MX with no local internet breakout

General-Zod
Getting noticed

Greetings!

 

I have an interesting tbc scenario in which an MX won't have anything connected to WAN1 or WAN2 or USB cellular (until NBN is installed).

 

However, there will be an MPLS link connected to a LAN port. The MPLS will provide site-to-site connectivity. The HQ, which hangs off the MPLS, has a proxy server and a local internet breakout.

 

I wish to deploy an MX in this fashion whilst leveraging the proxy server at the HQ not only for the MX management but for clients on the LAN.

 

This would be the mode of operation until the NBN service is installed.

 

Seeking some clarification that this would work. Not sure how the MX will behave if there is nothing connected to WAN1 / WAN2 or cellular.

 

Anyone had any exposure to this in the field?

 

Thanks in advance

HitoshiH
Meraki Employee

Hello @General-Zod ,

 

I think the MX will be online as long as cloud communication via the proxy in HQ is available, though both of the Internet interfaces would be marked as failed until WAN services are provided.

 

If you create a static route to the segment of the proxy toward the MPLS service, clients can access the proxy server and internet access would be available.

 

Have a try and hope you can give internet access for the clients via MPLS & proxy until internet services are provided to the MX!

 


Thanks @HitoshiH 

 

Was hoping someone else in the field had actually tried this already saving me being the guinea pig.

 

I will have to setup a lab otherwise, thought I'd try here first though.

 

Thanks

PhilipDAth
Kind of a big deal

AutoVPN is guaranteed not to work. But it doesn't sound like you need this.

 

We need someone to test this. Does the proxy support connections via the LAN interfaces only (as opposed to proxy via the WAN interfaces)?

https://documentation.meraki.com/MX/Installation_Guides/MX64_Installation_Guide#Web_proxy_settings

 

 

An option that will work is to use the MX in pass-through or transparent mode, where it operates like a layer 2 switch.

https://documentation.meraki.com/MX/Networks_and_Routing/Passthrough_Mode_on_the_MX_Security_Applian... 

You would need to re-configure it again when you get your NBN circuit.

 

 

Thanks @PhilipDAth 

 

RE: Proxy, that is exactly what I want to confirm.

 

Passthrough no go, as the MX will be the MPLS router itself, so must be in routed mode. Could use WAN1 for MPLS but then it will NAT which isn't ideal for site to site traffic. Arrrrhh

 

When is the No-NAT feature going gold again? This would solve this issue and many others I have.

 

Cheers

jdsilva
Kind of a big deal

My money is on this not working. AFAIK MX requires a cloud connection on a WAN port, not a LAN port. But, interesting question and not one I can test myself so following this for an answer 🙂

After raising a ticket I got the following:

 

This is not a supported design for MX devices.

MX may still be able to pass the traffic on the LAN side without any WAN or cellular connections.

However, there will be no visibility of the configuration and operation of the device, and you will not be able to modify any configurations.

Please review this documentation regarding the behavior of the MX when it loses access to the Meraki Cloud. Thanks!

https://documentation.meraki.com/zGeneral_Administration/Cross-Platform_Content/Behavior_during_Conn...

Good to know!

 

Cheers

 

cmr
Kind of a big deal

Why not use firmware 15.x and enable no NAT?  We use it for our 1500 user site to site SD-WAN over MPLS?

Hi @cmr 

 

As the 15.x release is in BETA, support will be limited and it won't fly with the customer. Glad it's functional for you though.

 

Cheers

cmr
Kind of a big deal

@General-Zod I understand your reservations as an integrator (we are lucky in that we are the customer) but I would say that we have found the opposite, in that support often push to use a beta...!

 

We have even been mixing 15.14,15,18 and 20 in the same SD-WAN...


@cmr wrote:

Why not use firmware 15.x and enable no NAT?  We use it for our 1500 user site to site SD-WAN over MPLS?


Can this issue be fixed with the declaration from @cmr?

I mean, that a WAN-Interface configured with NO-NAT reaching over MPLS (central Internet-Breakout) the Meraki Cloud for the Control-Traffic, etc.?!
