Failover Routing To VPN


Hi! I'm going to be installing some Meraki MX appliances to use for failover in the event that an MPLS connection dies.

I've got a few sites right now that all connect back to a data center over MPLS. I am sticking an MX100 at the data center to act strictly as a termination point for AutoVPN tunnels. The sites will have either MX84s or MX65s.

Since we have MPLS, I know there are a couple of different options (one of which is running site-to-site VPN over the MPLS tunnel, the other being AutoVPN failover with MPLS).

At this time, I'm ruling out site-to-site VPN over MPLS: we use Cisco WAAS and believe that building Meraki VPN tunnels over the MPLS network would negate the WAN optimization that WAAS provides.

So that leaves me with AutoVPN failover with MPLS.

In looking at the documentation, it appears that the MPLS network will be connected to the LAN interface of the MX appliance. Am I correct in assuming that the Meraki MX needs to sit INLINE between my MPLS router and switch? That's the only way I see it working, since it appears that the Meraki MX is deciding which interface to push the traffic out of.

I'm not super excited about having the MX inline on my MPLS network, as if I lose the Meraki for some reason (even if the MPLS is up), then I am dead in the water, because it doesn't appear that the Meraki LAN ports will pass traffic if the Meraki is down or powered off.

Which brings me to my next question. Instead of having the Meraki inline on my MPLS network, could I have the MX LAN interface plugged into the network (but not inline)? Would it be possible to create static routes on my core switch that would route to the LAN interface on the Meraki in the event that the remote network was unreachable over MPLS? That would give me the ability to still fail over to the Meraki VPN tunnel in the event of an MPLS failure, but wouldn't cause a larger outage if for some reason the Meraki went down.

I am not a network admin by trade, so any thoughts would be greatly appreciated!

Thanks for the suggestions/help!


Re: Failover Routing To VPN

I assume you're on about using a floating static route with a lower AD than the dynamic routing protocol that you're using to communicate routes from your MPLS to your core switch? I don't see how this wouldn't be a viable solution.

You could also look at putting the MXs in an HA arrangement if you're that worried about one dying.

Eliot F | Simplifying IT with Cloud Solutions

Re: Failover Routing To VPN

"Instead of having the Meraki inline on my MPLS network, could I have the MX LAN interface plugged in to the network (but not inline) would it be possible to create static routes on my core switch that would route to the LAN interface on the Meraki in the event that the remote network was unreachable over MPLS?  "

 

You could do this, but I would not recommend it. It would destroy the client tracking and prevent most security features from working. This is because traffic would leave the site via the MX because it is the default gateway, but would return to the client directly since the WAN circuit was in the same VLAN.

You want a point-to-point circuit (via a LAN port) to your WAN circuit. If you are worried about a single point of failure, use two MX units and create a warm spare configuration. This guide talks about the config you are interested in:

https://documentation.meraki.com/MX-Z/Deployment_Guides/MPLS_Failover_to_Meraki_Auto_VPN

WARNING WARNING WARNING: The MX needs to talk to the Internet via a WAN port as it is cloud controlled.  So you will need an Internet circuit at each site plugged into the MX using this approach.
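Both replies describe routing behaviour that is easier to judge by tracing it. The following is an added example, not code from the original post, from Meraki or from Cisco: a small Python route-selection model in which every device name, prefix and administrative distance is a constructed assumption (the AD values follow the Cisco IOS defaults of 0 for connected, 1 for static and 20 for eBGP, with 250 chosen for the floating static). `failover_demo()` shows the floating static route from the first reply, which has a higher AD than the BGP route and so only takes over once BGP withdraws the MPLS path, and `symmetry()` contrasts the second reply's point-to-point design (the MPLS CE on a dedicated /30 behind an MX LAN port) with an MX whose LAN port shares the client VLAN with the CE, showing in which design the MX sees both directions of a flow.

```python
"""Route-selection model for the MPLS / AutoVPN failover designs in this
thread.  Added example, not code from the original post, Meraki or Cisco.
Every device name, prefix and administrative distance (AD) below is a
constructed assumption; the AD values follow the Cisco IOS defaults
(connected 0, static 1, eBGP 20) with 250 used for the floating static."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: Optional[str]   # router name, or None for a directly connected network
    ad: int                   # administrative distance; lower wins at equal prefix length
    source: str               # "connected", "bgp" or "static"


@dataclass
class Router:
    name: str
    rib: List[Route] = field(default_factory=list)

    def add(self, prefix: str, next_hop: Optional[str], ad: int, source: str) -> None:
        self.rib.append(Route(ipaddress.ip_network(prefix), next_hop, ad, source))

    def withdraw(self, source: str) -> None:
        """Drop every route learned from `source`, as BGP does when the MPLS CE
        stops advertising because the circuit is down."""
        self.rib = [r for r in self.rib if r.source != source]

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest prefix match first, then lowest AD: the rule that makes a
        floating static (AD 250) lose to eBGP (AD 20) until BGP withdraws."""
        addr = ipaddress.ip_address(dst)
        cands = [r for r in self.rib if addr in r.prefix]
        if not cands:
            return None
        return max(cands, key=lambda r: (r.prefix.prefixlen, -r.ad))


def trace(routers: Dict[str, Router], start: str, dst: str, max_hops: int = 8) -> List[str]:
    """Follow next hops from `start` until a router owns `dst` as a connected network."""
    path, cur = [], start
    for _ in range(max_hops):
        path.append(cur)
        route = routers[cur].lookup(dst)
        if route is None:
            return path + ["<dropped>"]
        if route.next_hop is None:
            return path                     # delivered onto the connected segment
        cur = route.next_hop
    return path + ["<loop>"]


def failover_demo():
    """First reply: core switch with an eBGP route via the MPLS CE and a
    floating static via the MX LAN interface for the data-centre prefix."""
    core = Router("core")
    core.add("10.1.0.0/16", None, 0, "connected")      # site LAN (assumed prefix)
    core.add("10.9.0.0/16", "mpls_ce", 20, "bgp")       # DC prefix learned over MPLS
    core.add("10.9.0.0/16", "mx", 250, "static")        # floating static to the MX
    before = core.lookup("10.9.1.10").next_hop
    core.withdraw("bgp")                                # MPLS dies, BGP route vanishes
    after = core.lookup("10.9.1.10").next_hop
    return before, after


def build_site(ce_behind_mx: bool) -> Dict[str, Router]:
    """Site where the MX is the clients' default gateway and reaches the DC
    through the MPLS CE.  ce_behind_mx=True is the second reply's design (CE on
    a dedicated /30 off an MX LAN port); False puts the CE on the client VLAN."""
    mx, ce, dc = Router("mx"), Router("mpls_ce"), Router("dc")
    mx.add("10.1.0.0/16", None, 0, "connected")         # client VLAN, MX is the gateway
    mx.add("10.9.0.0/16", "mpls_ce", 1, "static")       # DC via the MPLS CE while MPLS is up
    ce.add("10.9.0.0/16", "dc", 20, "bgp")              # across the MPLS cloud
    dc.add("10.9.0.0/16", None, 0, "connected")         # data-centre LAN
    dc.add("10.1.0.0/16", "mpls_ce", 20, "bgp")         # DC returns to the site over MPLS
    if ce_behind_mx:
        mx.add("192.168.255.0/30", None, 0, "connected")
        ce.add("192.168.255.0/30", None, 0, "connected")
        ce.add("10.1.0.0/16", "mx", 1, "static")        # CE's only way back is through the MX
    else:
        ce.add("10.1.0.0/16", None, 0, "connected")     # CE sits on the client VLAN itself
    return {"mx": mx, "mpls_ce": ce, "dc": dc}


def symmetry(ce_behind_mx: bool):
    """Return (outbound path, return path, whether the MX sees the return traffic)."""
    routers = build_site(ce_behind_mx)
    outbound = trace(routers, "mx", "10.9.1.10")        # client -> MX (gateway) -> ...
    inbound = trace(routers, "dc", "10.1.1.50")
    return outbound, inbound, "mx" in inbound


if __name__ == "__main__":
    print("floating static, before/after BGP withdrawal:", failover_demo())
    for design in (False, True):
        print("CE behind MX:", design, "->", symmetry(design))
```

With the CE on the client VLAN the return path is `dc -> mpls_ce` and never touches the MX, which is exactly the half-flow visibility the second reply warns about; with the CE behind an MX LAN port both directions pass through the MX. One caveat when turning the floating static into a real configuration: it only takes over when the routing protocol actually withdraws the MPLS route, so a circuit that stays up while the provider drops traffic will not trigger failover on its own.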
