Meraki MX , Disable NAT On WAN For Private MPLS connectivity

Pwellion

Hi There

Looking to replace, for a customer, a pair of firewalls (Checkpoint) connecting into their MPLS WAN in an active/standby HA configuration. For reference, these existing Checkpoints do very little apart from some basic FW rules.

The Checkpoints are not NAT'ing traffic and are effectively acting as routers.

I need to ensure that a pair of Meraki MX appliances operating in HA can replace the Checkpoints. I gather that:

1. I need to log a support ticket with Meraki for them to enable the NAT Exempt feature on WAN
2. Obviously need to ensure that the WAN subnet can communicate with Meraki Cloud

I've attached 2 diagrams. The first diagram has the Meraki with a transit LAN and the second has all internal VLAN gateways terminating on the MX LAN. I assume both are supported and, from what I gather, there is only a requirement to configure IP addresses and a VRRP VIP on the WAN links and just a single IP per subnet on the LAN side.

Is the WAN NAT Exemption fully supported (I'm a little dubious to recommend a solution that relies on having to ask support to enable such a basic feature)?
What are typical failover times (based on real-world examples)?


See attached options. 

Any feedback greatly appreciated.

[Diagram: Option 1 - Transit LAN]
[Diagram: Option 2 - VLAN GW]

Brash

Both options here should work. One advantage of using the MX for VLAN gateways is that you can filter inter VLAN traffic with firewall rules.

As for No-NAT, it's definitely a supported option which a lot of people use in MPLS environments. It's now an Early Access feature in the dashboard and so no longer requires a support ticket to enable.

Pwellion

Great, that's a relief. Any experience of failover times with regard to MX running in an HA pair? I've read various resources that indicate this is not always as smooth as expected.

Brash

I've only worked with HA pairs as VPN Concentrators in the datacenter and have never had an issue with failovers there.

One thing a lot of people overlook is that the timings for failover vary depending on the failure scenario.

In the event of a soft failure (outbound HTTP and ICMP tests fail but the physical link remains up), the failover time can take around 5 minutes.

In the event of a hard failure (the physical link goes down), the failover is pretty much immediate (<5 seconds).

Some resources that explain the difference are below.
 https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/Connection_Monitoring_for_WAN_Fail...
Re: MX Circuit Failover timing - The Meraki Community
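As an added example (not from this thread, and not Meraki's own tooling): a small Python script to put numbers on the failover behaviour described above by probing a target through the MX from a LAN host at a fixed interval and reporting every gap in reachability. The target host, the one-second interval, the Linux `ping` flags and the constructed sample results are assumptions for illustration; the thresholds in `classify()` simply echo the "<5 seconds" and "around 5 minutes" figures quoted above.

```python
"""Measure WAN failover as seen from a LAN host behind the MX pair.

Added example, not code from the original thread or from Meraki.
Assumptions: Linux ping flags (-c/-W), 1 s probe interval, and the
constructed SAMPLE results used when no host is given on the command line.
"""
import subprocess
import sys
import time
from dataclasses import dataclass


@dataclass
class Probe:
    t: float   # seconds since the start of the run
    ok: bool   # True if the probe got a reply


def icmp_probe(host: str, timeout_s: float = 1.0) -> bool:
    """One ICMP echo through the system ping binary (Linux: -W is seconds)."""
    try:
        r = subprocess.run(
            ["ping", "-c", "1", "-W", str(int(timeout_s)), host],
            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
            timeout=timeout_s + 1,
        )
        return r.returncode == 0
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return False


def outages(probes, min_gap_s: float = 0.0):
    """Collapse runs of failed probes into (start, end, duration) windows.

    `end` is the time of the first successful probe after the gap, so each
    duration is rounded up to the probe interval. A run that ends while
    still down is reported with end=None.
    """
    windows = []
    start = None
    for p in probes:
        if not p.ok and start is None:
            start = p.t
        elif p.ok and start is not None:
            if p.t - start >= min_gap_s:
                windows.append((start, p.t, p.t - start))
            start = None
    if start is not None:
        windows.append((start, None, probes[-1].t - start))
    return windows


def classify(duration_s: float) -> str:
    """Map a gap to the two failure scenarios described in the thread."""
    if duration_s <= 5:
        return "hard-failure range (link down, immediate failover)"
    if duration_s >= 240:
        return "soft-failure range (probe-based detection, minutes)"
    return "in between; check uplink connection-monitoring settings"


def run_monitor(host: str, interval_s: float = 1.0, duration_s: float = 600):
    """Probe `host` for `duration_s` seconds and return the outage windows."""
    t0 = time.monotonic()
    probes = []
    while time.monotonic() - t0 < duration_s:
        probes.append(Probe(time.monotonic() - t0, icmp_probe(host)))
        time.sleep(interval_s)
    return outages(probes)


# Constructed sample (not real data): 1 s probes, a 4 s gap, then a 300 s gap.
SAMPLE = ([Probe(t, True) for t in range(0, 10)]
          + [Probe(t, False) for t in range(10, 14)]
          + [Probe(t, True) for t in range(14, 20)]
          + [Probe(t, False) for t in range(20, 320)]
          + [Probe(t, True) for t in range(320, 325)])

if __name__ == "__main__":
    if len(sys.argv) > 1:   # live run: python failover.py <host> [seconds]
        secs = float(sys.argv[2]) if len(sys.argv) > 2 else 600
        windows = run_monitor(sys.argv[1], duration_s=secs)
    else:
        windows = outages(SAMPLE)
    for start, end, dur in windows:
        print(f"down at {start:.0f}s for {dur:.0f}s: {classify(dur)}")
```

Run it from a LAN host against an address on the far side of the MPLS while pulling the active MX's WAN cable (hard failure) and, separately, while blackholing its probe targets upstream with the link left up (soft failure); the two recorded gaps are the real-world numbers to put in front of the customer.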

Pwellion

Thanks. Sorry, on that note, is there an option to configure inbound FW rules to control traffic from the WAN/other private sites?
