MX-450 WAN port question default route

FDM

Hi,
I have a question about the WAN-1 port on a Meraki: does it need a default route to connect to the internet?

Suppose I have the topology below: the WAN-1 port is allowed to the internet but has a private IP, and remote sites connect to the private IP using AutoVPN. I do not want the default route to be on WAN-1 but on VLAN-Y; VLAN-Y doesn't have internet access.

Will WAN-1 still be able to connect to the internet? WAN-1 of course has a gateway configured.


[Topology diagram: FDM_1-1610974825401.png]


Accepted Solution
GreenMan, Meraki Employee

MXs have a default route of last resort via either / both WAN ports by default and this can't be removed. These paths will always be used for management traffic by the MX. These WAN ports must be able to reach the Internet, somewhere upstream, in order for them to be deemed operable. See https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/Connection_Monitoring_for_WAN_Failo...

It's not important that the WAN ports themselves have a public IP address.

 

You can add static routes (including a default route) on the LAN side, if you so wish - this would affect 'user traffic' not MX management.

 

While you can form AutoVPN tunnels over a LAN interface, note that the destination for those will remain one of the physical IP addresses assigned to one of the WAN ports. Bear this in mind when considering any SD-WAN rules, for instance.

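Added example (Python), written for this page and not code from the thread or from Meraki: it models the two routing behaviours the accepted solution describes with a longest-prefix-match lookup over two route tables, one for MX-originated management traffic (which always carries the non-removable WAN default) and one for LAN user traffic (where an admin-added static default can point at VLAN-Y instead). It also encodes the AutoVPN endpoint rule given later in the thread (same public IP at both ends: tunnel between the private WAN IPs; different public IPs: tunnel between the public IPs). The two-table split is a simplification for illustration, and every address, interface name and route is constructed for the example.

```python
import ipaddress
from typing import List, Optional, Tuple

# A route is (prefix, egress interface, next hop or None when directly connected).
Route = Tuple[ipaddress.IPv4Network, str, Optional[str]]

# Constructed addressing for the example; nothing here comes from the original post.
WAN1_GATEWAY = "10.200.0.1"      # private upstream gateway on WAN-1; Internet is reachable via NAT upstream
VLANY_NEXT_HOP = "10.50.0.254"   # router on VLAN-Y; no Internet breakout behind it


def build_table(routes: List[Tuple[str, str, Optional[str]]]) -> List[Route]:
    return [(ipaddress.ip_network(prefix), iface, next_hop) for prefix, iface, next_hop in routes]


# Route of last resort via the WAN uplink: present on every MX and not removable.
# MX-originated traffic (dashboard check-in, uplink connection monitoring, AutoVPN) uses this table.
MANAGEMENT_TABLE: List[Route] = build_table([
    ("0.0.0.0/0", "wan1", WAN1_GATEWAY),
])

# LAN-side table seen by user traffic: connected VLANs, the AutoVPN route to the remote
# site, and the admin-added static default that points at VLAN-Y instead of WAN-1.
USER_TABLE: List[Route] = build_table([
    ("10.10.0.0/24", "vlan-x", None),
    ("10.50.0.0/24", "vlan-y", None),
    ("10.20.0.0/16", "autovpn", None),
    ("0.0.0.0/0", "vlan-y", VLANY_NEXT_HOP),
])


def lookup(table: List[Route], destination: str) -> Optional[Route]:
    """Longest-prefix match: the most specific prefix containing the destination wins."""
    dst = ipaddress.ip_address(destination)
    best: Optional[Route] = None
    for route in table:
        prefix = route[0]
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = route
    return best


def user_egress(destination: str) -> str:
    """Interface a LAN client's packet leaves on (follows the LAN-side static default)."""
    route = lookup(USER_TABLE, destination)
    return route[1] if route else "unreachable"


def management_egress(destination: str) -> str:
    """Interface the MX's own traffic leaves on (always the WAN route of last resort)."""
    route = lookup(MANAGEMENT_TABLE, destination)
    return route[1] if route else "unreachable"


def autovpn_endpoints(local_wan_ip: str, local_public_ip: str,
                      peer_wan_ip: str, peer_public_ip: str) -> Tuple[str, str]:
    """Addresses the tunnel is built between: same public IP at both ends -> the
    physical WAN IPs, otherwise the two public IPs (rule stated in the thread)."""
    if local_public_ip == peer_public_ip:
        return local_wan_ip, peer_wan_ip
    return local_public_ip, peer_public_ip


if __name__ == "__main__":
    # A LAN client bound for the Internet follows the admin's static default towards VLAN-Y ...
    print("client -> 8.8.8.8 via", user_egress("8.8.8.8"))          # vlan-y
    # ... while the MX's own dashboard/AutoVPN traffic still leaves via WAN-1.
    print("mx     -> 8.8.8.8 via", management_egress("8.8.8.8"))    # wan1
    print("client -> 10.20.5.5 via", user_egress("10.20.5.5"))      # autovpn
    # Both MXs behind the same public IP: tunnel between their private WAN IPs.
    print(autovpn_endpoints("10.200.0.2", "198.51.100.1", "10.200.0.3", "198.51.100.1"))
    # Different public IPs: tunnel between the public IPs.
    print(autovpn_endpoints("10.200.0.2", "198.51.100.1", "172.16.0.2", "203.0.113.7"))
```

The practical consequence the model makes visible: pointing the user default at VLAN-Y does nothing to the MX's own Internet dependency. WAN-1 must still pass the uplink connection monitoring checks through its private gateway, or the MX marks the uplink as failed regardless of where the LAN-side default points.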
6 Replies

GreenMan, Meraki Employee

Actually, I realise I partially misinterpreted what you said; you are not trying to terminate the VPN tunnels via the LAN interface (though what I said about that holds true).

 

Only the IP addresses physically assigned to the MX WAN ports and/or the public IPs that they NAT behind are considered, when forming tunnels. VPN tunnels are formed based upon the public IP addresses of the MXs at each end.

If both MXs break out via the same Public IP, they form their tunnel between the physical IPs. If they have different Public IPs, they form between the two public IPs.

 

Your MPLS network will need to be able to break out to the Internet, as I mentioned in my previous reply.

 

GreenMan, Meraki Employee

It looks like you're putting the MX in question in a Data Centre?   Have you considered using one-armed VPN Concentrator mode?

FDM

Hi GreenMan,

Yes, I considered placing it as one-armed, but this doesn't suit my requirements.
The WAN ports will have private IPs but with outbound internet access, otherwise AutoVPN will not work. The tunnels will be formed on private IPs then.

Frederik

GreenMan, Meraki Employee

I'd be interested to hear what you would lose in VPNC mode, which you need?

FDM

Hi,

I need to have a directly connected subnet on one end of the firewall; it must be separated physically.
Otherwise I would go for one-armed, which would make my life easier.
