Internet failover to point-to-point?

SOLVED
Griz
Conversationalist

Hi. I have a remote site connected to HQ over a dedicated point-to-point circuit using MX84 on both ends, and that site also has its own Internet circuit on WAN1.  I'm using AutoVPN on that circuit for failover in case the P-2-P goes down, and that works fine. What I'd like to know is: is there any way to configure that MX so that if the Internet circuit goes down, Internet traffic is routed to HQ over the P-2-P so that it can go out the HQ Internet connection? I have a cellular modem on the remote MX for Internet failover, but not only is it slower and more expensive, it failed to work over the weekend when the primary Internet went down until the MX was manually rebooted. Thanks for any thoughts.

17 REPLIES 17
NSGuru
Getting noticed

Hi @Griz, what interface does the point-to-point connect to on the firewalls? Is it only a layer 2 point-to-point? In order to route (Internet) traffic out of the MX firewalls it must be connected to a WAN interface, or so I've been told.

Cloud Network Engineer | cloudIT
Certified Meraki Networking Associate

Kudo this if it helped! 🙂
Griz
Conversationalist

NSGuru,

The p2p uses one of the LAN ports (wouldn't want to NAT that traffic). I'm afraid you're right about the WAN interfaces, but was hoping for different, like maybe a way to set a "conditional" default route.

NSGuru
Getting noticed

@Griz Yeah, sorry, I can't think of a good way to do it with a Meraki product. I'm hoping they allow for a bit more customization of routing in the future on the Meraki firewalls and switches. I think the only reason they don't is that it could cause major issues communicating with the Meraki Cloud if not programmed properly.

Cloud Network Engineer | cloudIT
Certified Meraki Networking Associate

Kudo this if it helped! 🙂
PhilipDAth
Kind of a big deal

It would require a substantial re-configuration.

It would be easier to just go get yourself an extra backup Internet circuit or 4G.

Griz
Conversationalist

I did mention that I do have a cellular modem attached, but that it's quite a bit slower, and apparently not reliable (this location is in a very rural area with very limited options). Are you saying it IS possible somehow? I'd be interested in hearing how; it might be worth it!

PhilipDAth
Kind of a big deal

To do it you have to turn the P2P circuit into an internet circuit.

So let's take a simple case. Let's say at the remote site there is an ISP-supplied modem with four ports doing NAT on the LAN side (so you can just plug in a computer and access the Internet). You have the remote MX plugged into one of those ports. Move the P2P circuit so that it also plugs into this ISP-supplied router.

Now on your site move the P2P circuit to WAN2 on the local MX. Enable AutoVPN. Set the preference so that VPN traffic prefers WAN2, and Internet can fail over to it.

So traffic between the two sites will flow over AutoVPN over the P2P circuit between the MX WAN ports.  The local site can now also fail over its Internet to that of the remote site.

Another way of achieving your desired result:
Assuming the PTP circuit is on a dedicated VLAN connected to the MX at the remote site, configure one LAN port as an access port on that VLAN. Connect WAN2 (still at the remote site) to the LAN port that's on the PTP VLAN with DHCP running at HQ. Now you have WAN2 routing over the PTP circuit and then out to the internet via the MX at HQ. I have this setup in my environment and it's working perfectly. I'm actually using WAN2 as the primary uplink for the remote site because the PTP --> Internet at HQ provides more bandwidth than WAN1.

With this approach HQ won't be able to access the LAN at the local site, because using the WAN port in this way will result in the local LAN being NATed.

Philip, in this scenario HQ is able to access the LAN on the far end because the PTP circuit is physically connected to the LAN side of the MX with an address assigned to the PTP VLAN. An additional LAN port in access mode on that VLAN is used to pass the traffic through to the WAN2 port. So essentially the WAN2 port is using the PTP VLAN to get back to HQ and out to the internet. You'll have a static route in place to make sure internally destined traffic to/from either side of the PTP circuit doesn't pass through the WAN interface.
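To make the design above concrete, here is an added example (not from the original posters, and not Meraki's API) that models the remote MX's route lookup and checks the three things ScottWinCO's reply relies on: WAN2's DHCP lease sits in the PTP VLAN, the static route's next hop is the HQ MX on that VLAN, and no HQ-bound prefix falls through to the NATed WAN2 default route. All addresses are constructed placeholders.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed model of the remote-site MX from the accepted solution: the PTP
# circuit lands on a dedicated VLAN, WAN2 is cabled into an access port on that
# VLAN and gets its address from HQ's DHCP server, and a LAN static route keeps
# internal traffic off the NATed WAN2 path. All addresses are placeholders.
REMOTE_MX = {
    "lan_subnets": {"site-lan": "192.168.20.0/24", "ptp-vlan": "10.250.0.0/29"},
    "static_routes": {"to-hq": ("10.0.0.0/8", "10.250.0.1")},  # (prefix, next hop)
    "wan2_lease": "10.250.0.3",          # handed out by HQ DHCP on the PTP VLAN
    "hq_subnets": ["10.1.0.0/16", "10.2.0.0/16"],
}


def next_hop(cfg: Dict, dst: str) -> Tuple[str, bool]:
    """Longest-prefix match over connected VLANs and LAN static routes, falling
    back to the WAN2 default route. Returns (route name, True if NATed)."""
    ip = ipaddress.ip_address(dst)
    best: Tuple[int, str, bool] = (-1, "wan2-default", True)
    for name, net in cfg["lan_subnets"].items():
        n = ipaddress.ip_network(net)
        if ip in n and n.prefixlen > best[0]:
            best = (n.prefixlen, f"connected:{name}", False)
    for name, (prefix, _) in cfg["static_routes"].items():
        n = ipaddress.ip_network(prefix)
        if ip in n and n.prefixlen > best[0]:
            best = (n.prefixlen, f"static:{name}", False)
    return best[1], best[2]


def check_design(cfg: Dict) -> List[str]:
    """Return the problems a reviewer would flag before cabling WAN2."""
    problems: List[str] = []
    ptp = ipaddress.ip_network(cfg["lan_subnets"]["ptp-vlan"])
    if ipaddress.ip_address(cfg["wan2_lease"]) not in ptp:
        problems.append("WAN2 lease is not inside the PTP VLAN subnet")
    for name, (_, nh) in cfg["static_routes"].items():
        if ipaddress.ip_address(nh) not in ptp:
            problems.append(f"static route {name}: next hop {nh} is not on the PTP VLAN")
    for net in cfg["hq_subnets"]:
        probe = str(ipaddress.ip_network(net)[1])  # first usable host in the prefix
        route, natted = next_hop(cfg, probe)
        if natted:
            problems.append(f"HQ subnet {net} would be NATed out WAN2 via {route}")
    return problems
```

Running `check_design` on a copy of the model with the static route removed reproduces the problem Philip raised: HQ-bound traffic silently takes the NATed WAN2 path.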

Griz
Conversationalist

Sorry, haven't been able to check back in on my own topic for a couple of days. Thanks for the ideas. ScottWinCO, I think I see where you're going; in your scenario, when you say having DHCP running at HQ, do you mean just having the MX there run it and only serving up an address on the dedicated PTP VLAN, to be assigned to WAN2 on the other end? Would a warm-spare failover need any special considerations, do you think?

Griz, that's exactly right. I have a warm spare on one side of my PTP circuit and haven't needed any specific configuration to accommodate that. On the side where there's a warm spare, the PTP circuit is connected to a downstream switch so that if a failover occurs, or if I reboot the primary, traffic still flows over the PTP circuit. Would be happy to do a diagram if that helps.

Here's the guide that I followed when configuring the PTP circuit. I added to this a physical link from WAN2 to an access port on the PTP VLAN to facilitate the remote site being able to use the PTP circuit for internet via HQ.

https://documentation.meraki.com/MX-Z/Deployment_Guides/MPLS_Failover_to_Meraki_Auto_VPN

The guide shows an MPLS router in the middle. My PTP circuit is MOE and there's no router in the middle, so the subnet is the same on both sides for me.

So WAN2 gets an IP address that is also in the same subnet as one of its LAN ports?

Yes that's correct.

I'm surprised - and happy - that approach works.

Griz
Conversationalist

I look forward to trying it as soon as I can. Thanks again!

  • Want to have Internet failover so that if Site B's cable modem goes down, the Internet connection can be routed through Site A using a 1GB point-to-point fiber L2 connection.
  • I've read the above solution on how to accomplish this using a LAN connection on Site A to the WAN connection on Site B.
  • I have QNAPs on both ends that I want to synchronize (rsync) at night after backups complete, but this will easily be instantly capped by the 500MBps limit on the MX84 at the backup site.
  • Would like to see if there is an alternate way to accomplish this so I can take advantage of the full 1GB link on the PTP connection using only LAN ports on the MXs.