Design for AutoVPN

SOLVED
Jeizzen
Getting noticed


Hi everyone,

 

I have to merge 1 main and 2 remote sites that are on MPLS and Watchguard to Meraki + ISP Internet.

 

But the customer wants to keep the main Watchguard firewall at HQ and wants all Internet traffic from all sites to go through it.

 

Here is what I started:

 

[Diagram: Jeizzen_1-1666633666949.png]

 

 

At first, only HQ (hub) and remote site 1 will be on Meraki; remote site 2 will still be on Watchguard and MPLS for some time.

 

So, full-tunneling Internet traffic from remote site 1, and then telling the MX84 at HQ to send all that Internet traffic into the customer's Watchguard:

MX84: static route 0.0.0.0/0 on the LAN cable pointing to the Watchguard

+ other static routes to reach HQ's LAN and remote site 2, which is still on MPLS and Watchguard

 

Would there be any issue with the MX84 at HQ being connected to its Internet 1 and 2, AND also having that 0.0.0.0/0 route pointing to the customer's Watchguard?

 

I guess this way, even the MX84's Meraki cloud communications would go through the Watchguard; so Internet 1 and 2 would only be used for AutoVPN?

 

Maybe I don't see it the right way.

 

Passthrough between Watchguard and LAN?

Maybe VPN concentrator, one-arm like in a DC (not even touching the LAN at HQ)?

 

 

Thanks,

1 ACCEPTED SOLUTION
PhilipDAth
Kind of a big deal

> In Concentrator mode, no routes possible I think

In Concentrator mode, all traffic is routed to the default gateway (the Watchguard in this case). You then have that route it to wherever it needs to go - MPLS or whatever.

8 REPLIES
alemabrahao
Kind of a big deal

Well, I don't know if it is the best option, but you can create a source-based default route.

 

LAN source-based default route - The next hop of a LAN source-based default route is on the LAN side of the MX security appliance. The next-hop IP is known to the security appliance on the LAN side either by a VLAN or a static route.

 

https://documentation.meraki.com/MX/Networks_and_Routing/Source_Based_Default_Routing

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Note: the keyword "default route" means that a source-based default route will not force all traffic to a configured next hop. It will only forward traffic for destinations that are unknown in its routing table.

Note: This option cannot be configured if utilizing a single VLAN.

Use Case

A simple use case is segmentation. With source-based default routing, a default route per VLAN can be configured (for example, a Guest VLAN) with a next hop that is another MX security appliance over Meraki AutoVPN or a gateway device on the LAN.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
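To see what the two notes above mean in practice for this design, here is an added example (not Meraki code, and not any poster's configuration): a small Python model of the HQ MX route lookup. It applies longest-prefix match over the static/AutoVPN routes first and consults a per-VLAN source-based default route only for destinations the table does not know, so you can check which next hop a given flow would take before building it in the Dashboard. All prefixes, VLAN ids and next-hop addresses are constructed placeholders.

```python
"""Toy model of the HQ MX route lookup for the design in this thread.
Added example, not Meraki code: static/AutoVPN routes win by longest prefix,
and a per-VLAN source-based default route only catches destinations the
table does not know. All addresses and VLAN ids are constructed placeholders."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str   # "AutoVPN" for spoke routes, otherwise a LAN-side gateway IP
    name: str


@dataclass
class MxRouteTable:
    vlans: Set[int] = field(default_factory=set)
    routes: List[Route] = field(default_factory=list)
    # VLAN id -> next hop, consulted only when no more specific route matches
    source_defaults: Dict[int, str] = field(default_factory=dict)

    def add_route(self, prefix: str, next_hop: str, name: str) -> None:
        self.routes.append(Route(ipaddress.ip_network(prefix), next_hop, name))

    def add_source_default(self, vlan_id: int, next_hop: str) -> None:
        # The documentation quoted above says this cannot be configured
        # when the MX has only a single VLAN, so the model refuses it too.
        if len(self.vlans) < 2:
            raise ValueError("source-based default route needs more than one VLAN")
        if vlan_id not in self.vlans:
            raise ValueError(f"VLAN {vlan_id} is not configured on the MX")
        self.source_defaults[vlan_id] = next_hop

    def lookup(self, dst: str, src_vlan: Optional[int] = None) -> Tuple[str, str]:
        """Return (next_hop, route_name) for a packet to dst sourced from src_vlan."""
        dst_ip = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if dst_ip in r.prefix]
        if matches:
            # Known destination: longest prefix wins, regardless of source VLAN.
            best = max(matches, key=lambda r: r.prefix.prefixlen)
            return best.next_hop, best.name
        if src_vlan in self.source_defaults:
            # Unknown destination from a VLAN that has a source-based default.
            return self.source_defaults[src_vlan], "source-based default route"
        # Otherwise the MX's own default route sends the traffic out its WAN uplink.
        return "WAN uplink", "MX default (uplink)"


WATCHGUARD_LAN_IP = "192.0.2.1"   # constructed: Watchguard interface facing the MX


def build_hq_table() -> MxRouteTable:
    """Constructed HQ MX table for the thread's design: remote site 1 via
    AutoVPN, HQ LAN and remote site 2 (still on MPLS) via the Watchguard."""
    mx = MxRouteTable(vlans={10, 20})
    mx.add_route("10.1.0.0/16", "AutoVPN", "remote site 1 (AutoVPN spoke)")
    mx.add_route("10.0.0.0/16", WATCHGUARD_LAN_IP, "HQ LAN behind Watchguard")
    mx.add_route("10.2.0.0/16", WATCHGUARD_LAN_IP, "remote site 2 via MPLS (Watchguard)")
    # Only VLAN 10 hands unknown (Internet) destinations to the Watchguard.
    mx.add_source_default(10, WATCHGUARD_LAN_IP)
    return mx


if __name__ == "__main__":
    table = build_hq_table()
    for dst, vlan in [("10.2.5.1", 10), ("10.1.3.3", 10),
                      ("198.51.100.7", 10), ("198.51.100.7", 20)]:
        print(f"VLAN {vlan} -> {dst}: {table.lookup(dst, vlan)}")
```

Running it shows the point of the first note: traffic from VLAN 10 to remote site 2 still follows the specific MPLS route, only the unknown Internet destination falls through to the Watchguard, and VLAN 20, which has no source-based default, leaves by the MX's WAN uplink.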
alemabrahao
Kind of a big deal

> MX84 Meraki cloud communications would go through the Watchguard; so Internet 1 and 2 would only be used for AutoVPN?

 

Nope, the MX will use the WAN interfaces to communicate with the Meraki Cloud.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

I will share supplemental information.

 

The documentation does not indicate that management communication is always through the uplink.
However, as far as I have previously verified, when the uplink is down, management communication is lost.

 

MX Routing Behavior - Cisco Meraki
https://documentation.meraki.com/MX/Networks_and_Routing/MX_Routing_Behavior#Behavior_of_Management_...

ref. Behavior of Management Traffic

 

> The following services/tools will specifically adhere to the route priority and not necessarily ingress or egress the primary WAN/Internet uplink:
>
> Advanced Malware Protection registration
> Meraki Cloud Authentication
> Meraki Cloud Communication on TCP ports 80,443 and 7734
> Ping and Dashboard Throughput Live Tools
> List Updates for the following services: Content Filtering, IDS/IPS Rule Updates and Geo-IP Lists for Layer 7 Country-Based Firewall rules

I know that the documentation does not indicate that management communication is always through the uplink.

 

But if we think about the logic of other firewalls, we have outgoing (Internet) and incoming (LAN) traffic. In the case of the MX, the WAN interfaces are used for outgoing traffic. 😉

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
PhilipDAth
Kind of a big deal

What you need to do is run the MX at HQ in VPN concentrator mode behind the WatchGuard. All traffic will go out through the Watchguard without you having to do anything special.

https://documentation.meraki.com/MX/Deployment_Guides/VPN_Concentrator_Deployment_Guide

 

And then, as already mentioned by @alemabrahao, run the spokes in full tunnel mode back to that concentrator.

Thanks for your comments.

 

@PhilipDAth, I'm wondering how to make it work while remote site 2 will still be on MPLS/Watchguard for some time.

 

HQ and remote site 1, OK, they will be on AutoVPN.

However, I see a need for routes in the MX/Watchguard for remote site 1 to reach HQ's LAN and also reach remote site 2 over MPLS, and vice versa.

 

In Concentrator mode, no routes are possible, I think.

 

Also, would you put it inline between the LAN and the Watchguard (more of a Passthrough design?), or one-armed?

 

And I'm not sure I get the configuration difference between Passthrough and VPN concentrator, since we choose the same option in Addressing and VLANs.

I don't think there's a place to choose between Passthrough or VPN concentrator.

Is the difference actually based on the way we insert it / use it in the design?
