Hi,
Is it correct that each WAN port on the MX needs access to the Internet (to reach the Meraki dashboard)? If a customer has one internet link and one MPLS link at a branch site connected to the MX, is it a must that the MX at the branch location has access to the Internet via the MPLS link to send its management traffic to the Cloud? This Internet connection will most likely be provided via HQ/DC. If the internet at HQ/DC goes down, what happens to the WAN port which has MPLS connected at the branch site? Does it stop forwarding traffic? What happens in the non-SD-WAN and SD-WAN scenarios?
Yes, it is.
https://documentation.meraki.com/MX/Deployment_Guides/MPLS_Failover_to_Meraki_Auto_VPN
Hi,
In this case (link provided) there is no Auto-VPN on MPLS, but in my case I need Auto-VPN on MPLS also. In that case, if the internet link at HQ/DC goes down, the IPsec tunnel on my MPLS will go down and the MPLS WAN port on the MX will get disabled?
Check it out.
https://documentation.meraki.com/MX/Site-to-site_VPN/Configuring_Site-to-site_VPN_over_MPLS
Why not?
Yes. All Meraki equipment requires internet access, one way or the other, in order to be managed by the Dashboard in the Cloud.
If your Branch is only connected to the Internet via MPLS and your HQ is the exit point for the MPLS, and the MPLS router at the HQ goes down, then yes. Your Branch site will also lose connectivity to the Cloud.
However, even though the Meraki equipment loses connectivity to the Cloud, it will still be able to switch locally. So your devices will still be able to use the local network, even though the MX cannot reach the cloud.
If the HQ internet connection goes down, but the MPLS stays up, then the AutoVPN connections over the MPLS should stay up. They will use the private IP addresses on the MPLS to talk to each other.
We ran this with the DC MX in concentrator mode and it worked.
Are you sure? How long did the AutoVPN on MPLS stay up? I reckon it will come down, as the source address on the registry will be blank?
Configuring Site-to-site VPN over MPLS - Cisco Meraki Documentation
We had planned maintenance by our ISP and by mistake they took down both diverse circuits... They were both down for maybe an hour or so and the tunnels stayed up. They should stay up when the registry is unavailable, although new tunnels cannot be formed. Unless I am misremembering...
You could also plug the MPLS circuit into a LAN port, and use static routing on the MX to get to the rest of the MPLS world.
That's true, but I do need MPLS to also have an IPsec tunnel. But let's say I do this (MPLS circuit into a LAN port at the branch), but I have a one-armed concentrator in HQ. How will the one-armed concentrator know to make IPsec tunnels (AutoVPN) over the internet and not over MPLS?
In that case, stick to using the WAN ports to keep things simple.
Correct, but I need to know what happens to the tunnels (AutoVPN or manual) on MPLS links when the HQ internet goes down. Do they stay up or go down?