Meraki and VPLS

Twitch
Building a reputation

Meraki and VPLS

Hello to the Crew - I have a question regarding implementing VPLS with Meraki devices. I have very limited knowledge of VPLS, and materials seem to be sparse, though I am finding some on the Cisco sites, but articles specific to Meraki implementation are few and far between.

 

We are transitioning our connectivity between remote sites to VPLS in the very near future. Our current environment runs an MX at each site along with MS switches. My understanding is VPLS is a layer 2 technology that utilizes MAC address translation to determine network paths, basically a layer 2 WAN if I am understanding it correctly. 

 

What typically is done Meraki-wise to configure the VPLS interface? Is there any specific configuration, port settings, etc., that are required? I do not yet have specifics from our VPLS service provider. I'm just trying to get ahead of the curve, so to speak. 

 

If anyone has info, or links to material, I would be grateful. 

 

Thanks!

 

Twitch

7 REPLIES 7
GreenMan
Meraki Employee

Meraki generally, and MX specifically for this, are pretty agnostic towards the underlying network over which they communicate.   The key questions to ask are:
How can my Meraki devices connect to the network?   In most cases we're generally talking RJ-45 ethernet, though other form factors, such as ethernet over fibre could well be applicable, for more powerful MX models.   How is your VPLS presented?

Will my underlying network carry IP traffic?   (VPLS is, I think, agnostic as to the layer-3 you use;   you probably wouldn't, but you could, theoretically use IPX over it too!?)

Can my Meraki devices access the Internet over it?   Meraki is a cloud service, you need to be able to reach all the necessary cloud resources.   For VPLS that would probably mean - does one or more of my sites have an Internet break-out and how do I ensure my meraki devices can reach it?   That probably means some routing between your VPLS termination and a perimeter firewall (which will need the right rules).   'Internet' also includes access to public DNS, to resolve Meraki domains and similar.

Hope this helps

PhilipDAth
Kind of a big deal

If you are using AutoVPN at the moment and want to keep using it, then the MPLS setup instructions apply.

https://documentation.meraki.com/MX/Site-to-site_VPN/Configuring_Site-to-site_VPN_over_MPLS 

 

One special note - make sure all the VPLS notes connected to the Internet via a single public IP so that the cloud knows that they are all on one private network.

cmr
Kind of a big deal
Kind of a big deal

We run our Meraki SD-WAN with one MPLS WAN and one VPLS WAN, as @PhilipDAth said, make sure that the Meraki cloud sees all of the MXs as coming from the same IP and it will work fine. 

 

VPLS is effectively the same as MPLS without needing to keep asking the carrier to change settings etc. as you control it all 😈.  You can also easily use NO-NAT on the MXs with VPLS due to the transparent nature of it

 

In our experience the latency and stability is better so we are currently replacing the MPLS WAN with a second VPLS WAN and I don't see a future for MPLS.

Twitch
Building a reputation

Thanks everyone for the replies. I have a question regarding the single IP address - we have multiple locations in several states that will be connected to the VPLS service. Traffic from the remote sites will be traveling through our main location in Virginia to reach the Internet. Is it safe to assume that our public IP at our main office will become the IP of all Meraki devices as it relates to the Meraki cloud? 

 

I have zero experience with MPLS and VPLS, so I am playing a game of catch-up in terms of understanding the technology and what needs to be done on our end to make this transition to VPLS go smoothly, so I appreciate your advice very much. 

 

Thanks, guys. Have a great day.


Twitch 

cmr
Kind of a big deal
Kind of a big deal

@Twitch If the WAN traffic from other states goes through to the Virginia site and then to the internet then, yes, it should all be on the same IP unless the firewalls at the Virginia site are programmed to put it on a different IP.  Easiest way to check is to go to http://time.org from each site and it will tell you the IP it thinks you are coming from.

Twitch
Building a reputation

Thanks @cmr. Considering that our Internet edge is effectively moving to our Virginia location, would it even be necessary for us to maintain MXs at each of our remote locations, or could we just run switches alone there? 

 

I'm still not clear about how the VPLS service will terminate into our equipment with regard to port type - will it need an Internet port (in which case we would need to keep our MXs), or can it terminate into a standard switch port since VPLS is Layer 2 aware and does not use Layer 3? That is, if I'm understanding it correctly...

 

If I'm able to reclaim those MXs from the remote sites, then I can implement MX failover at other sites since I will have gained redundant MXs. 

cmr
Kind of a big deal
Kind of a big deal

@Twitch whilst it is true that VPLS is effectively layer 2, so you could have just switching, this would mean that your broadcast domain spanned all your sites and the switches would need to perform spanning tree negotiations etc, across all sites. 

 

We have MX HA pairs at each site and their WAN ports can directly see each other.  As we have two WANs we can load balance across the two links.  If you had a switch at each site, you *could* use LACP to bond two ports (VPLS WANs) together but I think this would be a horrible mess if and when there was any congestion or packet loss etc.

 

In short, I wouldn't get rid of the MX at each site just yet.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels