Meraki

Community

MX with no local internet breakout

General-Zod
Getting noticed
‎Oct 27 2019 10:12 PM
‎Oct 27 2019 10:12 PM

MX with no local internet breakout

Greetings!

 

I have a interesting tbc scenario in which a MX won't have anything connected to WAN1 or WAN2 or USB cellular.(until NBN is installed)

 

However there will be a MPLS link connected to a LAN port. The MPLS will provide site to site connectivity. The HQ which hangs off the MPLS has a proxy server and a local internet breakout.

 

I wish to deploy a MX in this fashion whilst leveraging the proxy server at the HQ not only for the MX management but for clients on the LAN.

 

This would be the mode of operation until the NBN service is installed.

 

Seeking some clarification that this would work. Not sure how the MX will behave if there is nothing connected to WAN1 / WAN2 or cellular.

 

Anyone had any exposure to this in the field?

 

Thanks in-advance

 

 

 

0 Kudos
10 Replies 10
HitoshiH
Meraki Employee
Meraki Employee
‎Oct 27 2019 10:29 PM
‎Oct 27 2019 10:29 PM

Hello @General-Zod ,

 

I think MX will be online as long as cloud communication via proxy in HQ is available though both of Internet interfaces would be marked as failed until WAN services are provided.

 

If you create static route to the segment of proxy toward MPLS service, client can access to proxy server and internet access would be available.

 

Have a try and hope you can give internet access for the clients via MPLS & proxy until internet services are provided to the MX!

 

~~If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it.~~

The Meraki ECMS exam is now live! Test your knowledge of Meraki and become an official Cisco Meraki Solutions Specialist. More info on the ECMS exam found here.

For information regarding all of Meraki's training offerings, be sure to check out the Meraki Learning Hub.
In response to HitoshiH
General-Zod
Getting noticed
‎Oct 27 2019 10:39 PM
‎Oct 27 2019 10:39 PM

Thanks @HitoshiH 

 

Was hoping someone else in the field had actually tried this already saving me being the guinea pig.

 

I will have to setup a lab otherwise, thought I'd try here first though.

 

Thanks

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Oct 27 2019 10:46 PM
‎Oct 27 2019 10:46 PM

AutoVPN is guaranteed not to work.  But it doesn't sound like you need this,

 

We need someone to test this.  Does the proxy support connections via the LAN interfaces only (as opposed to proxy via the WAN interfaces).

https://documentation.meraki.com/MX/Installation_Guides/MX64_Installation_Guide#Web_proxy_settings

 

 

An option that will work is to use the MX in pass-through or transparent mode, where it operates like a layer 2 switch.

https://documentation.meraki.com/MX/Networks_and_Routing/Passthrough_Mode_on_the_MX_Security_Applian... 

You would need to re-configure it again when you get your NBN circuit.

 

 

In response to PhilipDAth
General-Zod
Getting noticed
‎Oct 27 2019 11:03 PM
‎Oct 27 2019 11:03 PM

Thanks @PhilipDAth 

 

RE: Proxy, that is exactly what I want to confirm.

 

Passthrough no go, as the MX will be the MPLS router itself, so must be in routed mode. Could use WAN1 for MPLS but then it will NAT which isn't ideal for site to site traffic. Arrrrhh

 

When is the No-NAT feature going gold again? this would solve this issue and many others I have.

 

Cheers

0 Kudos
In response to General-Zod
jdsilva
Kind of a big deal
‎Oct 28 2019 8:08 AM
‎Oct 28 2019 8:08 AM

My money is on this not working. AFAIK MX requires a cloud connection on a WAN port, not a LAN port. But, interesting question and not one I can test myself so following this for an answer 🙂

http://blog.brokennetwork.ca | @jdsilva
In response to jdsilva
General-Zod
Getting noticed
‎Oct 28 2019 10:38 PM
‎Oct 28 2019 10:38 PM

After raising a ticket I got the following:

 

This is not a supported design for MX devices.

MX may still be able to pass the traffic on the LAN side without any WAN or cellular connections.

However, this will be no visibility of the configuration and operation of the device and not able to modify any configurations.

Please review this documentation regarding the behavior of MX loss access to the Meraki Cloud. Thanks!

https://documentation.meraki.com/zGeneral_Administration/Cross-Platform_Content/Behavior_during_Conn...

good to know!

 

Cheers

 

In response to General-Zod
cmr
Kind of a big deal
Kind of a big deal
‎Oct 29 2019 10:46 AM
‎Oct 29 2019 10:46 AM

Why not use firmware 15.x and enable no NAT?  We use it for our 1500 user site to site SD-WAN over MPLS?

If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
In response to cmr
General-Zod
Getting noticed
‎Oct 29 2019 4:40 PM
‎Oct 29 2019 4:40 PM

Hi @cmr 

 

As the 15.x release is in BETA, support will be limited and it wont fly with the customer. Glad it's functional for you though.

 

Cheers

In response to General-Zod
cmr
Kind of a big deal
Kind of a big deal
‎Oct 30 2019 12:55 AM
‎Oct 30 2019 12:55 AM

@General-Zod I understand your reservations as an integrator (we are lucky in that we are the customer) but I would say that we have found the opposite, in that support often push to use a beta...!

 

We have even been mixing 15.14,15,18 and 20 in the same SD-WAN...

If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
In response to cmr
whistleblower
Building a reputation
‎May 1 2020 1:00 AM
‎May 1 2020 1:00 AM

@cmr wrote:

Why not use firmware 15.x and enable no NAT?  We use it for our 1500 user site to site SD-WAN over MPLS?

can this issue be fixed with the declartion from @cmr?

I mean, that a WAN-Interface configured with NO-NAT reaching over MPLS (central Internet-Breakout) the Meraki Cloud for the Control-Traffic, etc.?!

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.