Hello all! First post here but I've been trying to read as many of the posts as I can. I love the idea of the community! We are just starting to venture into the Meraki world so I believe this will be a great source for information.
I was hoping someone might be able to help me figure out if I'm able to achieve a certain scenario with the equipment I have.
Normally we have a branch with an MPLS connection and all traffic flows through that route. We have an internet connection at a separate site within the MPLS that they would be routed out from the MPLS network for internet access.
We are looking to change that up. We want to utilize a coax internet connection locally at the branch and route internet traffic out through that connection instead of through the MPLS to the shared internet connection at the other site.
We have purchased an MX64 and an MS250 for the branch.
So the setup would be similar to what is described here I would guess. (https://documentation.meraki.com/MX-Z/Site-to-site_VPN/Configuring_Site-to-site_VPN_over_MPLS). Only rather than just site A and B we have multiple sites within the MPLS.
What I'm trying to figure out is if there is a better way to handle routing through the MPLS other than defining all the sites connected to the MPLS with a static route. We have 12 other subnets over the MPLS. Our subnets for the sites are under a 192.168.0.0/16. Would I be able to just create the static route of the subnet 192.168.0.0/16 and point the next hop to the MPLS router? It should be able to handle the routing from there, then internet traffic should still go out the local internet connection, yes? If the local internet connection went down would it route all traffic over the MPLS? So that way the branch would still have access to the internet if their local coax connection went down for some reason?
Hopefully that makes sense, and thanks in advance for anyone who made it to the end of this post. Cheers!
Yes, you can just create a supernet route for 192.168.0.0/16 to point to the MPLS router at HQ, just as you have indicated. The MPLS router would need a route pointing to the MX at HQ for MX connected sites as well.
I personally prefer this approach:
https://documentation.meraki.com/MX-Z/Site-to-site_VPN/Configuring_Site-to-site_VPN_over_MPLS
In this scenario, you use AutoVPN over both MPLS and Internet. In this case, every site needs an MX. In this scenario, your MPLS network only has stub networks connecting to each each at each site, and no longer has any knowledge of your networking (it only sees encrypted traffic). In this scenario there are no statics, and failover is completely automatic. It can also detect failures within the MPLS service provider network, as opposed to just local connectivity issues.
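How the supernet static from the question sits next to the branch's own subnet and the default route, as an added example that is not part of the thread and is not Meraki code. Only 192.168.0.0/16 comes from the post; the branch subnet, site subnets and next-hop labels are constructed, and the lookup is plain longest-prefix matching rather than a model of MX failover.

```python
import ipaddress

# Constructed branch routing table. Only 192.168.0.0/16 is from the thread;
# the branch subnet and the next-hop labels are assumptions.
ROUTES = [
    ("192.168.20.0/24", "local VLAN (directly connected)"),
    ("192.168.0.0/16", "MPLS router (static supernet)"),
    ("0.0.0.0/0", "local internet uplink (default)"),
]

# Constructed list of remote-site subnets to audit against the supernet.
# The last entry is deliberately outside 192.168.0.0/16.
SITES = ["192.168.7.0/24", "192.168.112.0/23", "10.50.0.0/24"]


def build_table(routes):
    """Parse (prefix, next_hop) pairs into (network, next_hop) pairs."""
    return [(ipaddress.ip_network(prefix), hop) for prefix, hop in routes]


def lookup(table, dst):
    """Return the next hop of the most specific route containing dst."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, hop) for net, hop in table if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def uncovered(supernet, site_subnets):
    """Site subnets the supernet static does not cover. Traffic for these
    would match only the default route and leave via the internet uplink."""
    sup = ipaddress.ip_network(supernet)
    return [s for s in site_subnets
            if not ipaddress.ip_network(s).subnet_of(sup)]


TABLE = build_table(ROUTES)

if __name__ == "__main__":
    for dst in ("192.168.20.15", "192.168.7.10", "8.8.8.8"):
        print(f"{dst:>15} -> {lookup(TABLE, dst)}")
    print("not covered by supernet:", uncovered("192.168.0.0/16", SITES))
```

Running the audit against the real list of MPLS subnets before relying on the single /16 route shows whether any internal prefix would otherwise follow the default route.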
Thanks! Yeah I saw that scenario on the Meraki site as well. Downfall is at this point we don't have another MX appliance. Hopefully we can fix that soon. So far the Meraki equipment we're moving towards is working out great so shouldn't be a hard sell!
We're currently in the process towards an anyvpn using MX at remote sites and an MX at head office.
This is working successfully but we did have the challenges you described as we historically have MPLS too, so the process involves setting up static routes from the MPLS side to the head office MX to route the traffic back.
Meraki anyvpn is definitely the future! Great solution.