cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Meraki Design

BT1
Here to help

Meraki Design

I'm kind of new to Meraki and trying to know how the VPN tunnels are established on the branch MX when primary is Internet and secondary is MPLS and vice versa.

 

how can we know like what are the tunnels branch site MX is making with Internet and MPLS ports?

3 REPLIES 3
ww
Kind of a big deal
Kind of a big deal

Re: Meraki Design

https://meraki.cisco.com/blog/2018/06/all-about-autovpn/

 

Both ports need a default route to get to the internet and meraki registry. 

Plain internet uses the public ip to build the vpn tunnel. Mpls use the private ip to direclty build the vpn to the other mpls location 

 

https://documentation.meraki.com/MX/Site-to-site_VPN/Configuring_Site-to-site_VPN_over_MPLS

BT1
Here to help

Re: Meraki Design

Hey, thanks a lot for your reply.

 

However, there are two things that needs more clarification:

 

1> I understand both MX ports have inbuilt default route toward default gateway(that we configure) so as soon as ports are assigned with IP addresses(Pulbic and Private) they would send the Internet traffic to their default gateway(by default feature) to make connection with VPN registry. Is this right? or we need to point some static entry in MX for default route. IF yes then how.

2> how the branch MPLS port is going to make auto vpn with HUB site when it has no direct route for Internet as private IP is configured to this port? I mean what configure is required so this private IP can reach out to Meraki cloud and then it allows to build the auto vpn with HUB site.

3> Do both branch ports make the auto vpn tunnel with all the wan ports at hub site like branch Internet to HUB internet port, branch Internet to HUB MPLS, branch MPLS to HUB internet  and branch MPLS to HUB MPLS

 

It would be great if you can tell me about them as well.

Bruce
Head in the Cloud

Re: Meraki Design

1> Yes the MX will send the traffic to the default gateway configured for the WAN port, nothing else to do here - it will contact the registry.

2> The branch MX will need a connection to the internet. This could either be from your carriage provider with a NATed solution out of the MPLS WAN or by using a VPN concentrator setup at the head-end so that non-VPN traffic from the branch MX can go via the data centre and via another firewall/NAT to the internet.

3> If you have the branch MX configured to build VPN tunnels on both ports then it will try to build all the tunnels it can. Normally, however, there isn’t a path between the Internet and MPLS network that the tunnel can be established on, and so you only get MPLS to MPLS and Internet to Internet.

Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.