MX WAN ports - Without NAT

SOLVED
ArielA
Comes here often


Hello,

I am thinking about a deployment of SD-WAN over two MPLS links at the branches. Due to some reasons the customer is not (at this time) planning to replace one of the links with an Internet link.

This brings me to a question I do not find an easy answer for. Is it possible to use the MX in routed mode without NATing the LAN side? Is it possible to connect the MPLS links to the WAN ports of the MX, and skip NAT?

I have read some posts about No-NAT being in beta release, but they are from 3 years ago. I am not sure whether this is currently a feature.

Thanks,

1 ACCEPTED SOLUTION
Bruce
Kind of a big deal

@ArielA, the MX doesn't support any dynamic routing protocol on the WAN interfaces when set up in routed/NAT mode, so you first need to address that. You'll need to speak with the MPLS VPN provider to see if they can set up a default route for the customer within the MPLS VPN. You then configure static addressing and default gateway on the MX WAN port and the MPLS network takes care of the routing.

Once the default route is in place on the MPLS VPN, establishing the SD-WAN on top of this is then pretty much the same outcome as the GRE tunnel you have at the moment except that it uses IPsec and it's a lot more auto-magic, but you need the routing in the MPLS network to support it.

If the MPLS provider can't provide a default route directly within the MPLS VPN then the MX probably isn't the solution (yes, you could do GRE tunnels to a Cisco router, then put the MX on the end of it, but you'll be doing an IPsec tunnel in a GRE tunnel). Personally if the MPLS provider can't provide the default route I'd kick the MPLS provider and either find another one or do SD-WAN over internet links.

REPLIES
Brash
Kind of a big deal

No-NAT is possible but I believe it still requires Meraki Support to enable.

You also need to be running a semi-recent firmware version, 15.x and above.

Bruce
Kind of a big deal

@ArielA, what others have posted about No-NAT is correct, but if you are planning on doing SD-WAN then it's not required. Traffic that enters an AutoVPN tunnel (such as in an SD-WAN environment) isn't NATed anyway, so when it pops out of the SD-WAN head-end it has exactly the same source IP address as when it entered.

Unless you really have to use No-NAT, and have a really clear reason for it, I'd avoid it as it adds other considerations to the deployment too, such as inbound firewalls.

Just remember if you are doing SD-WAN over MPLS private IP networks you need to have a default route to the internet from that network so each WAN port of the MX can register to the Meraki Dashboard and VPN registry.

ArielA
Comes here often

Hi Bruce,

Thanks for this insight.

The deal with the No-NAT is to try to understand whether we can use the WAN/Internet ports of the MX to connect to the MPLS links, or whether we would need to connect the MPLS links to LAN ports (with VLANs and subnets).

Not sure whether private links, not requiring address translation, could be connected to WAN/Internet ports of the MXs.

Thanks,

You absolutely can use MX WAN ports to link to your MPLS, and in many cases, you probably should.

As mentioned previously, for any Spoke VLANs that are configured to be 'VPN mode = enabled', their IP addressing will remain native across the VPN, inside the tunnels.

It's where you have VLANs that are 'VPN mode = disabled' where NAT comes in. This might be for a Guest VLAN, for example. Traffic from those VLANs, bound for anything other than a VLAN or route on the local MX, would indeed be NATed out of the preferred WAN interface. That doesn't mean that those clients can't access resources on the MPLS network (in fact, you may well want to take steps to ensure that they can't), but the MPLS routing will need to account for the source IP being different. Bear in mind too that any inbound session requests (e.g. to a server at the spoke site), outside of any tunnels, will also be dropped by default. You would need to configure port forwarding, 1:1 NAT etc. to allow such communications: https://documentation.meraki.com/MX/NAT_and_Port_Forwarding/Port_Forwarding_and_NAT_Rules_on_the_MX

You may well have come across MPLS links being connected to MX LAN ports. This too is possible, but it delivers a failover scenario; it's not SD-WAN: https://documentation.meraki.com/MX/Deployment_Guides/MPLS_Failover_to_Meraki_Auto_VPN

cmr
Kind of a big deal

@ArielA we run an SD-WAN setup with 12 sites where 4 are using internet connections and 7 are using VPLS/MPLS connections.

The main DC has both internet and VPLS/MPLS with the internet terminating on some other firewalls and the VPLS and MPLS terminating on a L3 switch with the default gateway pointing to those other firewalls. At that site the MXs are in single-armed concentrator mode.

Reading what I've written, we might need to do the same at the DR DC as if we lose the main site, the MPLS spokes will lose internet connection...

ArielA
Comes here often

Hi,

The scenario that I have is similar to the one you have described, except that this customer does not have VPLS/MPLS, but L3VPN/MPLS. I am now thinking about how to achieve centralized (at the HQ) Internet connection from the branches with this MPLS (L3VPN) service in between.

The MX would receive the MPLS links directly, with no other router in front that could build a GRE tunnel to HQ and inject a default route.

Even though I think I could temporarily provide Internet access to the MX via an alternative path, I am not sure whether the MX can learn a default route from the HQ via the AutoVPN.

Any advice?

Bruce
Kind of a big deal

@ArielA, here is a document that explains how to set it up, https://documentation.meraki.com/MX/Site-to-site_VPN/Configuring_Site-to-site_VPN_over_MPLS

You use an MX in concentrator mode at HQ, so that the traffic from the MPLS network can also get directly to the internet. Since HQ is the point where the MPLS network accesses the internet, this is also where you inject the default route into the MPLS network. This allows all the MX devices access to the internet.

ArielA
Comes here often

Thanks Bruce for the advice.

I've seen that link before. The point with that scheme (the one here: https://documentation.meraki.com/MX/Site-to-site_VPN/Configuring_Site-to-site_VPN_over_MPLS ) is that it assumes I can set the MX's default route to point to the Cisco MPLS router in the picture. Currently, this Cisco MPLS router belongs to the customer, but it is EoSupport. We are trying to replace that Cisco MPLS router with the MX, while also taking advantage of SD-WAN capabilities.

Currently, with that Cisco router acting as an MPLS router, we have GRE + OSPF + a default route injected via OSPF from the HQ to the branch, and machines in the branch are able to reach the Internet (centralized at the HQ) through the MPLS network, but via the overlay GRE tunnel.

Removing that Cisco MPLS router from the picture would leave just the MX receiving the MPLS links directly (this is what we are evaluating). Under this setup, I think that pointing a default route to the MPLS PE router (not belonging to the customer) will blackhole the traffic destined to the Internet. The actual MPLS links do not include routing to the Internet.

Here is where I ask for alternatives. Is the scheme we are evaluating possible, with the MX receiving the MPLS links directly? As far as I know MXs do not support GRE, so that we could collapse what the current Cisco MPLS router is doing into the MX and do SD-WAN at the same time. Or do you think we would require two devices, a new MPLS router (customer-managed), and the MX behind it?

Thanks,
