I've really been having a tough time getting the design right for this project and could use some help.
We have a headquarters with an HA pair of MX105s, an HA pair of Palo Alto firewalls, and 2 Internet providers. There are 4 local private subnets.
We have a remote Data Center with another HA pair of MX105s, an HA pair of Palo Alto firewalls, and one Internet provider at the DC. There are 2 local private subnets.
We have 5 branch offices, each with an MX75 and 1 (sometimes 2) Internet providers. Each branch has 2-3 local subnets.
There is a Metro-E layer2 connection connecting all sites.
The goal is to have all internal traffic flow across the Metro-E when it is available, and via the AutoVPN connections when it is down. We want all user Internet traffic to flow through the Palo Altos at HQ, and fail over to the Data Center if HQ loses both ISPs. No user Internet traffic should ever exit the Merakis directly, only through the Palo Altos.
My original design had WAN1 at each location connected to the ISP, and WAN2 connected to the Metro-E. The Metro-E WAN interfaces had a default gateway pointing to the Palo Alto for Internet access. This works, except that I can't figure out how to give the Data Center MX105s a 0.0.0.0/0 route pointing to the local DC firewalls so they can serve as the backup Internet connection should HQ fail. As soon as I add a 0.0.0.0/0 route, the Data Center can no longer reach the HQ private subnets, because the static route takes precedence over the AutoVPN routes, so I get a routing loop between the MX and the local firewalls.
If I have the MX105s learn the 0.0.0.0/0 route via BGP from the firewalls, the MX105s start sending the Internet traffic directly out their own WAN interfaces, because the external BGP route has lower priority.
I was starting to look at converting the HQ and DC MX105s to one-arm concentrators (as has been suggested, since I don't want any Internet traffic exiting them directly), but I can't figure out how to make the Metro-E the primary path between sites and use AutoVPN only as a backup. One-arm concentrators only have one default route.
I don't feel like the overall goal is asking all that much, but I can't seem to find a design that ticks all the boxes. Any insights would be greatly appreciated!