Failover both Uplink and Metro-E network

PresITsupport
Here to help

We currently have MPLS connecting 6 locations. Routing is done by our ISP. Each location has an MX appliance in NAT mode.

We are moving away from MPLS and recently starting to implement Metro-E at our locations.
Each location has a designated cheap uplink. Currently I am using each location's core L3 switch to do failover routing for both MPLS/Metro-E and the uplink (I wanted it to use MX AutoVPN if MPLS/Metro-E goes down, and if the local uplink goes down, send the default route to MPLS/Metro-E). Ultimately I want to move all these routes to the MX, so I only need to manage local L3 routing on the core switch.

I attempted to set up this configuration, https://documentation.meraki.com/MX-Z/Site-to-site_VPN/Configuring_Site-to-site_VPN_over_MPLS, on our sites, but the branch keeps forming AutoVPN over its own uplink instead of over Metro-E.

Did anyone figure this out?

By the way, the HQ has two uplinks and a Metro-E connection. Site-to-site VPN is hub and spoke. The Metro-E network is formed with a /29 network.

8 Replies
PhilipDAth
Kind of a big deal

To use AutoVPN over Metro-E you would plug the Metro-E circuit into a WAN port on the MX, not directly into your L3 switch.

PresITsupport
Here to help

That's how we set it up at one of our branch offices. We connected Metro-E on WAN2, then set up traffic shaping to make WAN2 the primary uplink without load balancing, but according to the VPN status, it's forming an AutoVPN with WAN1 instead of WAN2.

The WAN2 connection is set up with its gateway set to the HQ Metro-E IP address.

The HQ MX has Metro-E on a LAN port because its WAN1 and WAN2 have separate uplink ISPs.

PhilipDAth
Kind of a big deal

What is providing the Metro-E circuit access to the Internet?

PhilipDAth
Kind of a big deal

I see now.

The HQ MX also needs its WAN port connected to the Metro-E. You would need to use an additional device to provide the Metro-E circuit access to the Internet.

You could use this approach instead:

https://documentation.meraki.com/MX-Z/Deployment_Guides/MPLS_Failover_to_Meraki_Auto_VPN

PresITsupport
Here to help

I thought about that design, where it provides a backup internal route through AutoVPN. This scenario works with Metro-E connected to the MX's LAN port at both the branch and HQ sites.

But with this scenario, doesn't it only provide failover to Metro-E?

What if my branch's uplink 1 goes down and it does not have a WAN2? Can I set up a static default route to go to HQ Metro-E?

PhilipDAth
Kind of a big deal

It does the opposite. Metro-E is the primary circuit, and it only fails over to AutoVPN if the Metro-E circuit fails.

PresITsupport
Here to help

So with our setup, we cannot have a backup route to the Internet if the branch's WAN goes down?

PhilipDAth
Kind of a big deal

Only if you have the Metro-E circuit connected to a WAN port. And you need to add a tracked route for every remote route.
