We currently have MPLS connecting 6 locations. Routing is done by our ISP. Each location has an MX appliance in NAT mode.
We are moving away from MPLS and recently started to implement Metro-E at our locations.
Each location has a designated cheap uplink. Currently I am using each location's core L3 switch to do failover routing for both MPLS/Metro-E and the uplink (I wanted it to use MX AutoVPN if MPLS/Metro-E goes down, and if the local uplink goes down, send the default route to MPLS/Metro-E). Ultimately I want to move all these routes to the MX, so I only need to manage local L3 routing on the core switch.
I attempted to set up this configuration, https://documentation.meraki.com/MX-Z/Site-to-site_VPN/Configuring_Site-to-site_VPN_over_MPLS, on our sites, but the branch keeps forming AutoVPN over its own uplink instead of over Metro-E.
Has anyone figured this out?
By the way, the HQ has two uplinks and a Metro-E connection. Site-to-site VPN is hub and spoke. The Metro-E network is formed with a /29 network.
To use AutoVPN over Metro-E you would plug the Metro-E circuit into a WAN port on the MX, not directly into your L3 switch.
That's how we set it up at one of our branch offices. We connected Metro-E on WAN2, then set up traffic shaping to set WAN2 as the primary uplink without load balancing, but according to the VPN status, it's forming an AutoVPN with WAN1 instead of WAN2.
The WAN2 connection is set up to set the gateway to the HQ Metro-E IP address.
The HQ MX has Metro-E on a LAN port because its WAN1 and WAN2 have separate uplink ISPs.
I see now.
The HQ MX also needs its WAN port connected to the Metro-E. You would need to use an additional device to provide the Metro-E circuit access to the Internet.
You could use this approach instead:
I thought about that design, where it provides a backup internal route through AutoVPN. This scenario works with Metro-E connected to the MX's LAN port on both the branch and HQ sites.
But with this scenario, doesn't it only provide failover to Metro-E?
What if my branch's uplink 1 goes down, and it does not have WAN2, can I set up a static default route to go to the HQ Metro-E?
It does the opposite. Metro-E is the primary circuit, and it only fails over to AutoVPN if the Metro-E circuit fails.
Only if you have the Metro-E circuit connected to a WAN port. And you need to add a tracked route for every remote route.