MPLS Failover to Meraki Auto VPN -- MXs in NAT-Mode

whistleblower
Getting noticed

MPLS Failover to Meraki Auto VPN -- MXs in NAT-Mode

mx-mavp-lab.PNGHi all,

 

I´d like to ask you some questions about a MPLS Failover to Meraki Auto-VPN design!

Note: please do not measure the sensibility of the deployment, I`m just thinking and try to get a better technical understanding how things could/would go 🙂

 

In my example topology two sites (Spokes) with MX security appliances (each in NAT-Mode) are connected over an MPLS connection as well as the Meraki site-to-site auto-VPN over Internet to their HQ-MX (Hub) also acting in NAT-Mode. The MPLS links are connected to LAN interfaces to prevent NATing of traffic. All Traffic (Corporate + Web) should utilize the MPLS connection, until a failure occurs, in which case the traffic will be sent over the Meraki auto-VPN. So in both cases the Internet Access should break out centrally!

In BO-01 is a File-Server located which has to be accessed from the Internet via a Public-IP - which is 1:1 mapped on the HQ-MX...

 

Q1-) when using the LAN Interfaces for the MPLS connection, is it possible to influence traffic (e.g. QoS re-marking, ACLs, etc.) -  or would it be better for these requirements to use NO-NAT on the 2nd WAN-Interface which is yet a beta feature?

 

Q2-) is it even possible to use the Hub MX (in NAT-Mode) to terminate the Auto-VPN Tunnels on the specified WAN-Link and also use that WAN-Interface for PAT the IP-Traffic from the Branch-LANs with all possible functionalites e.g. L3/L7-Firewall Rules, Content-Filtering, etc. without problems?

 

Q3-) if the MPLS connection of the BO-01 fails and all traffic is routed over the VPN-Tunnel; is access to the file server still possible in this case or are there perhaps problems with intra-interface traffic or anything other?

4 REPLIES 4
PhilipDAth
Kind of a big deal
Kind of a big deal

> Q1-) when using the LAN Interfaces for the MPLS connection, is it possible to influence traffic (e.g. QoS re-marking, ACLs, etc.)

 

There are no controls for QoS in this area.  You would need to rely on your MPLS router for doing this.

 

> or would it be better for these requirements to use NO-NAT on the 2nd WAN-Interface which is yet a beta feature?

 

>Q2-) is it evenis possible to use the Hub MX (in NAT-Mode) to terminate the Auto-VPN Tunnels on the specified WAN-Link and also use that WAN-Interface for PAT the IP-Traffic from the Branch-LANs with all possible functionalites e.g.

 

PAT does not act on AutoVPN traffic.  Only traffic coming in from the Internet.

 

?Q3-) if the MPLS connection of the BO-01 fails and all traffic is routed over the VPN-Tunnel; is access to the file server still possible...

 

This is quite a complex question because of all the failure scenarios.

If you put in a static route for each remote MX's LAN IP address.  The then created a tracked route for each of these that only sent the traffic if the ping worked then it would fail over.  In most other cases it would not fail over.

https://documentation.meraki.com/MX/Networks_and_Routing/MX_Routing_Behavior#Static_Route_Tracking 

 

 

The AutoVPN over MPLS solution is more complicated to setup, but is superior in handling failure cases and has better SD-WAN capabilities.

https://documentation.meraki.com/MX/Site-to-site_VPN/Configuring_Site-to-site_VPN_over_MPLS 

Hi @PhilipDAth,

 

thank you for your answers on this so far!

I´d like to ask one more question about > Q1-) when using the LAN Interfaces for the MPLS connection...

I assume that when I statically route IP-Networks via a LAN Interface for to an e.g. MPLS Upstream-Router --> NO (traffic, etc.) statistics for that tinterface, no matter where on the Dashboard can be viewed - e.g.

whistleblower_0-1588189526251.png

correct?

 

If so, would this be possible when using the NO NAT/NAT Exemption on the WAN-Interface?

by the way -- As far as I can remember there has already a meraki documentation site exited... which pointed out to that it is currently recommended to use the LAN interfaces (for the time being) for native MPLS... maybe you know this link and can provide it to me?

 

> Q2-) With that question I meant whether it is possible to route IP networks that are not directly connected to the MX, but e.g. with static routes are known to NAT them via the WAN interface (central Internet-Breakout) and use at the same time this WAN interface for auto-VPN tunnel termination as well...

 

> Q3-) when setting up the the "AutoVPN over MPLS solution" I`d lose all of the advantages of the MPLS Network (Any-to-Any Communication, etc.) so that could be a drawback?!

 

Q1: You don't get er interface statistics, correct.  But client and traffic statistics still work.  If you use NO-NAT and a WAN interface you can see traffic interface statistics under uplink statistics.

Q2.  You can not add static routes via the NO-NAT WAN interface.  It only allows a default route.

Q3.  If you want any to any you would need to make every site an AutoVPN hub, but that will cause an explosion in the VPN peer numbers and may require bigger MXs than otherwise needed.  It is not common for spokes to need to talk directly to each other.

 

dsmith
Conversationalist

Great thread.  I have an additional question.

 

The great thing about using an MX in NAT mode with two WAN connections is that it can detect quality problems and failover traffic (i.e., not just a route hard down, but the preferred path having bad loss, jitter, delay).  

 

If you set up MPLS connections on the LAN side, you do not get this feature, as far as I've been able to discover.  Can you possibly confirm if this Is accurate?

 

If you set up the MPLS connections as WAN connections with AutoVPN, you *would* get this behavior (especially desirable for VoIP).  

 

However, the link you provided uses the one-armed-concentrator model of auto-VPN, which will eliminate the abiltiy to use the link tracking quality failover feature on the HQ side.  Is there some reason that the HQ end cannot also terminate the VPNs on WAN interfaces of a large MX operating in NAT mode?

 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels