MX-105 BGP deployment as Edge(y) device

Solved
StephenSureau
Conversationalist

Hi,

I work for a state agency where we must procure our WAN connections via another state agency that handles a lot of services for the state. We also aren't allowed to roll our own VPN or SD-WAN due to this regulation, which seems like it may be a sticking point for using the MX. The rest of my network infrastructure is comprised of Meraki switches, so I looked into the MX when I needed to replace the Cisco layer 3 switch providing our connection to their network and our WAN connection. CDW assured me it would work for my situation, so I purchased some for our different office locations. It looks like routed mode would be best for my situation, but I read that this would cause the MX to NAT traffic to its WAN connection interface, which wouldn't be good. I'm a bit lost as to how to proceed and will be opening a ticket with Meraki, but thought I would ask here as well.

My topology will be mx.JPG

1 Accepted Solution
Ryan_Miles
Meraki Employee

Routed mode BGP is new in 18.2 and does support peering on the WAN and LAN. Still basically in beta and requires Support to enable it today.

Some design examples are shown here https://documentation.meraki.com/MX/Networks_and_Routing/Border_Gateway_Protocol_(BGP)#Scenario_4:_R...


I'd recommend you talk through the design requirements/goals with your Meraki SE. From what I gather from this thread I'm not sure you were given proper guidance from the partner or perhaps they didn't understand your requirements. 

Ryan

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.

alemabrahao
Kind of a big deal

Here is some information.

  • Mixed operation of MX14 and MX15/16 networks is NOT supported
  • IPv6 is currently only supported in One-Armed Concentrator mode
  • To enable routed mode BGP there are two requirements:
    • MX must be running MX 18.205 or higher firmware
    • You will also require the MX to be put into No-NAT mode; please reach out to Support to have this enabled.

https://documentation.meraki.com/MX/Networks_and_Routing/Border_Gateway_Protocol_(BGP)

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
StephenSureau
Conversationalist

Thanks so much for the info on the No-NAT mode! That is very helpful, I appreciate it. Luckily we're not running IPv6, so that isn't an issue for this deployment. I'll be running one MX-105 at our main office and MX-85s at our satellite offices. We also have two data centers and Azure which we connect to as well, just for context. Any ideas on how to configure this on the MX to work as I wish?

StephenSureau
Conversationalist

Specifically, I was wondering about the Auto-VPN portion that needs to be enabled in order to use BGP. Is there a way to leverage this without actually routing any traffic to the VPN? Also, if the VPN tunnels go down, will BGP also go down for the rest of the routing? Thanks

alemabrahao
Kind of a big deal

The documentation has some scenarios, have you checked them out?

StephenSureau
Conversationalist

Yes, I've been over them and all the documentation I could find, but none of the scenarios seem that close to mine. I see that the routed mode scenario 4 is likely the closest to my scenario, but I won't be using the VPN at all. My LAN will be connected via one of the LAN ports and all that traffic needs to route through the MX device. All the LAN traffic will be routed to the MX via our Palo Alto on site. The WAN connection will be connected to 4 BGP peers for our uplink/WAN. So really all the MX needs to do is have a static route to the Palo Alto for all 10.2.0.0/16 (LAN space) and handle route distribution on the WAN connection. I may introduce more features later on if the MX handles the traffic as I expect it should, but I need to get its main function operational.

alemabrahao
Kind of a big deal

To be honest, as far as I know, just like OSPF, BGP is just for routing traffic within SD-WAN, so I believe that MX will not meet what you want.

Ryan_Miles
Meraki Employee

Wanted to clarify one bit. BGP on the LAN side of the MX doesn't require Support involvement. With firmware 18.2 on a supported hardware model this BGP can be enabled. BGP on the WAN side is what requires Support enablement at the moment.

Ryan
