MX with MPLS

Jai1
Conversationalist

Hoping for some help in setting up an MX in an MPLS environment.


For now, there is only an MX at Head Office while this is trialled.  If all goes well, we would add them everywhere but I am having trouble getting it going.


I am after DHCP, Client VPN and some content filtering features so I have to have it in "Routing Mode", not Passthrough.  We also have 2 VLANs (data and voice) that I need on the LAN side.

Reading some other posts I am reluctant to try the Beta No Nat feature as it seems there are some minor issues?


I found and read through this article: https://documentation.meraki.com/MX/Deployment_Guides/MPLS_Failover_to_Meraki_Auto_VPN

but can't seem to get this working.


From the diagram, it seems the MPLS connection has an interconnect range of 192.168.128.0/24 and an actually used range (on the LAN) of 10.15.10.0/24.

I have tried a similar approach but with a /28 range on the interconnect.

Due to having 2 ranges, the MX would have to have VLAN IDs assigned to each. I have chosen VLAN1 for the LAN and VLAN5 for the MPLS range.  The MPLS Cisco router also has VLAN 5 configured.

Port 1 on the LAN of the Meraki is set to Access Native VLAN5; however, the 2 devices can't see each other.


I'm also not sure how I can add routes to send everything out the MPLS link.  There is already a 0.0.0.0/0 route in for the WAN which can't be removed.

Trying to add 2x /1 ranges instead fails as well since they then overlap my 192.168 LAN range.


Am I overthinking this?  I really just want the DHCP etc. control on the MX and then a WAN of the MPLS.  Long term though we will possibly add a local internet breakout, but that will be a future issue.

5 Replies
General-Zod
Getting noticed

Hi Jai1, I'm assuming you have an internet service hanging off the MPLS network upstream somewhere? Since you have no local internet breakout this gets complicated. The default route for an MX is always an Internet Port, not another vlan'd interface (MPLS). The assumption with the MPLS failover to Auto-VPN is that you do indeed have a local internet breakout.

The other complication is that if you assign the Internet port on the MX to face your MPLS service your MX will automatically perform source NAT. As you mentioned before, the No-NAT feature is only available in BETA at this stage, so definitely not suitable for prod environments.

If you're after a DHCP mechanism at each site, perhaps the telco-provided router can have DHCP relay configured for each vlan pointing back to the Head Office DHCP server? You could also have a suitably spec'd MX at the Head Office which faces a local internet connection, on which you could perform the client VPN termination and leverage the Advanced License (webfiltering, AMP etc).

Cheers
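The routing behaviour the two posts above describe (connected VLAN subnets, static routes that are rejected when they overlap a VLAN subnet, and a fixed 0.0.0.0/0 via the Internet port that no static route can replace) is easy to reason about with a small longest-prefix-match model. The following is an added illustration, not code from the thread or from Meraki, and every address, VLAN ID and next hop in it is a constructed example; it shows why a /8 route toward the MPLS router works while a covering /1 is refused and everything else still leaves via the WAN.

```python
import ipaddress

# Constructed sample topology, modelled on the thread (not the poster's real addressing):
# VLAN 1 = data LAN, VLAN 5 = /28 interconnect toward the telco MPLS router.
VLANS = {
    1: ipaddress.ip_network("192.168.1.0/24"),
    5: ipaddress.ip_network("192.168.128.0/28"),
}
WAN_DEFAULT = "WAN (Internet port, fixed 0.0.0.0/0)"


class MxRoutingModel:
    """Toy model of MX routing mode as described in the thread; assumed behaviour only."""

    def __init__(self, vlans):
        self.vlans = dict(vlans)
        self.static = []  # list of (network, next_hop)

    def add_static_route(self, prefix, next_hop):
        """Add a static route; refuse it if it overlaps any configured VLAN subnet
        (the failure the original poster saw with the two /1 routes)."""
        net = ipaddress.ip_network(prefix)
        hop = ipaddress.ip_address(next_hop)
        for vid, subnet in self.vlans.items():
            if net.overlaps(subnet):
                raise ValueError(f"{net} overlaps VLAN {vid} subnet {subnet}")
        # The next hop has to sit on a directly connected VLAN to be usable.
        if not any(hop in subnet for subnet in self.vlans.values()):
            raise ValueError(f"next hop {hop} is not on any configured VLAN")
        self.static.append((net, hop))

    def egress(self, dest):
        """Longest-prefix match over connected VLANs and static routes; anything
        unmatched falls through to the non-removable default via the WAN port."""
        d = ipaddress.ip_address(dest)
        best = None  # (prefix length, human-readable egress)
        for vid, subnet in self.vlans.items():
            if d in subnet and (best is None or subnet.prefixlen > best[0]):
                best = (subnet.prefixlen, f"VLAN {vid}")
        for net, hop in self.static:
            if d in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, f"static via {hop}")
        return best[1] if best else WAN_DEFAULT


if __name__ == "__main__":
    mx = MxRoutingModel(VLANS)
    mx.add_static_route("10.0.0.0/8", "192.168.128.1")  # remote MPLS sites via telco router
    for host in ("10.15.10.7", "192.168.1.20", "8.8.8.8"):
        print(host, "->", mx.egress(host))
```

Only prefixes you can enumerate (the remote sites' ranges) can be steered at the MPLS router this way; a catch-all toward MPLS is exactly what the fixed WAN default and the overlap check prevent.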
PhilipDAth
Kind of a big deal

@General-Zod is right.


Meraki is made for an environment where the Internet plugs directly into the MX and it is your firewall.


In your case, you have a provider giving you a firewall and Internet service via the MPLS cloud.


You may be better trialling this at home, as your network will need to be changed completely.  You may well not end up using MPLS at all.

Jai1
Conversationalist

This is a shame as I wanted to take control of some of the things we rely on the Telco for such as DHCP (which is on the router at some sites).

We also want some Client Traffic visibility.

I'm guessing the No Nat though in the end would do what we want?

PhilipDAth
Kind of a big deal

I would use pass-through mode if you are not ready to make the big jump.

General-Zod
Getting noticed

Having a no NAT function would certainly open up more possibilities, which is why I’m stinging for the gold release with this feature.


I have many use cases for this feature but have had to re-engineer accordingly with alternate products.


Hopefully we don’t have to wait too long.


Cheers
