MX84 and MX65 topology design

Solved
getnyce32
Conversationalist

So here is an easy one. New to Meraki, and I have an MX84 and an MX65 to trial out. The MX84 will go in my DC and the MX65 will go to a remote office. The WAN connecting sites is Layer 2 ENS provided by Comcast. In the Data Center the router has two interfaces. One is the WAN and the other is a LAN, which is a /29 with an IP address of my core. Do I put the MX84 in that /29 that has the Router LAN and Core on it? It would be in One Armed mode.
At the remote site would I just remove the router there and replace it with the MX64? I would need to have two interfaces as well, the WAN and the LAN (which would be the DG of the users). Is this topology correct? In case this is not clear, I will be leveraging this for SDWAN.

1 Accepted Solution
PhilipDAth
Kind of a big deal

Your scenario discussed will work.
There are two common scenarios when deploying with a WAN.  You run a VPN over the existing WAN, and this is the guide used for that:

https://documentation.meraki.com/MX-Z/Site-to-site_VPN/Configuring_Site-to-site_VPN_over_MPLS
The other is where you simply route over the private network (and you can fail over to AutoVPN):

https://documentation.meraki.com/MX-Z/Deployment_Guides/MPLS_Failover_to_Meraki_Auto_VPN
My preferred approach is to use the first method, where a VPN runs over everything.  I also configure the DC exactly the same as a branch.  I typically plug a backup Internet circuit into the second WAN port on the DC unit so if branches also have a separate Internet circuit they can fail over.


One other question. Assuming I go with the VPN solution for load balancing over two private WANs (assuming in this case I have two WANs): if a client in a remote location initiates a connection to a resource in the DC, that initial traffic is encrypted and sent over the VPN. However, the return traffic would become asymmetric, as the packet will be sent directly to the WAN router and never hit the MX for tunneling. Do I make sense?

That would not be a good design.
If you want to use AutoVPN everywhere, then traffic to the remote AutoVPN branches must go via the MX at the DC - and not directly to the WAN tail.

Sounds like you need to update your routing design.  Once those remote sites are connected via VPN, that prefix should then be listed as reachable via the MX, not the previously used router.  Of course, you could weight routes to fall back to the legacy router if the VPN goes down.  But there should be no reason you have to live with the asymmetry as a normal condition.
Another possibility to consider is whether the legacy WAN links could be supported on the MX.  If so, you could leverage the various Meraki SD-WAN capabilities such as policy based routing to then use both routes for different applications.  But this raises additional questions around why you would be in a scenario of having two VPN links and a traditional WAN link to field locations.  I'm hoping once you complete a PoC with the Meraki gear you will actually be simplifying, not complicating your design 🙂

getnyce32
Conversationalist

Disclaimer, I'm new to the organization. The WAN is a Verizon managed MPLS with the routers running BGP managed by Verizon. Prior to me joining the organization, another WAN solution was purchased (never designed) to sit alongside the Verizon MPLS and be used for redundancy. This secondary network isn't yet built because hardware requirements were never defined, and as a result there are no routers to terminate the connection. Enter the new network guy (me) and my recommendation of maybe the MX can help me out. I'm looking to take this in a layered approach. First I want to bring one remote site on MX over the Verizon MPLS, with the possibility of connecting the second ENS Layer two connection into the MX. In the DC I will put the MX on the same segment as the LAN of the Verizon router and my Core. My core knows how to get to the remote site via the BGP redistribution into OSPF on my core. It sounds like when I put in the MX I will need to enter a route that will instruct the core to send traffic destined to the remote site over to the MX instead of the Verizon router.

That would be correct.
Listening to the complexity that you describe, I think you should get a Cisco partner involved.
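The routing change described in the thread (prefer the MX for the remote-site prefix so both directions traverse the tunnel, and fall back to the legacy router if the VPN drops), written out as a constructed core-switch configuration. This is added here and is not from the thread or from Meraki documentation; it assumes Cisco IOS syntax on the core and uses placeholder addresses.

```cisco
! Constructed example for the DC core, not configuration from this thread.
! Assumed placeholder addressing:
!   192.0.2.0/29  shared DC segment: Verizon router .1, MX84 .2, core .3
!   10.20.0.0/24  remote-site LAN behind the MX, MX LAN IP 10.20.0.1
! The remote prefix is already learned via BGP->OSPF redistribution (AD 110)
! pointing at the Verizon router. A tracked static route (AD 1) overrides it
! while the AutoVPN tunnel is up and is withdrawn when the probe fails.

! Pin the probe target through the MX with a host route so the SLA tests the
! tunnel path itself. Without this pin a withdrawn static would send the probe
! over the MPLS path, the probe would succeed, and the static would flap back.
ip route 10.20.0.1 255.255.255.255 192.0.2.2

! Reachability probe across the tunnel, sourced from the core's /29 address
ip sla 10
 icmp-echo 10.20.0.1 source-ip 192.0.2.3
 frequency 10
ip sla schedule 10 life forever start-time now
track 10 ip sla 10 reachability

! Preferred path for the remote LAN: via the MX84 while track 10 is up
ip route 10.20.0.0 255.255.255.0 192.0.2.2 track 10

! No explicit fallback route is needed: when track 10 goes down the tracked
! static is removed and the OSPF-learned route via 192.0.2.1 takes over.
! Return traffic from the DC now follows the same MX path as the inbound
! traffic, so the asymmetry raised in the thread does not occur. Verify with:
!   show track 10
!   show ip route 10.20.0.0
```

The host route for the probe target is deliberately not tracked; while the tunnel is down only that single address is black-holed at the MX, while the rest of the /24 follows the OSPF route.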
