MX Broadcast Multicast Control

FlyingFrames
Building a reputation

We are designing a 1000-site deployment with Z3 as the teleworker solution. There are 1000 sites with one Z3 at each site. As per the documentation, these will be L2 tunnels from the MX in the datacenter. If all of them are in one VLAN, can the MX, acting as tunnel concentrator, provide some broadcast/multicast knobs for controlling that traffic? Or would each site be subject to broadcasts from another site?

NolanHerring
Kind of a big deal

I have no experience with multicast over or beyond the MX, but based on this document, multicast isn't supported over AutoVPN?

https://documentation.meraki.com/zGeneral_Administration/Other_Topics/Multicast_support

IGMP Support on the Cisco Meraki Security Appliance

MX Security Appliances will forward IGMP traffic for a single broadcast domain. It does not forward multicast traffic upstream, between VLANs, or over a VPN.

I was under the impression that it was a new feature almost a year ago, so I'm not certain if they simply have not updated the documentation, or if you need to contact support to have them enable it (since it might be a hidden feature), which wouldn't surprise me.

Nolan Herring | nolanwifi.com
BrechtSchamp
Kind of a big deal

As far as I know, site-to-site VPN tunnels on MX are always L3 tunnels. All branches will have their own subnet (and if they don't, you'll need to contact Meraki support to have them enable VPN subnet translation).

So you don't have to worry about broadcast traffic from one branch reaching all other branches. Do you need L3 multicast?

Make sure you use either MX250s or MX450s (two or more for redundancy) as concentrator/hub to support those 1000 tunnels. And use Spoke mode on the Z's, as Mesh mode would require too many tunnels.

FlyingFrames
Building a reputation

Thanks everyone for their detailed inputs & recommendations. However, as per the following link, MR creates an L2 tunnel! 😞

https://documentation.meraki.com/MR/Client_Addressing_and_Bridging/MR_Teleworker_VPN

“A Meraki AP at a remote site establishes a layer 2 connection using an IPSec-encrypted UDP tunnel back to the corporate LAN. Tunnels are established on a per SSID basis, and terminate at headquarters on a Meraki MX security appliance.”

NolanHerring
Kind of a big deal

Hmm... I think you're confusing two different technologies here.

The AP (MR model) doing a tunnel I do not think is the same as the Z3 (which is an MX model) doing a tunnel (which does L3).
Nolan Herring | nolanwifi.com
BrechtSchamp
Kind of a big deal

I'm with Nolan. And Teleworker Z1 and Z3's also do L3.

PhilipDAth
Kind of a big deal

You should reach out to a Cisco Meraki partner or a Meraki SE for assistance with designing a network of that size.

NolanHerring
Kind of a big deal

For reference, here is an older blog post but still good to read about using the MR tunnel mode (I don't recommend).

https://cantechit.com/2016/08/04/meraki-wireless-concentrator-tips-and-tricks/

Plus, you mentioned you're using Z3, so that is AutoVPN (L3).
Nolan Herring | nolanwifi.com