Internal Exit Routes at the Data Center

MDHackett
Conversationalist
We're upgrading our SD-WAN with a new fiber vendor who's giving us a private fiber network connection. They're connecting up to MX64s at our small sites, MX100s at our 2 larger sites and the Data Center.
We're planning to auto-VPN them to connect, using the Data Center as the exit hub. However, there's a catch. We have existing firewalls we want to route through instead of letting the MXs do that lifting (because it's already in place and heavily ruled). The fiber company is about ready to hand off their gear and let us plug in to test before we spend a Saturday afternoon going live.
Clearly the current issue we're struggling with is how to tell the DC MX100 to route outbound traffic to the internal xxx.xxx.15.254 address, as opposed to the typical default route of 0.0.0.0 to the WAN uplink. If we put in a static route of 0.0.0.0/32 going to xxx.xxx.15.254, then it comes up below the 0.0.0.0/0 route to the WAN uplink, so I'm not sure that's going to accomplish what we're looking for.
Should we try to set a default route on all the MXs to simply point to xxx.xxx.15.254 instead of the WAN uplink, and let the auto-VPN get the traffic over to the DC and pass it to the firewall that way?

2 REPLIES

ww
Kind of a big deal

Put a 0.0.0.0/0 to the 15.254 at the location where the firewall is, and advertise this in VPN.
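As an added illustration (not from the original thread or from Meraki): a longest-prefix-match lookup over a constructed route table shows why the 0.0.0.0/32 static route from the question matches nothing but the literal address 0.0.0.0, while ww's 0.0.0.0/0 default toward the firewall catches all Internet-bound traffic. The firewall address 10.0.15.254 is a placeholder for the redacted xxx.xxx.15.254.

```python
import ipaddress

# Placeholder for the redacted xxx.xxx.15.254 firewall address in the question.
FIREWALL = "10.0.15.254"

def lookup(routes, dst):
    """Longest-prefix match: the most specific prefix containing dst wins.
    routes is a list of (prefix, next_hop); returns the next hop or None."""
    dst = ipaddress.ip_address(dst)
    best_net, best_nh = None, None
    for prefix, nh in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_nh = net, nh
    return best_nh

# Constructed table for the attempt described in the question: a /32 "above"
# the uplink default. /32 only contains the single address 0.0.0.0.
ATTEMPT = [("0.0.0.0/32", FIREWALL), ("0.0.0.0/0", "WAN uplink")]

# Constructed table for ww's suggestion: the default route itself points at
# the firewall, so anything not covered by a more specific route goes there.
FIX = [("10.0.15.0/24", "connected"), ("0.0.0.0/0", FIREWALL)]

def outbound_next_hop(routes, dst="203.0.113.10"):
    """Next hop for an Internet-bound packet (203.0.113.10 is a documentation address)."""
    return lookup(routes, dst)

if __name__ == "__main__":
    print("attempt:", outbound_next_hop(ATTEMPT))  # still leaves via the WAN uplink
    print("fix:    ", outbound_next_hop(FIX))      # goes to the firewall
```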

PhilipDAth
Kind of a big deal

The branch sites - they have no direct Internet connection? The "private fibre" is back to the DC only?
You are planning on using AutoVPN over these private links?
If the above is correct, then you'll be using this configuration:

https://documentation.meraki.com/MX/Site-to-site_VPN/Configuring_Site-to-site_VPN_over_MPLS

The MX100 in the DC would normally be used in VPN concentrator mode. Its default route would point to the existing firewalls (or it could point at a core L3 switch) and that device would be responsible for the routing.
