I don't think I can use MX as a Site to Site VPN & Internet uplink two sites A - B

SOLVED
ospsms
Here to help

I don't think I can use MX as a Site to Site VPN & Internet uplink two sites A - B

I have a simple two site WAN network with AT&T AVPN (MPLS Site to Site) w/NBFW off the default route, Internet setup WAN using Site A MX68 & Site B MX84 ... Single up-links per site to AT&T AVPN w/ network based Firewall...   

 

With a Cisco RV160 Edge Router at each site as the WAN Up-link I can add a Site to Site VPN between Site A & B and still use the NBFW to the internet using the Cisco Routers ... But I wanted the MX devices per/site to be the network Edge & the Vlan gateways for the LAN.

 

If I replace the Cisco Edge RV160 with the Meraki MX units as the Network Edge w/vlan GW,

I use the single up-link WAN at each site & get through to the NBFW. All Good

 

As soon as I turn up the Meraki VPN  Hub (Mesh), Each site loses the up-link to the NBFW...

Maybe I expected too much router similar capabilities of the MX devices to act like a Edge Router to the internet & VPN between the two sites concurrently...

 

I could always put the MX units behind the Cisco RV160 routers, but at that point I just wasted my money buying MX security devices for each site... 

 

Does anyone know of a simple AB site setup using MX devices at the network edge to have S2S VPN plus Internet w/NBFW on a single WAN up-link path? 

1 ACCEPTED SOLUTION
Bruce
Kind of a big deal

If you’re losing internet access when the AutoVPN comes up it sounds like you’re trying to use full tunnel, which you don’t want to be. Make sure there a no Exit Hubs configured in the AutoVPN settings at each site.

View solution in original post

5 REPLIES 5
KarstenI
Kind of a big deal
Kind of a big deal

I don't really get the problem here. Using the MX as the main firewall (with one or two uplinks, does not matter) and having VPN between all sites is probably one of the most implemented feature of the MX. Can you draw a picture of your topology detailing the problem?

ExampleExample

Bruce
Kind of a big deal

If you’re losing internet access when the AutoVPN comes up it sounds like you’re trying to use full tunnel, which you don’t want to be. Make sure there a no Exit Hubs configured in the AutoVPN settings at each site.

VPN established between both Site A & B ... with no Exit hub defined both sites vlans 1 & 2 can get out to the Internet NBFW also...     BUT ... no traffic passing between the AUTOVPN ... i.e. each vlan can not ping the other site's vlan GW 10.x.x.1 or any other addresses on those networks...    Next roadblock to troubleshoot... 

Bruce
Kind of a big deal

@ospsms, start with checking the status of the AutoVPN, make sure it is actually up. And check the route table to make sure the subnets of the other site have been learnt by the MX.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels