Meraki

Community

Meraki MX - No NAT - MPLS

MatthewHarrison
Comes here often
‎May 19 2021 4:06 AM
‎May 19 2021 4:06 AM

Meraki MX - No NAT - MPLS

Hi, so at the moment we have multiple sites connected via MPLS, this is the only internet connection at each of the sites. We have the provider router in place, then our Meraki MX's in pass-through mode, so all they are doing at the moment is IDS/IPS, Content filtering, etc.

 

We are looking at having a backup connection, not provided by the same company our MPLS is provided by, we want to put the MX in routed mode, turn on No-Nat and use the MX as the gateway for each of the sites so that we can have both connections on the MX and it can do failover for us.

 

I have already got Meraki to enable No-Nat on the MX's and updated to the correct firmware, just trying to check my thought process really.

 

Not actual IP's below.

 

Site 1 - 192.168.1.0/24

 

Site 1 - Router - 192.168.1.1

Site 1 - MX - 192.168.1.241

 

I'm expecting that if I turn on routed mode, and No-Nat without changing anything on the router, I should only be able to see the router and the MX from another site, and nothing else behind the MX,

 

If I want that to work I would need a static route, on the router, I believe.

 

So the route should be - 192.168.1.0 255.255.255.0 192.168.1.241 - Correct?

 

With that route in place, I shouldn't need anything else I believe, I will be able to access resources on both sites each way?

 

Just want to check I'm not missing anything, and nothing else needs to be on the MX?

 

Another quick question, the MX has the IP of 192.168.1.241, there is also an option in MX Addressing and VLAN's, we want the VLAN's option enabled, but for now, we are only going to have one VLAN's, I'm right in thinking the IP for "MX IP" needs to be different to the main IP of the MX?

 

Any input would be great, just don't want to miss something stupid.

 

Many Thanks

 

Matt

0 Kudos
3 Replies 3
PhilipDAth
Kind of a big deal
Kind of a big deal
‎May 19 2021 2:18 PM
‎May 19 2021 2:18 PM

What you are describing does not require no-nat mode.  You are simply plugging in the MX and MPLS router in the same subnet (the MPLS router would plug into a LAN port on the MX).  You would then use the MX as your default gateway, and plug an Internet circuit into a WAN port on the MX and use AutoVPN for failover.

You would use a tracked static route pointing to the MPLS router, so that it is the primary.

 

What you are describing is almost this scenario.

https://documentation.meraki.com/MX/Deployment_Guides/MPLS_Failover_to_Meraki_Auto_VPN 

That could use no-nat mode.  In the example above, the MPLS router is put on a separate stub to the MX via a VLAN.

In response to PhilipDAth
MatthewHarrison
Comes here often
‎May 24 2021 1:21 AM
‎May 24 2021 1:21 AM

I went ahead a set up the Meraki MX like this, we use the MPLS connection as our primary connection, so I added a static route for 0.0.0.0/0 pointing to the MPLS router.

 

I don't believe this is a setup that is supported by Meraki.

 

We began having routing issues, PC's thinking they arent connected to the internet, etc.

 

Any experience with a setup like that? Is it supported?

 

 

0 Kudos
Bruce
Kind of a big deal
‎May 19 2021 2:19 PM
‎May 19 2021 2:19 PM

You’re going to have to do a bit of network re-architecting to move from passthrough mode to routed mode, even if you’ve enabled no-NAT. 

First of all your MX is going to need a minimum of two IP addresses, one on the WAN port and one for the LAN (and if you use multiple VLANs, another one for each of them too).

 

I very much doubt the route you suggest will have the desired result, in fact the router may well reject it. The router believes that the entire 192.168.1.0/24 subnet is directly attached to it since it has the address 192.168.1.1 with a mask 255.255.255.0 (i.e /24), it’s route table will have this as a directly connected route so it will take precedence over all others.

 

My approach would be to put a new subnet, a /29 (so you can do MX HA in the future if you want), between the router and the MX and move the 192.168.1.1 onto the LAN of the MX.

 

Alternatively, if you can make do with a /25 on your LAN you could carve a /29 out of your current /24 between the router and MX, and use the /25 on the MX. This might be easier if you don’t have control over the MPLS routing, or if it’s hard to change (the /24 still points to the site on the MPLS network, then you use 192.168.1.128/29 between the router and MX, and 192.168.1.0/25 on the MX LAN).

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.