Failover E-LAN to Auto-VPN

Sarv
Getting noticed

We have a requirement to fail over from an E-LAN service to Meraki Auto VPN in case E-LAN connectivity is lost. The following is the scenario:

3 sites using an E-LAN through a provider (running layer 3 over the E-LAN). Each site will also have internet egress; all sites will have Meraki MXs (different MX models based on size/bandwidth/etc.) and we would like to use site-to-site VPN (Auto VPN) between the 3 sites in case E-LAN connectivity is lost at any given site (or all sites). The requirement would also be that the failover is automatic. T

I read the following deployment guide: https://documentation.meraki.com/MX/Deployment_Guides/MPLS_Failover_to_Meraki_Auto_VPN

Would this work for our requirement as well? I do not see any real difference besides the service (MPLS) being used in the deployment guide example.

Thanks

Sarvjit

ww
Kind of a big deal

It uses route tracking. So it should work regardless of the carrier, as long as it's connected on the MX LAN side.

https://documentation.meraki.com/MX/Networks_and_Routing/MX_Routing_Behavior#Static_Route_Tracking

GIdenJoe
Kind of a big deal

You have two ways to go about this. The best way is to have MPLS or your WAN solution in front of the MX as the primary WAN and an internet circuit as the second WAN. The considerations you need to make here are that both WANs need an internet breakout so you can reach Meraki's VPN registries to report private and public WAN IPs and ports, and that your traffic will be tunneled over the WAN circuit encrypted. This solution is best because you can truly use SD-WAN and have very quick failover.

The other way is when you can't have tunneling or an internet breakout, and that is when you connect your WAN on a LAN port of the MX and use static routing to the other sites. However, you will need a provider private IP address that you can continually ping and that does not appear in any of your own subnets, so you can explicitly point a /32 static route towards it. Then you can make static routes towards the other sites via the E-WAN solution, but ones that are dependent on the success of the ping towards that provider IP. If that starts to fail, you will use the AutoVPN route instead.
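An added model (not code from the post, the thread, or Meraki) of the route selection the second option relies on: an untracked /32 static route to a provider probe address, per-site static routes that stay active only while that probe answers ping, and AutoVPN routes for the same prefixes that take over when the static routes go inactive. The site prefixes, the gateway 192.168.100.1, the probe address and the rule that a static route is preferred over an AutoVPN route for the same prefix are assumptions of this model.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Route:
    subnet: str                         # destination prefix
    next_hop: str                       # gateway on the MX LAN side, or "autovpn"
    tracked_host: Optional[str] = None  # /32 that must answer ping for the route to stay active
    autovpn: bool = False               # route learned over Auto VPN rather than configured

# Constructed example for one site: the E-LAN CE router sits on an MX LAN port at 192.168.100.1.
LOCAL_SUBNETS = ["10.1.0.0/24"]
PROVIDER_PROBE = "192.168.100.254"  # assumed provider-owned IP that is pinged continuously
ROUTES = [
    Route("192.168.100.254/32", "192.168.100.1"),                        # untracked /32 to the probe
    Route("10.2.0.0/24", "192.168.100.1", tracked_host=PROVIDER_PROBE),  # site B over E-LAN
    Route("10.3.0.0/24", "192.168.100.1", tracked_host=PROVIDER_PROBE),  # site C over E-LAN
    Route("10.2.0.0/24", "autovpn", autovpn=True),                       # site B over Auto VPN
    Route("10.3.0.0/24", "autovpn", autovpn=True),                       # site C over Auto VPN
]

def validate_probe(probe, local_subnets, routes):
    """The probe must lie outside every local subnet and have its own untracked /32 route;
    a tracked /32 would depend on itself and never come up."""
    ip = ipaddress.ip_address(probe)
    if any(ip in ipaddress.ip_network(s) for s in local_subnets):
        raise ValueError(f"probe {probe} overlaps a local subnet")
    probe_net = ipaddress.ip_network(f"{probe}/32")
    host = [r for r in routes if ipaddress.ip_network(r.subnet) == probe_net]
    if not host or host[0].tracked_host is not None:
        raise ValueError("probe needs an untracked /32 static route")
    return True

def lookup(dest, routes, reachable):
    """Longest-prefix match over the routes that are currently active.
    reachable: set of tracked hosts that answer ping right now."""
    ip = ipaddress.ip_address(dest)
    active = [r for r in routes
              if ip in ipaddress.ip_network(r.subnet)
              and (r.tracked_host is None or r.tracked_host in reachable)]
    if not active:
        return None
    # Longest prefix first; for equal prefixes the static route beats Auto VPN (assumed ordering).
    best = max(active, key=lambda r: (ipaddress.ip_network(r.subnet).prefixlen, not r.autovpn))
    return best.next_hop

if __name__ == "__main__":
    validate_probe(PROVIDER_PROBE, LOCAL_SUBNETS, ROUTES)
    print(lookup("10.2.0.10", ROUTES, {PROVIDER_PROBE}))  # probe answering: E-LAN gateway
    print(lookup("10.2.0.10", ROUTES, set()))             # probe silent: autovpn
```

Running it with the probe marked reachable returns the E-LAN gateway for 10.2.0.10; with the reachable set empty the same lookup returns "autovpn".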

Sarv
Getting noticed

Thanks. I will give the 2nd part of your solution a try. They will not have an internet breakout, so both circuits connected to WAN ports will not be an option. Thanks again.

cmr
Kind of a big deal

We run a similar setup and have the MXs at the core site in single-arm VPN concentrator mode. The MPLS terminates on the WAN ports of the MXs at the other sites, with the core using an L3 switch. There is a separate internet firewall at the core. All works well 😎

Sarv
Getting noticed

Thanks. I was hoping to avoid purchasing additional HW (firewall), as each site would also need a FW. I knew about the single-arm VPN concentrator mode, as this was the only solution available from Meraki prior to the ability to use static routes that are active while the next hop responds to pings. The client won't spring for additional HW.
