site needs an MX.  In this scenario, your MPLS network only has stub networks connecting to each each at each site, and no longer has any knowledge of your networking (it only sees encrypted traffic).  In this scenario there are no statics, and failover is completely automatic.  It can also detect failures within the MPLS service provider network, as opposed to just local connectivity issues.
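
The supernet static route discussed above, as an added example that is not part of the original thread: a generic longest-prefix-match model (not Meraki's own routing code) showing which next hop each destination gets and how to check that every site subnet actually falls inside 192.168.0.0/16. The branch subnet, the 12 site subnets and the MPLS router address are constructed sample values.

```python
import ipaddress

# Only the 192.168.0.0/16 supernet comes from the thread; everything else
# below is a constructed sample value for illustration.
SUPERNET = ipaddress.ip_network("192.168.0.0/16")
BRANCH_LAN = ipaddress.ip_network("192.168.20.0/24")   # hypothetical branch subnet
REMOTE_SITES = [ipaddress.ip_network(f"192.168.{n}.0/24") for n in range(1, 13)]

# Simplified branch routing table: connected LAN, one supernet static
# route towards the MPLS router, and the default route out the coax uplink.
ROUTES = [
    (BRANCH_LAN, "local LAN (directly connected)"),
    (SUPERNET, "MPLS router 192.168.20.254"),           # hypothetical next hop
    (ipaddress.ip_network("0.0.0.0/0"), "internet uplink"),
]


def uncovered(sites, supernet=SUPERNET):
    """Return site subnets the supernet route does NOT cover.

    Anything returned here would follow the default route to the
    internet uplink instead of the MPLS, so it needs its own static.
    """
    return [s for s in sites if not s.subnet_of(supernet)]


def next_hop(dst, routes=ROUTES):
    """Pick the next hop for dst by longest prefix match."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, hop) for net, hop in routes if addr in net]
    if not matches:
        return None
    # The most specific (longest) matching prefix wins.
    return max(matches, key=lambda m: m[0].prefixlen)[1]


if __name__ == "__main__":
    for dst in ("192.168.20.15", "192.168.5.10", "192.168.200.1", "8.8.8.8"):
        print(f"{dst:>15} -> {next_hop(dst)}")
    print("not covered by supernet:", uncovered(REMOTE_SITES))
```

Note that an unused address such as 192.168.200.1 still matches the supernet and is handed to the MPLS router, while a site numbered outside 192.168.0.0/16 would silently follow the default route to the internet uplink.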

Nolan

Thanks! Yeah I saw that scenario on the Meraki site as well. Downfall is at this point we don't have another MX appliance. Hopefully we can fix that soon. So far the Meraki equipment we're moving towards is working out great so shouldn't be a hard sell!

MarkNaylor

We're currently in the process towards an anyvpn using MX at remote sites and an MX at head office.

This is working successfully but we did have the challenges you described as we historically have MPLS too, so the process involves setting up static routes from the MPLS side to the head office MX to route the traffic back.

Meraki anyvpn is definitely the future! Great solution.

Nolan

Yea, we have now added an MX at our data center and have one branch set up just using the Meraki AutoVPN and a low cost coax internet connection.

We are in the process of converting our MPLS network over to a layer 2 solution from AT&T. We are going to be testing one branch to use the AT&T connection as the primary link and then a low cost internet connection as a secondary connection to use the Meraki AutoVPN.