Meraki Community

Aamir

Hi,

Is this correct that each WAN ports in MX needs access to Internet (to reach the Meraki dashboard)? If a customer has one internet link and MPLS link at branch site connected to MX, is it a must that the MX at the branch location must have access to the Internet via the MPLS link to send its management traffic to the Cloud. This Internet connection will most likely be provided via HQ/DC? If the internet at HQ/DC goes down what happens to the WAN port which has MPLS connected at the branch site, does it stop forwarding traffic? what happens in case of non-sdwan and sd-wan scenarios?

alemabrahao

Yes, it is.

https://documentation.meraki.com/MX/Deployment_Guides/MPLS_Failover_to_Meraki_Auto_VPN

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Aamir

Hi,

In this case (Link provided) there is no Auto-VPN on MPLS but in my case i need Auto-VPN on MPLS also, in that case if the internet link at HQ/DC goes down the IPSEC tunnel on my MPLS will go down and MPLS WAN port on MX will get disabled?

alemabrahao

Check it out.

https://documentation.meraki.com/MX/Site-to-site_VPN/Configuring_Site-to-site_VPN_over_MPLS

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Aamir

why not?

Aamir

Configuring Site-to-site VPN over MPLS - Cisco Meraki Documentation

rhbirkelund

Yes. All Meraki equipment requires internet access, one way or the other, in order to be managed by the Dashboard in the Cloud.

If your Branch is only connected to the Internet via MPLS and your HQ is the exitpoint for the MPLS, and the MPLS router at the HQ goes down, then yes. Your Branch site will also loose connectivity to the Cloud.

However, even though the Meraki equipment looses connectivity to the Cloud, it will still be able to switch locally. So your devices will still be able to use they Local Network, eventhough the MX can not reach the cloud.

LinkedIn ::: https://blog.rhbirkelund.dk/

Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂

All code examples are provided as is. Responsibility for Code execution lies solely your own.

cmr

If the HQ internet connection goes down, but the MPLS stays up, then the AutoVPN connections over the MPLS should stay up. They will use the private IP addresses on the MPLS to talk to each other.

We ran this with the DC MX in concentrator mode and it worked.

Aamir

Are you sure? How long did the AutoVPN on MPLS stayed up? I recon it will come down as the source address on the registry will be blank?

Configuring Site-to-site VPN over MPLS - Cisco Meraki Documentation

cmr

We had a planned maintenance by our ISP and by mistake they took down both diverse circuits... They were both down for maybe an hour or so and the tunnels stayed up. They should stay up when the registry is unavailable, although new tunnels cannot be formed. Unless I am mis-remembering...

PhilipDAth

You could also plug the MPLS circuit into a LAN port, and use static routing on te MX to get to the rest of the MPLS world.

Aamir

that's true but i do need MPLS to also have IPSEC tunnel. but lets say i do this (MPLS circuit into LAN port in branch), but i have one armed concentrator in HQ, how will the one armed concentrator know to make IPSEC tunnels (autovpn) over internet and not over MPLS?

PhilipDAth

In that case, stick to using the WAN ports to keep things simple.

Aamir

correct but i need to know what happens to the tunnels (autovpn) or manual on MPLS links then HQ internet goes down, do they stay up or go down?

Meraki Community

MX and Interent

MX and Interent