Failover Routing To VPN

BrentWiebe
New here

Working with a client and trying to come up with an automated failover mechanism for them.


Here's the scenario:

 

They have 3 local locations that are all interconnected over an MPLS through switches.  The MPLS network is 192.168.8.0/22.  One of their locations is a datacenter, and all of their server infrastructure is in the same 192.168.8.0/22 network.  The datacenter has a non-meraki cluster protecting it.

 

They have a number of remote locations that have VPN connectivity to the datacenter over this network.

 

One of their 3 locations is new and has a Meraki MX-100 cluster on it, and the MPLS is connected through port 8 on the cluster.  

 

In the event of a Port8/MPLS failure (unlikely as it may be), they are looking for a possible Automated-Failover.  From what I've seen/tried, this doesn't appear to be possible, as the Meraki seems to choke on the fact that the 192.168.8.0/22 network exists on a wired link.  If I try to add a VPN to the existing VPN route to 192.168.8.0/22, it complains because the network is already defined on a port.

 

On other devices that I've had similar scenarios on, I can manage this by controlling route metrics/distance, and they don't care if the route exists with multiple configurations.

 

Is there a way to do this with the setup as it is today?  I had thought about possibly using NAT for the VPN route, but that would require some level of redo on all of the existing VPN connectivity today.

 

Any other thoughts?  Anything I haven't considered?

 

As it stands today, I can only see this being a manual process:

 

1) Delete route/disconnect cable.

2) Enable VPN.

3) Reverse when MPLS available again.

 

Thanks!

jdsilva
Kind of a big deal

I looked at this earlier, but don't believe it will work. The biggest issue is that the route 192.168.8.0/22 can't exist twice on the Meraki cluster. It doesn't allow it. In the example they give, the scenario is a bit different,
jdsilva
Kind of a big deal

I've never tried it, but you might be able to trick it. If you were to add two routes, 192.168.8.0/23 and 192.168.10.0/23, instead of your single /22 you'll get the same routing behavior, but have "different" routes. 

jdsilva
Kind of a big deal

There's also this fun topology...  It should work for what you want, but requires additional gear 😞

 

https://documentation.meraki.com/MX-Z/Site-to-site_VPN/Configuring_Site-to-site_VPN_over_MPLS

 

 

Looks intriguing but they don't have Meraki gear at their datacenter.

Hmmmm....
PhilipDAth
Kind of a big deal

You need to configure a /30 stub between the Meraki and the /22 network.  Add a static route via the /30 to the /22.  If it fails it will be withdrawn from the routing table on the MX automatically.

 

You will also be able to add the VPN then.

PhilipDAth, can you elaborate a little more on what you're suggesting?

Thanks!

Sure.  Don't plug the MX directly into 192.168.8.0/22.  Hopefully 192.168.8.0/22 is served by a layer 3 switch or some other layer 3 device.

 

On that layer 3 switch configure a new stub network, such as 192.168.255.252/30.  Give the layer 3 device the IP address 192.168.255.254.  Give the MX an IP address of 192.168.255.253.

 

Now on the MX add a route for 192.168.8.0/22 via 192.168.255.254.  The layer 3 switch will need routes back via the MX for whatever networks are on the other side of the MX.

 

 

Now if the MX loses its connection to 192.168.8.0/22 it will simply drop out of the routing table.
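To make the difference between the two layouts concrete, here is an added toy model of route selection (example code written for this edit, not Meraki's implementation or anything from the thread). It assumes, as the thread describes, that the MX refuses a VPN route for a prefix that is already a directly connected port subnet, that a static route is only usable while the interface holding its next hop is up, and that among routes covering a destination the longest prefix wins with connected preferred over static over VPN. The addresses follow PhilipDAth's /30 stub example; the destination host 192.168.9.10 is a constructed sample.

```python
"""Toy route-selection model of the MPLS-to-VPN failover discussed above.

Assumptions (this is a model, not Meraki documentation):
  * a VPN route is rejected for a prefix that is itself a connected port subnet;
  * a static route is active only while the interface holding its next hop is up;
  * longest prefix wins; on a tie, connected > static > vpn.
"""
from ipaddress import ip_address, ip_network

PREFERENCE = {"connected": 0, "static": 1, "vpn": 2}  # lower is preferred


class MxRouteTable:
    def __init__(self):
        self.interfaces = {}  # name -> {"net": IPv4Network, "up": bool}
        self.routes = []      # (IPv4Network, kind, next_hop-or-interface)

    def add_interface(self, name, cidr):
        net = ip_network(cidr, strict=False)  # host/prefix -> its subnet
        self.interfaces[name] = {"net": net, "up": True}
        self.routes.append((net, "connected", name))

    def set_link(self, name, up):
        self.interfaces[name]["up"] = up

    def add_static(self, cidr, next_hop):
        self.routes.append((ip_network(cidr), "static", ip_address(next_hop)))

    def add_vpn(self, cidr):
        net = ip_network(cidr)
        # Models the complaint quoted in the question: the prefix is "already
        # defined on a port", so a VPN route for it is refused.
        if any(i["net"] == net for i in self.interfaces.values()):
            raise ValueError(f"{cidr} is already defined on a port")
        self.routes.append((net, "vpn", None))

    def _active(self, route):
        net, kind, arg = route
        if kind == "connected":
            return self.interfaces[arg]["up"]
        if kind == "static":
            # Usable only while some up interface can reach the next hop.
            return any(i["up"] and arg in i["net"] for i in self.interfaces.values())
        return True  # VPN tunnel assumed established

    def lookup(self, dst):
        """Return the kind of route ('connected'/'static'/'vpn') that would carry dst, or None."""
        dst = ip_address(dst)
        candidates = [r for r in self.routes if dst in r[0] and self._active(r)]
        if not candidates:
            return None
        best = max(candidates, key=lambda r: (r[0].prefixlen, -PREFERENCE[r[1]]))
        return best[1]


def stub_design():
    """PhilipDAth's layout: /30 stub on port 8, static /22 via the L3 switch, VPN /22 as backup."""
    t = MxRouteTable()
    t.add_interface("port8", "192.168.255.253/30")      # MX side of the stub
    t.add_static("192.168.8.0/22", "192.168.255.254")   # via the layer 3 device
    t.add_vpn("192.168.8.0/22")                         # accepted: the /22 is not on a port
    before = t.lookup("192.168.9.10")                   # MPLS path while the stub is up
    t.set_link("port8", False)                          # port 8 / MPLS failure
    after = t.lookup("192.168.9.10")                    # static withdrawn, VPN takes over
    return before, after


def direct_attach_design():
    """Original layout: the /22 sits on port 8 itself, so the VPN route is refused."""
    t = MxRouteTable()
    t.add_interface("port8", "192.168.8.1/22")
    try:
        t.add_vpn("192.168.8.0/22")
        verdict = "accepted"
    except ValueError:
        verdict = "refused"
    t.set_link("port8", False)
    return verdict, t.lookup("192.168.9.10")  # nothing left to carry the traffic


if __name__ == "__main__":
    print("stub design (before, after failure):", stub_design())
    print("direct attach (vpn add, after failure):", direct_attach_design())
```

In the stub layout the failover needs no manual step: the static route disappears together with the /30 link, and the same-prefix VPN route, which the model accepts because the /22 is no longer a port subnet, becomes the only candidate. In the direct-attach layout the VPN route is never installed, so a port 8 failure leaves the destination unreachable, which is the manual three-step process the question describes.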

Thank you!  It's ironic - we initially suggested doing something like this, but they were against us making any sorts of changes to their MPLS setup.

 

At this point it's as easy as adding an interface on their Data Center firewall cluster in the /30 leaving the existing 192.168.8.0/22 on the Datacenter alone, changing the Meraki interface to the /30 and changing routing on both ends.  Then the VPN will just work.

 

I've detailed it to them, and hope they will come to their senses 🙂

 

Thanks!
