MX64 Configuration for MPLS/Internet

Ponceme

Greetings all, I have been brainstorming ways to maximize my MX64's capability over our current network and would like some community input on how it can be done better. Mind you, I inherited the current layout as the oncoming ISM. Let me lay out the current configuration...

3 branches and 1 HQ.

HQ: 192.168.0.0/24
MX64: 192.168.0.254
MS-220-48 (connects to LAN 1 on MX64)
MPLS ATTVPN (fiber) (connects to LAN 2 on MX64): 192.168.0.1
ATT ISP (Internet): connects to WAN 1 on MX64
No VPN active

BR2
MPLS ATTVPN (connects to MS-225-24): 192.168.50.1
MS-225-24

BR3
MPLS ATTVPN (connects to MS-225-24): 192.168.40.1
MS-225-24

BR4
MPLS ATTVPN (connects to MS-225-24): 192.168.60.1
MS-225-24

As of right now, all traffic flows (phone (Nortel PBX), Internet, LAN). However, I can only fully monitor devices on the 192.168.0.0/24. I see that the MX64 is executing all the rules on the MPLS router, which in turn affects clients on the other side; however, I cannot see any events for individual clients, just the rules being enforced on the ATT MPLS router itself. I can also see every IP and MAC of the branch clients but cannot set their roles for traffic shaping configurations. Short of putting an MX at every site (long-term goal), is there a way to configure the MX64 and the switches to route the traffic so that I can see all my clients' events as if we were all in the same building on one MX64? Let me know if this configuration is way off and can be done better. Thank you in advance for your time and effort!

PhilipDAth

You want to keep each branch as a separate network in the Meraki Dashboard.

Because you have a Meraki switch at every branch already, you should get detailed visibility of that traffic. You are correct that you won't be able to do traffic shaping with just the switches.


So I'm going to give you a couple of thoughts - both involve putting an MX at every site.

1. Get rid of the MPLS, and put in a nice fibre Internet circuit at each site. Potentially put in a 4G circuit as well for redundancy.  You will get much greater uptime with this approach:

https://community.meraki.com/t5/Security-SD-WAN/MAIL-Meraki-array-of-inexpensive-links/td-p/22661

2. Keep the MPLS, but re-engineer it so that AutoVPN runs over it.

https://documentation.meraki.com/MX-Z/Site-to-site_VPN/Configuring_Site-to-site_VPN_over_MPLS

3. Keep the MPLS, and use AutoVPN for failover.

https://documentation.meraki.com/MX-Z/Deployment_Guides/MPLS_Failover_to_Meraki_Auto_VPN

Thanks for the thoughts, I will eventually get the MXs there, but unfortunately that's not in the budget for this go around. Thank you!!
