
MPLS Failover to Meraki Auto VPN -- MXs in NAT-Mode

[Attached topology image: mx-mavp-lab.PNG]

Hi all,

 

I'd like to ask you some questions about an MPLS failover to Meraki Auto-VPN design!

Note: please do not measure the sensibility of the deployment; I'm just thinking and trying to get a better technical understanding of how things could/would go 🙂

 

In my example topology, two sites (spokes) with MX security appliances (each in NAT mode) are connected over an MPLS connection, as well as over Meraki site-to-site Auto VPN across the Internet, to their HQ MX (hub), which also operates in NAT mode. The MPLS links are connected to LAN interfaces to prevent NATing of traffic. All traffic (corporate + web) should use the MPLS connection until a failure occurs, in which case the traffic will be sent over the Meraki Auto VPN. So in both cases the Internet access should break out centrally!

In BO-01 there is a file server which has to be accessed from the Internet via a public IP, which is 1:1 mapped on the HQ MX...

 

Q1-) When using the LAN interfaces for the MPLS connection, is it possible to influence traffic (e.g. QoS re-marking, ACLs, etc.), or would it be better for these requirements to use NO-NAT on the 2nd WAN interface, which is still a beta feature?

 

Q2-) Is it even possible to use the hub MX (in NAT mode) to terminate the Auto VPN tunnels on the specified WAN link and also use that WAN interface for PAT of the IP traffic from the branch LANs, with all possible functionalities (e.g. L3/L7 firewall rules, content filtering, etc.) working without problems?

 

Q3-) If the MPLS connection of BO-01 fails and all traffic is routed over the VPN tunnel, is access to the file server still possible in this case, or are there perhaps problems with intra-interface traffic or anything else?

Re: MPLS Failover to Meraki Auto VPN -- MXs in NAT-Mode

> Q1-) when using the LAN Interfaces for the MPLS connection, is it possible to influence traffic (e.g. QoS re-marking, ACLs, etc.)

 

There are no controls for QoS in this area.  You would need to rely on your MPLS router for doing this.

 

> or would it be better for these requirements to use NO-NAT on the 2nd WAN-Interface which is yet a beta feature?

 

> Q2-) is it even possible to use the Hub MX (in NAT-Mode) to terminate the Auto-VPN Tunnels on the specified WAN-Link and also use that WAN-Interface for PAT the IP-Traffic from the Branch-LANs with all possible functionalities e.g.

 

PAT does not act on AutoVPN traffic.  Only traffic coming in from the Internet.

 

> Q3-) if the MPLS connection of the BO-01 fails and all traffic is routed over the VPN-Tunnel; is access to the file server still possible...

 

This is quite a complex question because of all the failure scenarios.

If you put in a static route for each remote MX's LAN IP address, and then created a tracked route for each of these that only sent the traffic if the ping worked, then it would fail over. In most other cases it would not fail over.

https://documentation.meraki.com/MX/Networks_and_Routing/MX_Routing_Behavior#Static_Route_Tracking 

 

 

The AutoVPN over MPLS solution is more complicated to setup, but is superior in handling failure cases and has better SD-WAN capabilities.

https://documentation.meraki.com/MX/Site-to-site_VPN/Configuring_Site-to-site_VPN_over_MPLS 
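As an added illustration of the tracked-route failover described in this reply (not code from the post or from Meraki), here is a small Python model of how a hub MX's tracked static route either keeps a branch LAN on MPLS or lets the Auto VPN route take over. It goes one step beyond the reply by contrasting a route that tracks the MPLS next hop with one that tracks a host inside the remote LAN; all addresses and outage scenarios are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed lab addressing, not taken from the post: hub LAN 10.0.0.0/24,
# MPLS CE router on the hub LAN at 10.0.0.2, BO-01 LAN 10.1.0.0/24 with
# gateway 10.1.0.1 and the file server at 10.1.0.50.
HUB_MPLS_ROUTER = "10.0.0.2"
BO01_LAN = "10.1.0.0/24"
BO01_GATEWAY = "10.1.0.1"
FILE_SERVER = "10.1.0.50"


@dataclass(frozen=True)
class TrackedRoute:
    """Static route on the hub MX that is only installed while `track` answers ping."""
    prefix: str
    next_hop: str
    track: str


def select_path(dest, routes, reachable):
    """Path the hub uses for `dest`.

    `reachable` is the set of IPs the route tracker currently gets ping replies
    from (a constructed stand-in for the MX's probes). An active tracked route
    wins; otherwise the Auto VPN route advertised by the spoke is used.
    """
    for r in routes:
        if ip_address(dest) in ip_network(r.prefix) and r.track in reachable:
            return ("mpls", r.next_hop)
    return ("autovpn", None)


def failure_matrix(route):
    """Path chosen for the BO-01 file server under three constructed outages."""
    scenarios = {
        "all up": {HUB_MPLS_ROUTER, BO01_GATEWAY, FILE_SERVER},
        # BO-01's MPLS access link is down; the hub-side CE router still answers.
        "bo01 mpls link down": {HUB_MPLS_ROUTER},
        # The hub-side CE router itself is down.
        "hub mpls router down": set(),
    }
    return {name: select_path(FILE_SERVER, [route], up)[0]
            for name, up in scenarios.items()}


# Tracking the next hop only detects failures of the hub-side router.
TRACK_NEXT_HOP = TrackedRoute(BO01_LAN, HUB_MPLS_ROUTER, HUB_MPLS_ROUTER)
# Tracking a host inside the remote LAN also catches failures beyond it.
TRACK_REMOTE_HOST = TrackedRoute(BO01_LAN, HUB_MPLS_ROUTER, BO01_GATEWAY)
```

With next-hop tracking, the "bo01 mpls link down" case keeps sending file-server traffic into the MPLS cloud, which is the kind of failure scenario the reply warns about; tracking a host in the remote LAN fails that case over to Auto VPN.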
