MX Backup Default Route

Solved
Mkozicki
Getting noticed

I have a customer that needs to have Auto-VPN backup connections for remote branch locations. Each remote location has a direct 100 Mbps connection over a metro ethernet provider. They also want to have local internet at each branch location.

We have set this up and it is working fine, putting the internet connection on WAN 1 and the point-to-point connection on an internal port and setting up static routes (it would be nice if we could run routing protocols to do this; they have a lot of networks at each branch).

In our setup we are using the local Internet connection to access the internet, and all the traffic back to the main site is going over the point-to-point connection. We tested shutdown of the point-to-point and all traffic fails over to the Auto-VPN connection just fine.

Our issue is that we want to set up a failover for the internet as well, where if the branch internet should fail the remote branch can get internet from the main location along with the connections to all the other networks. We don't want to use the point-to-point for internet unless the branch local internet connection is down.

Is this something that can be done? I have not found a way to set this up but I may have missed it.


Thanks

Michael Kozicki
CCIE #5367
MJK Net Inc.
alemabrahao
Kind of a big deal

Maybe a topology like this one could be a solution.

[Image: proposed topology diagram]


I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

I guess it could, but that is going to become much more complex than if there was just a way to have a backup static route for internet connections.

Perhaps there is a hidden option that I need to call support to have turned on. Really what I need is just a way to have a lower priority default route that can point to the point-to-point link for if/when the internet connection is down.

I could make what you are showing work, but I would have to build another L3 network outside the firewalls and that seems like more work and hardware than they are going to want to invest in.

Michael Kozicki
CCIE #5367
MJK Net Inc.
Ryan_Miles
Meraki Employee

Many customers do this by landing the private WAN connection on an MX WAN port. You then have AutoVPN tunnels over both links. So, you no longer require static routes. Routing is handled by AutoVPN and what networks are marked for VPN.

On the SD-WAN/traffic shaping page you can create rules for which WAN path to take. In this configuration internet-bound traffic can take the private WAN path through HQ as you described.

Is there a document on this on the Meraki site? I did find one for using internal ports but this makes more sense. I will see about doing a re-configuration for them once I go on site again in a few weeks.

They don't have MPLS; they have 4 remote locations each with a point-to-point ethernet link. So it's not an MPLS cloud but a bunch of point-to-point links. I should still be able to make what you are saying work.

Michael Kozicki
CCIE #5367
MJK Net Inc.
PhilipDAth
Kind of a big deal

This is a document on how to run AutoVPN over both an internal private network and a backup over the Internet.

https://documentation.meraki.com/MX/Site-to-site_VPN/Configuring_Site-to-site_VPN_over_MPLS

 

Although MPLS is mentioned, there is no requirement for MPLS.  It just has to be a private network.

GreenMan
Meraki Employee

I'd recommend you connect the Metro ethernet via WAN2 and configure proper SD-WAN to address this. As it appears it's an entirely private connection, you may want to ask Meraki Support to enable 'No-NAT' on the Metro ethernet uplink. You would probably configure the primary uplink as WAN2; then, provided you don't advertise a default route from your SD-WAN Hub(s), Internet traffic will break out locally, and you would configure an any x5 SD-WAN flow preference for Internet traffic to prefer the Internet link. Thus both services would be backed up over the opposite link.
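The design in this reply (Internet on WAN1, metro ethernet on WAN2 as the primary uplink, no default route taken from the hubs, and an any/any flow preference steering Internet traffic to WAN1) can be expressed as two Dashboard API v1 payloads and checked for the intended failover behaviour before anything is pushed. The script below is an added example written for this thread, not Meraki's code or the poster's configuration; the network and hub IDs are placeholders, the branch subnets are constructed sample values, and it only builds and validates the payloads (sending them with an HTTP client is left to the reader).

```python
# Added example (not from the thread): build and sanity-check the Meraki MX
# SD-WAN / AutoVPN payloads for "local Internet first, private WAN as backup".
# Field names follow the Dashboard API v1 endpoints
#   PUT /networks/{id}/appliance/vpn/siteToSiteVpn
#   PUT /networks/{id}/appliance/trafficShaping/uplinkSelection
# All IDs and subnets here are placeholders / constructed sample values.
import json

# "any x5" custom filter: any protocol, any source cidr/port, any destination cidr/port
ANY_FILTER = {
    "type": "custom",
    "value": {
        "protocol": "any",
        "source": {"cidr": "any", "port": "any"},
        "destination": {"cidr": "any", "port": "any"},
    },
}

INTERNET_UPLINK = "wan1"  # local ISP circuit at the branch
PRIVATE_UPLINK = "wan2"   # metro ethernet point-to-point toward HQ


def site_to_site_vpn_payload(hub_ids, local_subnets):
    """Spoke config: VPN-enable the branch VLANs but take no default route from
    any hub, so Internet traffic breaks out locally instead of via the tunnel."""
    return {
        "mode": "spoke",
        "hubs": [{"hubId": h, "useDefaultRoute": False} for h in hub_ids],
        "subnets": [{"localSubnet": s, "useVpn": True} for s in local_subnets],
    }


def uplink_selection_payload():
    """SD-WAN policy: the private WAN is the primary uplink (VPN traffic prefers
    it), while an any/any rule sends non-VPN Internet traffic out WAN1. With
    immediate failover each class moves to the other uplink when its own drops."""
    return {
        "activeActiveAutoVpnEnabled": True,
        "defaultUplink": PRIVATE_UPLINK,
        "loadBalancingEnabled": False,
        "failoverAndFailback": {"immediate": {"enabled": True}},
        "wanTrafficUplinkPreferences": [
            {"trafficFilters": [ANY_FILTER], "preferredUplink": INTERNET_UPLINK}
        ],
        "vpnTrafficUplinkPreferences": [
            {"trafficFilters": [ANY_FILTER], "preferredUplink": PRIVATE_UPLINK}
        ],
    }


def check_design(vpn, uplink):
    """Return the list of problems that would break the intended behaviour.
    An empty list means the two payloads match the design."""
    problems = []
    if vpn.get("mode") != "spoke":
        problems.append("branch must be an AutoVPN spoke")
    for hub in vpn.get("hubs", []):
        if hub.get("useDefaultRoute"):
            problems.append(f"hub {hub['hubId']} supplies a default route; "
                            "Internet traffic would always be pulled into the tunnel")
    if uplink.get("defaultUplink") != PRIVATE_UPLINK:
        problems.append("VPN traffic should default to the private WAN uplink")
    wan_rules = uplink.get("wanTrafficUplinkPreferences", [])
    if not any(r.get("preferredUplink") == INTERNET_UPLINK
               and ANY_FILTER in r.get("trafficFilters", []) for r in wan_rules):
        problems.append("no any/any WAN flow preference sending Internet traffic to wan1")
    if not uplink.get("failoverAndFailback", {}).get("immediate", {}).get("enabled"):
        problems.append("immediate failover/failback disabled; flows would not move "
                        "when an uplink goes down")
    return problems


def api_calls(network_id, vpn, uplink):
    """(method, path, body) tuples to send against https://api.meraki.com/api/v1."""
    return [
        ("PUT", f"/networks/{network_id}/appliance/vpn/siteToSiteVpn", vpn),
        ("PUT", f"/networks/{network_id}/appliance/trafficShaping/uplinkSelection", uplink),
    ]


if __name__ == "__main__":
    # constructed sample input: one HQ hub and two branch VLANs
    vpn = site_to_site_vpn_payload(["N_HQ_PLACEHOLDER"], ["10.10.1.0/24", "10.10.2.0/24"])
    uplink = uplink_selection_payload()
    print("problems:", check_design(vpn, uplink) or "none")
    for method, path, body in api_calls("N_BRANCH_PLACEHOLDER", vpn, uplink):
        print(method, path)
        print(json.dumps(body, indent=2))
```

Run `check_design` against the live config (GET the same two endpoints) as well as against what you intend to push: a hub that was later switched to supply a default route, or a deleted any/any rule, silently turns "local breakout with private-WAN backup" back into "everything through HQ", and this check catches both.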

I forgot about the NAT issue from the above post. For sure we need to not have NAT on the private connections because that would break a bunch of other security running behind the firewalls.

Thanks

Michael Kozicki
CCIE #5367
MJK Net Inc.

Keep in mind that when you land private WAN on an MX WAN port and then do AutoVPN, traffic isn't being NAT'd. It's L3 routed traffic inside a VPN.

Okay, so we don't need to get the NAT turned off. Thanks both of you. The Auto-VPN solution seems simplest.

I will place a switch outside of the firewalls and connect all the point-to-point connections to that and put them all into a single L3 subnet so they can talk any to any. Then I will make them all hubs for the Auto-VPN and that should solve all the issues.

I don't know if there is a design guide for this, but there should be one posted on the Meraki documentation site if there is not one already.

Thanks both of you for your assistance.

Mike

Michael Kozicki
CCIE #5367
MJK Net Inc.
GreenMan
Meraki Employee

The native IP addressing is retained for traffic that flows within the VPN, but by default, when the Internet traffic flows over the metro ethernet circuit, it will be NATed behind the address assigned to that MX's WAN interface. This should not be a problem for outbound sessions, but inbound ones (if you have them) would be blocked by the MX firewalling, by default. If, for example, you have a system in your HQ that needs to initiate a session to a device on a VPN-disabled VLAN at your remote site, the NAT & firewalling will need to be addressed: https://documentation.meraki.com/MX/NAT_and_Port_Forwarding/Port_Forwarding_and_NAT_Rules_on_the_MX

Unless you go for No-NAT.

I forgot to mention that the MX250 at the head end already has 2 x internet connections, so is there a workaround to be able to still do this solution?

Also, the 2nd WAN has to use DHCP because the ISP won't supply a static IP.

Is there a hidden feature to have a 2nd IP on a WAN interface, or a way to make another port also function as a WAN interface?

Or a way to run an Auto-VPN on the inside ports?

Michael Kozicki
CCIE #5367
MJK Net Inc.