Meraki

Community

MX behind another MX

Solved
GospodinMat1
Here to help
‎Oct 29 2021 10:16 AM
‎Oct 29 2021 10:16 AM

MX behind another MX

Hello everyone,

 

just wanted to see if this configuration is possible in any way.

 

We have two MX250 and two MX100, both should be in HA. The idea was to have the two MX250 as Internet border devices and two MX100 that connect to them and also connect to L2 service provider network through which they would bring up tunnels to other branch MXs connected to that same L2 network. In other words MX100s would be used as kind of a VPN hub for other branches and forward the traffic to MX250s if the traffic is destined towards Internet. Something like this:

FourMXs.PNG

 

I'm not sure however if MX100s can be connected to MX250s via LAN ports in a way that they could have cloud connectivity through them (since service provider L2 network doesn't have Internet access)?

 

If this is not a viable topology does someone have an alternate proposition/solution?

 

Best regards

0 Kudos
1 Accepted Solution
In response to GospodinMat1
cmr
Kind of a big deal
Kind of a big deal
‎Oct 29 2021 12:52 PM
‎Oct 29 2021 12:52 PM

Put the MX100s in VPN concentrator mode and have them in single ended mode off to the side.

 

Internet to MX250 WAN

MX250 LAN to switch

MX100 WAN to switch

MPLS router connected to switch

 

Switch is L3 and has routes to internet so everyone gets a connection

If my answer solves your problem please click Accept as Solution so others can benefit from it.

View solution in original post

9 Replies 9
Ryan_Miles
Meraki Employee
Meraki Employee
‎Oct 29 2021 10:43 AM
‎Oct 29 2021 10:43 AM

What is the WAN situation at the branches? L2 WAN and internet or just the L2 WAN?

Ryan

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
In response to Ryan_Miles
GospodinMat1
Here to help
‎Oct 29 2021 12:43 PM
‎Oct 29 2021 12:43 PM

Hi,

 

Just the L2 WAN. The idea is that every branch should go to Internet through those MX250s.

 

Best regards

0 Kudos
In response to GospodinMat1
cmr
Kind of a big deal
Kind of a big deal
‎Oct 29 2021 12:52 PM
‎Oct 29 2021 12:52 PM

Put the MX100s in VPN concentrator mode and have them in single ended mode off to the side.

 

Internet to MX250 WAN

MX250 LAN to switch

MX100 WAN to switch

MPLS router connected to switch

 

Switch is L3 and has routes to internet so everyone gets a connection

If my answer solves your problem please click Accept as Solution so others can benefit from it.
In response to cmr
Ryan_Miles
Meraki Employee
Meraki Employee
‎Oct 29 2021 9:41 PM
‎Oct 29 2021 9:41 PM

if the branches are just L2 connected why tunnel it in VPN at all? 

Ryan

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
In response to Ryan_Miles
cmr
Kind of a big deal
Kind of a big deal
‎Oct 30 2021 1:43 AM
‎Oct 30 2021 1:43 AM

@Ryan_Miles we have two L2 networks that we needed to load balance and although @GospodinMat1 hasn't shown that, it may also be the case here?  Secondly we wanted to encrypt our traffic over the WAN as you can't just assume it is secure... 😈

If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
In response to cmr
GospodinMat1
Here to help
‎Oct 30 2021 3:31 AM
‎Oct 30 2021 3:31 AM

There's only one L2 network, everything goes over the same provider, however yes, the requirement is to encrypt the traffic that goes from the branches to center.

 

As I've mentioned, we're open to suggestions, primarily if this can be achieved in any way with just these 4 MXs...

In response to GospodinMat1
Ryan_Miles
Meraki Employee
Meraki Employee
‎Oct 30 2021 7:24 AM
‎Oct 30 2021 7:24 AM

the layout cmr suggested should meet your needs then

Ryan

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
In response to Ryan_Miles
GospodinMat1
Here to help
‎Oct 31 2021 12:41 AM
‎Oct 31 2021 12:41 AM

@cmr 

 

Thank you for the proposition! If I understood it correctly, it would look something like this:

FourMXs2.PNG

 

I like it since if I had designed the solution from scratch, it would have probably done something similar. We were however given the equipment and told to do the best with what we have, so, as you can imagine I'm trying to come up with something that involves the existing hardware before we ask for some additional. 🙂

 

So I guess my question would be if this could be achievable with something like this:

FourMXs3.PNG

 

MX100s would still be terminating the VPN tunnels to branch locations on the L2 network while MX250s would, I guess, perform some kind of policy-based routing in a way that everything meant for branch communication would go on the WAN2 interface while all other traffic would go to WAN1.

 

Do you think this is a viable solution at all? Will we run into some VRRP, STP, or simply general connectivity problems with this topology?

 

Best regards

0 Kudos
In response to GospodinMat1
cmr
Kind of a big deal
Kind of a big deal
‎Oct 31 2021 1:02 AM
‎Oct 31 2021 1:02 AM

@GospodinMat1 the top diagram is exactly what we do, as for the lower diagram, it might work, but I'm not sure WAN2 would come up on the MX250s.  It's also one hell of a complex setup to troubleshoot!

If my answer solves your problem please click Accept as Solution so others can benefit from it.
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.