Meraki

Community

MX67C + MG21 + Active/Active AutoVPN - How do I keep heavy traffic off of my cellular connection?

Crocker
A model citizen
‎Nov 10 2020 12:11 PM
‎Nov 10 2020 12:11 PM

MX67C + MG21 + Active/Active AutoVPN - How do I keep heavy traffic off of my cellular connection?

Wanted to check in and see what others have done/experienced. In short, I have a location with the following setup:

 

MX67C with WAN1 connected to a hardline ISP, WAN2 connected to an MG21 using an AT&T SIM

It is a full-tunnel spoke in a larger AutoVPN deployment

Active-Active AutoVPN is enabled

We have a simple SD-WAN policy defined that ships our traffic across whichever Uplink is 'best for VOIP traffic'

 

The setup appears to be mostly working as expected; However, we do end up sending quite a bit of heavy data across the cell connection at times - one example is our Microsoft SCCM software/update deployments. I'm not seeing any way to specify that defined traffic (to/from an IP&Port) should only ever traverse WAN1 and never WAN2.

 

We worked with support a few weeks ago, and they changed a hidden setting that should have forced the Cellular Failover Firewall Rules to act on WAN2 instead of the built-in (inactive) cellular interface on the MX67C; However, through testing I've found that this doesn't appear to work at all. I'm still chasing that up with support, but wanted to check in here with the community and get your thoughts.

 

 

0 Kudos
3 Replies 3
Bruce
Kind of a big deal
‎Nov 10 2020 12:29 PM
‎Nov 10 2020 12:29 PM

Hi @Crocker, I believe you’re right in that you can’t define an SD-WAN rule to use WAN1 and drop traffic if WAN1 fails, but you should be able to create SD-WAN rules to use WAN1 and then only WAN2 if WAN1 fails. 

Under the SD-WAN policies you can define VPN preferences based on source and destination IP addresses and TCP/UDP ports (custom expressions). On the MX make sure your Primary Uplink is configured to be your hardline ISP. This document goes through configuring SD-WAN policies, https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/SD-WAN_and_Traffic_Shaping

 

0 Kudos
In response to Bruce
Crocker
A model citizen
‎Nov 26 2020 8:00 AM
‎Nov 26 2020 8:00 AM

Support confirmed that the cellular failover rules will not work for Active/Active AutoVPN traffic, which is kind of a bummer.

 

I've experimented with the SD-WAN policies as well, and they too seem to not work properly. As a test, at one of my sites I put together a very simple rule:

 

Prefer WAN 1, failover if uplink down - 10.##.##.##/32 to Any, Any to 10.##.##.##/32

 

However, when I run a packet capture on the S2S over Internet1 and S2S over Internet2 interfaces, I see the traffic to/from the specified IP crossing both interfaces. I've notified support of this, and they have verified that the rule appears to be set up properly. The question is whether or not SD-WAN policies affect Active/Active AutoVPN traffic...

 

I'll follow-up once I have an official answer.

0 Kudos
ww
Kind of a big deal
Kind of a big deal
‎Nov 10 2020 2:57 PM
‎Nov 10 2020 2:57 PM

Regarding to the firewall for wan1/wan2. That works  only for non vpn traffic.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.