Internet Failed over to DC

hianilz
Getting noticed

Internet Failed over to DC

Hi Team,

 

We have a setup like all our remoite sites Internet access will be locally breakout through Zscaler tunnels., if remote sites Internet link goes down we would like route entire site internet traffic to DC and get the access from DC internet links ? is it achievable through automatically ? i know we can achieve this by manually adding default route from Site-to-Site vpn --> Hubs--> tick on IPV4 defaulr route 

 

any thoughts or advices how can we achieve this ?

 

Note : Each remote sites has 2 links - Primary - Internet and Backup- MPLS

10 REPLIES 10
MarcP
Kind of a big deal

I´m absolutely not into API but maybe to code a script which checks if the primary uplink is working - if not change automatically routes?

 

On the other hand, shouldn´t this work with SD-WAN & traffic shaping on your MX?

MarcP_0-1649406441624.png

 

hianilz
Getting noticed

@MarcP  thanks for your reply, may be we need to try through API..but i tried to find required infromation in meraki documentation but i could not able to find that 😞

regards to your screen shot this is prioritise the internet traffic, by default always take WAN where we can forcefully move some trafffic to other link.., but this will not help us to failover automatically.

ww
Kind of a big deal
Kind of a big deal

"Note that if an MX-Z device is configured with a default route (0.0.0.0/0) to a Non-Meraki VPN peer, traffic will not fail over to the WAN, even if the connection goes down."

 

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-Site_VPN_Settings#Non-Meraki_VPN_peers

hianilz
Getting noticed

@ww  thanks for you reply, this is not for Non-meraki vpn peer, what i am looking for is if my Internet link(local break out for internet and ready to take traffic for MPLS) goeas down at one of my  remote sites that site should take the inernet from my DC (HUB1) is this achievable ?

ww
Kind of a big deal
Kind of a big deal

I was asuming you had some 3rd party vpn tunnel with default route to zscaler.

 

Where does your default route at the mpls provider go? Because if you use a default route provided  at your dc then traffic always would flow that way. Like this design: https://documentation.meraki.com/MX/Site-to-site_VPN/Configuring_Site-to-site_VPN_over_MPLS

hianilz
Getting noticed

@ww  at the moment default route is local Internet, if local internet goes down we want to route internet traffic to DC internet link via MPLS link by clicking the default route from Site-to-Site vpn --> Hubs--> tick on IPV4 default route, but for this manually we are doing, but we want to make this automatic 

ww
Kind of a big deal
Kind of a big deal

So thats not possible unless  you make something work with api.

But local breakout at mpls, default route  from the dc, as described in above url should be possible

PhilipDAth
Kind of a big deal
Kind of a big deal

Not with Zsaler.

 

Should be possible with Umbrella using the SD-WAN integration.  In this configuration, the tunnels are not "static" but dynamically built.  If the tunnel over the primary fails it will rebuild over the backup.

https://documentation.meraki.com/MX/Meraki_Umbrella_SDWAN_Connector/Deployment_Guide 

@PhilipDAth  thanks for your reply, sorry for confusion, i am talking about meraki to meraki tunnels one is thorugh MPLS and other through DIA, same DIA link will be used for local break out for same sites. If DIA link goes down site should be able to access \internet through HUB1 how this is achievable automatically 

PhilipDAth
Kind of a big deal
Kind of a big deal

You can't achieve this with Zscaler.  You have a non-meraki site to site VPN to ZScaler to the primary interface of the MX.  Sure the MX can failover, it will try and build the VPN from the MPLS interface, but the VPN to Zscaler won't come up as ZScaler will only be expecting it to come from the IP address of the primary interface.

 

You need something like Cisco Umbrella SIG which has failover support.

https://docs.umbrella.com/umbrella-user-guide/docs/getting-started 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels