MX67C + MG21 + Active/Active AutoVPN - How do I keep heavy traffic off of my cellular connection?

Crocker
Building a reputation

Wanted to check in and see what others have done/experienced. In short, I have a location with the following setup:

MX67C with WAN1 connected to a hardline ISP, WAN2 connected to an MG21 using an AT&T SIM
It is a full-tunnel spoke in a larger AutoVPN deployment
Active/Active AutoVPN is enabled
We have a simple SD-WAN policy defined that ships our traffic across whichever uplink is 'best for VoIP traffic'

The setup appears to be mostly working as expected; however, we do end up sending quite a bit of heavy data across the cell connection at times. One example is our Microsoft SCCM software/update deployments. I'm not seeing any way to specify that defined traffic (to/from an IP and port) should only ever traverse WAN1 and never WAN2.

We worked with support a few weeks ago, and they changed a hidden setting that should have forced the Cellular Failover Firewall Rules to act on WAN2 instead of the built-in (inactive) cellular interface on the MX67C; however, through testing I've found that this doesn't appear to work at all. I'm still chasing that up with support, but wanted to check in here with the community and get your thoughts.

Bruce
Kind of a big deal

Hi @Crocker, I believe you’re right in that you can’t define an SD-WAN rule to use WAN1 and drop traffic if WAN1 fails, but you should be able to create SD-WAN rules to use WAN1 and then only WAN2 if WAN1 fails. 

Under the SD-WAN policies you can define VPN preferences based on source and destination IP addresses and TCP/UDP ports (custom expressions). On the MX make sure your Primary Uplink is configured to be your hardline ISP. This document goes through configuring SD-WAN policies, https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/SD-WAN_and_Traffic_Shaping


Crocker
Building a reputation

Support confirmed that the cellular failover rules will not work for Active/Active AutoVPN traffic, which is kind of a bummer.

I've experimented with the SD-WAN policies as well, and they too seem not to work properly. As a test, at one of my sites I put together a very simple rule:

Prefer WAN 1, failover if uplink down - 10.##.##.##/32 to Any, Any to 10.##.##.##/32

However, when I run a packet capture on the "S2S over Internet1" and "S2S over Internet2" interfaces, I see the traffic to/from the specified IP crossing both interfaces. I've notified support of this, and they have verified that the rule appears to be set up properly. The question is whether or not SD-WAN policies affect Active/Active AutoVPN traffic...

I'll follow-up once I have an official answer.
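The packet-capture test described above can be turned into a repeatable check. The script below is an added example, not code from the original thread or from Meraki: it models the "Prefer WAN 1, failover if uplink down" VPN preference that Bruce describes and Crocker tested (the rule structure is loosely modelled on the Dashboard API's vpnTrafficUplinkPreferences object, but the field names used here are an assumption, and 10.0.0.5 stands in for the redacted 10.##.##.## host), then replays constructed, tshark-style packet summaries taken from the "S2S over Internet1" (wan1) and "S2S over Internet2" (wan2) captures against it. Any packet the rule matches that appears on a non-preferred uplink while the preferred uplink is up is reported as a violation, which is the behaviour the post reports seeing.

```python
"""Audit whether an MX VPN uplink-preference rule is honoured in a capture."""
import ipaddress

# Constructed rule (field names are an assumption, loosely modelled on the
# Dashboard API's vpnTrafficUplinkPreferences). 10.0.0.5 is a placeholder
# for the redacted host in the post.
RULE = {
    "trafficFilters": [
        {"protocol": "any", "src": "10.0.0.5/32", "srcPort": "any",
         "dst": "any", "dstPort": "any"},
        {"protocol": "any", "src": "any", "srcPort": "any",
         "dst": "10.0.0.5/32", "dstPort": "any"},
    ],
    "preferredUplink": "wan1",
    "failOverCriterion": "uplinkDown",
}

# Constructed capture summaries, one packet per line:
# "<proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>".
# wan1 = "S2S over Internet1", wan2 = "S2S over Internet2".
CAPTURES = {
    "wan1": [
        "tcp 10.0.0.5:51234 -> 10.50.1.20:8530",
        "tcp 10.50.1.20:8530 -> 10.0.0.5:51234",
        "udp 10.0.0.9:4000 -> 10.50.1.30:5060",
    ],
    "wan2": [
        "tcp 10.0.0.5:51235 -> 10.50.1.20:8530",   # matched traffic on the cellular path
        "udp 10.0.0.9:4001 -> 10.50.1.30:5060",    # VoIP, not covered by RULE
    ],
}


def parse_packet(line):
    """Split one summary line into protocol, addresses and ports."""
    proto, rest = line.split(maxsplit=1)
    src, dst = rest.split(" -> ")
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"proto": proto.lower(),
            "src": ipaddress.ip_address(sip), "sport": int(sport),
            "dst": ipaddress.ip_address(dip), "dport": int(dport)}


def _cidr_ok(cidr, addr):
    return cidr == "any" or addr in ipaddress.ip_network(cidr, strict=False)


def _port_ok(spec, port):
    # Custom expressions take "any", a single port, or a range "lo-hi".
    spec = str(spec)
    if spec == "any":
        return True
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-"))
        return lo <= port <= hi
    return int(spec) == port


def matches(rule, pkt):
    """True if any traffic filter in the rule matches the packet."""
    for f in rule["trafficFilters"]:
        if f["protocol"] not in ("any", pkt["proto"]):
            continue
        if (_cidr_ok(f["src"], pkt["src"]) and _port_ok(f["srcPort"], pkt["sport"])
                and _cidr_ok(f["dst"], pkt["dst"]) and _port_ok(f["dstPort"], pkt["dport"])):
            return True
    return False


def expected_uplink(rule, uplink_up):
    """Which uplink matched traffic should be on, given uplink status."""
    pref = rule["preferredUplink"]
    if uplink_up.get(pref, False):
        return pref
    if rule["failOverCriterion"] == "uplinkDown":
        # Preferred uplink is down: fail over to another uplink that is up.
        return next((u for u, up in uplink_up.items() if up and u != pref), None)
    return pref


def audit(rule, captures, uplink_up):
    """Return (matched packets per uplink, list of (uplink, line) violations)."""
    counts = {u: 0 for u in captures}
    violations = []
    allowed = expected_uplink(rule, uplink_up)
    for uplink, lines in captures.items():
        for line in lines:
            if matches(rule, parse_packet(line)):
                counts[uplink] += 1
                if uplink != allowed:
                    violations.append((uplink, line))
    return counts, violations


if __name__ == "__main__":
    counts, bad = audit(RULE, CAPTURES, {"wan1": True, "wan2": True})
    print("matched packets per uplink:", counts)
    for uplink, line in bad:
        print(f"VIOLATION on {uplink}: {line}")
```

Feed it the real captures by exporting each S2S interface capture with something like `tshark -r s2s_internet2.pcap -T fields -e ip.proto -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport` and reshaping the fields into the line format above; a non-empty violation list while WAN1 is up is exactly the symptom to hand to support, since it shows the rule is being bypassed rather than failing over.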

ww
Kind of a big deal

Regarding the firewall for WAN1/WAN2: that works only for non-VPN traffic.
