MX behind another MX

SOLVED
GospodinMat1
Conversationalist

Hello everyone,

Just wanted to see if this configuration is possible in any way.

We have two MX250 and two MX100, both should be in HA. The idea was to have the two MX250 as Internet border devices and two MX100 that connect to them and also connect to the L2 service provider network, through which they would bring up tunnels to other branch MXs connected to that same L2 network. In other words, the MX100s would be used as kind of a VPN hub for the other branches and would forward the traffic to the MX250s if the traffic is destined towards the Internet. Something like this:

[Image: FourMXs.PNG]

I'm not sure, however, if the MX100s can be connected to the MX250s via LAN ports in a way that they could have cloud connectivity through them (since the service provider L2 network doesn't have Internet access)?

If this is not a viable topology, does someone have an alternate proposition/solution?

Best regards

1 ACCEPTED SOLUTION
cmr
Kind of a big deal

Put the MX100s in VPN concentrator mode and have them in single ended mode off to the side.

Internet to MX250 WAN
MX250 LAN to switch
MX100 WAN to switch
MPLS router connected to switch

Switch is L3 and has routes to internet so everyone gets a connection

rymiles
Meraki Employee

What is the WAN situation at the branches? L2 WAN and internet or just the L2 WAN?

Hi,

Just the L2 WAN. The idea is that every branch should go to the Internet through those MX250s.

Best regards

rymiles
Meraki Employee

If the branches are just L2 connected, why tunnel it in VPN at all?

cmr
Kind of a big deal

@rymiles we have two L2 networks that we needed to load balance and although @GospodinMat1 hasn't shown that, it may also be the case here?  Secondly we wanted to encrypt our traffic over the WAN as you can't just assume it is secure... 😈

GospodinMat1
Conversationalist

There's only one L2 network, everything goes over the same provider, however yes, the requirement is to encrypt the traffic that goes from the branches to the center.

As I've mentioned, we're open to suggestions, primarily if this can be achieved in any way with just these 4 MXs...

The layout cmr suggested should meet your needs then.

@cmr

Thank you for the proposition! If I understood it correctly, it would look something like this:

[Image: FourMXs2.PNG]

I like it, since if I had designed the solution from scratch I would have probably done something similar. We were, however, given the equipment and told to do the best with what we have, so, as you can imagine, I'm trying to come up with something that involves the existing hardware before we ask for some additional. 🙂

So I guess my question would be if this could be achievable with something like this:

[Image: FourMXs3.PNG]

The MX100s would still be terminating the VPN tunnels to the branch locations on the L2 network, while the MX250s would, I guess, perform some kind of policy-based routing in a way that everything meant for branch communication would go out the WAN2 interface while all other traffic would go to WAN1.

Do you think this is a viable solution at all? Will we run into some VRRP, STP, or simply general connectivity problems with this topology?

Best regards

cmr
Kind of a big deal

@GospodinMat1 the top diagram is exactly what we do, as for the lower diagram, it might work, but I'm not sure WAN2 would come up on the MX250s.  It's also one hell of a complex setup to troubleshoot!
