Management Traffic

Dutra
Here to help
Hi, everyone!

Hope you are doing well.
There are some MX appliances in a hub-and-spoke topology. Each MX has two uplinks: an Internet link (primary) and the MPLS network (secondary), connected to the WAN 1 and WAN 2 ports respectively.
The active-active Auto VPN feature is enabled.
In the case of an Internet connection failure at a spoke, can the management traffic from the MX appliance at that remote site be forwarded to the hub through the site-to-site VPN, using MPLS as transport, and then go out to the Internet and reach the Meraki cloud?
Thank you in advance!
cmr
Kind of a big deal

If you are advertising the default route from the hubs down the MPLS link then yes; equally, if the MPLS has Internet breakout then yes. Otherwise you might need to do what we do, which is to have the hubs in single-arm concentrator mode and have separate edge firewalls.

Bruce
Kind of a big deal

All that @cmr writes is correct. One thing to add is that the Meraki management traffic doesn't enter the Auto VPN tunnel; it is always sent directly from the MX interface, which is why your MPLS network needs a default route with a path to the Internet.

Dutra
Here to help

Hi Bruce,

Thanks for the answer!

So the default route has to be configured on the MPLS routers, not on the MX appliances?

The MPLS network does not have an exit to the Internet yet, but the project includes an MX appliance placed at a different site just for this purpose: management traffic coming from the other MX appliances over the MPLS network breaks out to the Meraki cloud through this specific MX, using its Internet connection. All other traffic has to be blocked. I'm supposed to configure the firewall functions on this MX to do this job.

Do you think that it will work properly?

Thank you in advance!

cmr
Kind of a big deal

@Dutra it would work; you would need the MPLS provider to advertise the default route from that site.

Dutra
Here to help

Hi @cmr

Thanks for helping!

We are considering in this project that the MPLS network connections will be made on the WAN ports of the MX equipment, not on the LAN ports. I was wondering whether the firewall rules created on the exit MX will take effect, allowing management traffic only.

Please tell me your opinion.

Thanks in advance!

cmr
Kind of a big deal

At the site where the MX is providing the Internet for the management traffic, connect the MPLS to the LAN and connect the Internet to the WAN. It won't be part of the Auto VPN, so it works better that way.
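The thread's remaining risk is the rule set on the exit MX: it must let the spokes' management traffic out and block everything else, and on a first-match firewall that depends on the order of the rules and on what the implicit final rule does. The following is an added example, not code from the thread, from Meraki or from any of the posters: a small first-match layer-3 rule evaluator that audits three rule orderings against constructed sample flows. The spoke address block (10.200.0.0/16), the cloud destination block (198.51.100.0/24, a documentation range standing in for the real cloud addresses), the ports, and the "allow by default" behaviour are all assumptions made for the illustration.

```python
# Added example, not from the thread or from Meraki: a first-match layer-3
# firewall rule evaluator used to check that the rule set on the "exit" MX
# lets only management traffic out and denies everything else.
# All addresses, ports and the default-rule semantics are assumptions made
# for the illustration; 198.51.100.0/24 is a documentation range used as a
# placeholder for the cloud destination, not Meraki's real address space.
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

Flow = Tuple[str, str, str, int]  # (proto, src_ip, dst_ip, dst_port)


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # source CIDR
    dst: str               # destination CIDR
    dport: Optional[int]   # destination port, None means any

    def matches(self, flow: Flow) -> bool:
        proto, src, dst, dport = flow
        if self.proto != "any" and self.proto != proto:
            return False
        if ipaddress.ip_address(src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return True


def evaluate(rules: List[Rule], flow: Flow, default_action: str = "allow") -> str:
    """First matching rule wins; if nothing matches, the default applies.
    The default is a parameter because the product's implicit final rule is
    an assumption here; "allow" models a permissive default."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return default_action


def leaked_flows(rules: List[Rule], flows: Iterable[Flow],
                 management: List[Flow], default_action: str = "allow") -> List[Flow]:
    """Return the non-management flows that the rule set would let through."""
    mgmt = set(management)
    return [f for f in flows
            if f not in mgmt and evaluate(rules, f, default_action) == "allow"]


# Constructed sample: MPLS-side spoke addresses and a placeholder cloud block.
SPOKES = "10.200.0.0/16"
CLOUD = "198.51.100.0/24"

MANAGEMENT_FLOWS: List[Flow] = [
    ("tcp", "10.200.1.2", "198.51.100.10", 443),   # assumed management port
    ("udp", "10.200.7.2", "198.51.100.20", 7351),  # assumed management port
]
OTHER_FLOWS: List[Flow] = [
    ("tcp", "10.200.1.2", "203.0.113.5", 80),      # user web traffic
    ("tcp", "10.200.1.2", "198.51.100.10", 22),    # wrong port to the cloud block
    ("udp", "10.200.3.9", "8.8.8.8", 53),          # DNS to a public resolver
]

# Correct ordering: specific allows first, then an explicit deny-any.
GOOD_RULES = [
    Rule("allow", "tcp", SPOKES, CLOUD, 443),
    Rule("allow", "udp", SPOKES, CLOUD, 7351),
    Rule("deny", "any", SPOKES, "0.0.0.0/0", None),
]

# Common mistake: no explicit deny, so the implicit default decides.
NO_DENY_RULES = GOOD_RULES[:2]

# Worse mistake: deny-any placed first shadows every allow below it.
SHADOWED_RULES = [GOOD_RULES[2]] + GOOD_RULES[:2]


def audit(rules: List[Rule], default_action: str = "allow") -> dict:
    """Summarise what a rule set does to the sample flows."""
    return {
        "management_allowed": all(evaluate(rules, f, default_action) == "allow"
                                  for f in MANAGEMENT_FLOWS),
        "leaks": leaked_flows(rules, MANAGEMENT_FLOWS + OTHER_FLOWS,
                              MANAGEMENT_FLOWS, default_action),
    }


if __name__ == "__main__":
    for name, rules in [("good", GOOD_RULES),
                        ("no explicit deny", NO_DENY_RULES),
                        ("deny first", SHADOWED_RULES)]:
        print(name, audit(rules))
```

The audit makes the two failure modes visible: without an explicit deny at the bottom, everything that is not management traffic falls through to the default and leaks if that default is permissive, and with the deny placed first, the management traffic itself is blocked and the spokes lose their path to the cloud. Whatever the real product's implicit rule is, an explicit final deny scoped to the spoke addresses removes the dependency on it.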
