MPLS - VLAN Tagged Only

Solved
soundman353
Here to help

MPLS - VLAN Tagged Only

Hello All,

I am trying to setup Point to Point connection between two MX's. I have a copper handoff at the main office and a LX optic at the remote office. Both ports are being tagged by the ISP and have no IP addresses. At the main campus I have an 2nd copper handoff going to a router, with two vlans that are my internet connection. How can I setup up the AutoVPN with failover? In the Meraki guides the routers, and they have IP addresses. I have read the guides but now I am just confused.

Thanks,

Shawn

1 Accepted Solution

The solution that worked for me was to place a switch in front of the remote MX to receive the trunk port from the ISP. The remote MX is connected to an access port. I used one of the public IP's that was assigned to us for the uplink, and set that as a static IP.

On the main office side I placed a switch between the router and the main MX. The router and MX are connected to access ports, while the PTP connection is a trunk port. All of the ports are on the same VLAN.

Thanks for the help.

View solution in original post

8 Replies 8
GIdenJoe
Kind of a big deal
Kind of a big deal

As I understand it you simply don't have an internet connection at the remote site.
You can't have an MX there if you don't have an internet connection.

To be able to use the full SD-WAN you'd need an internet breakout on that MPLS circuit.
Since that's not the case you could however do the static LAN route over the MPLS circuit by defining a small subnet that is common to both main and remote and point to each others LAN subnets via that small subnet and make the route conditional to a ping to the other side.

But then you'd need an internet connection on the remote site to have an MX link to the internet and build an AutoVPN between the MX'es on both locations.  However that VPN will only be used as backup if the MPLS would have failed.

cmr
Kind of a big deal
Kind of a big deal

As long as the remote site is set to tunnel all traffic back to the main one and once it gets there it can get to the internet you will be fine.

 

The main site has the mx in concentrator mode and you put a layer3 switch in between the WAN connection and it.  The layer3 switch also routes to your corporate internet and it all works fine.

 

So remote site:

 

LAN->MX->WAN

 

Main site:

 

WAN->L3switch->MX

                   |

                  V

       Internet firewall

 

Sorry for text pictures, hope it makes sense!

cmr
Kind of a big deal
Kind of a big deal

For the IP at the remote site you have IP on WAN and gateway is interface on L3 switch at main site

If I have the ISP add the PTP VLAN to trunk port that feeds my router, can I use the router instead of more equipment?

 

So the remote MX would have an IP of 10.0.0.3/31 and the router would be 10.0.0.4/31?

The gateway for the remote MX would be 10.0.0.4 correct?

I would need to have a default route on the router to the main MX?

Not sure Meraki supports /31 subnets.  You could surely use /30 but if you ever consider HA pairs then you'd need /29's.

 

You would not need any routing to the internal subnets on the router because the MX box'es NAT all traffic going to the internet via that link.  And the AutoVPN is tunneled OVER that WAN address space.

 

So to recap once more:

You could have 2 WAN subnets behind the router, each serving as a point to point subnet between MX hub and router and also MX spoke and router.  If that router then further uplinks to the internet you will have following traffic patterns.

 

Hub internet traffic leaving WAN1 comcast will be NAT'ed to the comcast uplink.
Hub internet traffic leaving WAN2 would be NAT'ed to the small subnet between Hub and Router (say for example 10.0.0.2/29) and then routed to the internet and be NAT'ed again.  If double NAT is not your cup of tea you'd need public subnets between MX and router instead.
Hub local traffic going to spoke will be policy routed between both VPN tunnels.  So in case of going over comcast the UDP encrypted VPN traffic will just go over the internet to the spoke MX.
Hub local traffic going to spoke via the MPLS will first be encapsulated in VPN then go to the router, the router having both WAN subnets will just route between interfaces and will send the traffic over the MPLS to the WAN interface of the spoke MX.

I hope this clears it up a bit? ;D

The solution that worked for me was to place a switch in front of the remote MX to receive the trunk port from the ISP. The remote MX is connected to an access port. I used one of the public IP's that was assigned to us for the uplink, and set that as a static IP.

On the main office side I placed a switch between the router and the main MX. The router and MX are connected to access ports, while the PTP connection is a trunk port. All of the ports are on the same VLAN.

Thanks for the help.

Hopefully my diagram helps. This is the current setup. The main site MX is routed mode, as it is firewall for the system. I do have an internet connection at the remote site.

2020-05-08_17-01-29.jpg

So those 2 VLANs are meant to be routed subnets for your two MX'es?

Do those 2 VLANs exist behind the router?

I'm confused about about your drawing because it does not provide enough data about the subnets and the router.

1) You should be consistent with your internet connections, so on both MX'es put them on WAN1 or WAN2 but not mixed.

2) I'm guessing one of those VLANs exist behind the router as an uplink to the router to go to the internet via that MPLS provider.  So if it's only one VLAN behind the router you'd need that VLAN subnet to be /29 or lower so both MX'es and the router can have an IP in that subnet.  And that VLAN needs to cross the link between the sites.  If they are 2 separate VLANs for each site one. Then you can go with a /30 and have both MX'es in a separate VLAN and subnet with their WAN connection.  Then only that VLAN needs to match with the VLAN crossing the link to the other side.

In both cases you can have a full SD-WAN as long as you have the two VLANs at the router.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels