Is there any best practice configuration guide for NAT Mode VPN Concentrator?
I need to use it in split-tunnel mode.
What I understand I can only use static routing (not OSPF or BGP) to announce LAN subnets to the hub for nat mode concentrator, I plan to configure the hub as being a Default route.
Hi @UmutYasar the official documentation is here https://documentation.meraki.com/MX/Deployment_Guides/VPN_Concentrator_Deployment_Guide and note that you can actually run OSPF route advertisement out of the MX VPN concentrator when it's running in NAT/Routed mode. Note that it will only advertise the routes (as external type 2) and will not learn routes. It's basically to take all of the remote site routes in the AutoVPN domain and advertise them into an OSPF area. Note that if you are doing OSPF route advertisement out of the NAT mode concentrator you do need to have VLANs disabled, in NAT/Routed mode it's either VLANs or OSPF.
Thanks for your reply. I saw this document. But in my deployment, I need to connect NAT mode vpn concentrator(that's in head office) directly to the internet with 2 uplinks (without core router, sw, or firewall). I want to connect it to a lan switch but to form HA pair only (not for connecting lan devices, I'll move lan devices later from mpls ce router to the meraki vpn concentrator). I need to connect meraki mx to an mpls CE router, to reach DC servers (located in mpls cloud). I need to use static routing on vpn hub to reach dc servers via mpls ce router, since Meraki does not support dynamic routing with another router. Or put a middle router to speak dynamic with the mpls ce and speak static with meraki vpn concentrator.
I need meraki spokes to reach DC servers through auto-vpn via vpn concentrator but go to internet for rest via spli tunnel. After that we will move all sites from mpls routers to meraki routers. This is a temp design until servers will move to the cloud. After that all sites will use internet, we'll disable auto-vpn.
What do you think, Is it applicable, do you see any problem or any recommendation? Is there any guide for this kind of hub deployment?
If I understand correctly then I believe what you are doing should work. Use a static route on the MX to the MPLS CE router (the MPLS CE router will need the reverse route), you will also need to include the static route into the AutoVPN so that the remote sites learn of it (i.e. 'VPN on' under VPN participation).
When you deploy the branch (spoke) sites you make sure the Default Route check box is clear in the Site-to-Site VPN configuration, and the site's Local Network is set to 'VPN on' for the VPN participation. This way for IP routes that are advertised over the AutoVPN the traffic will be tunnelled to your concentrator, for all unknown routes the traffic will be NATed by the MX and sent to the internet.
When you move fully to the cloud you could still use the Auto-VPN between sites, and quite possibly also to the cloud service, although that depends on whether you're moving to an IaaS or SaaS cloud offering.
EDIT: if you're doing a redundant pair of MXs then you would be best off connecting the CE MPLS router to the switch, otherwise losing an MX could potentially mean you lose the connection to the DC. That said, the switch then becomes the single point of failure, so I suggest you give some thought to what you are trying to achieve with redundant MX appliances, and what your failure scenarios are.
Thank you for your reply and recommendations. MPLS CE already connected to lan switch in production. LAN devices on switch reaching DC servers via MPLS CE. I want to connect 2*meraki mx to the switch(stack) as well for HA, and another link to connect mpls router for routing. And at some point, I'll need to move LAN switch from MPLS CE to Meraki MX and use MPLS CE only for a gateway to the MPLS (DC servers). I think what you're saying is keep meraki mx as a primary gw and mpls ce as secondary gw for head office devices connected to LAN switch (keep lan sw connected to both meraki mx and mpls ce), seems a good idea. Am I correct?
@UmutYasar With the two MX appliances you connect both to two different switches in a stack, see the bottom diagram on this page, https://documentation.meraki.com/MX/Deployment_Guides/MX_Warm_Spare_-_High_Availability_Pair - just make sure the switches are running spanning-tree (STP). With the routing I would put the MPLS CE connection into its own VLAN and have the gateway for this VLAN on the MX appliances, that way you can keep all the routing into and out of the site on the MX appliances (especially if you plan to move away from the MPLS eventually). The routing between the MX and MPLS CE will be static.
As you say, the MX becomes the primary gateway for the site, and since it has a route to the MPLS CE, will route traffic there when required. Although the MPLS CE will remain physically connected to the LAN switch, logically it will be directly connected to the MX device. The only thing to be aware of here is the throughput to the MPLS CE, since its all running though the MX you need to make sure you are within the spec's of the MX device. Do you know what the throughput on the MPLS is, and what MX device do you have?
Yes, I plan to configure a separate VLAN interface for the MX and MPLS CE connection and have a static route on mx for DC subnet pointing to MPLS CE. I think you're meaning the switch to MX connection here, yes I'll configure this connection on the MPLS CE vlan (same vlan that LAN devices use) and change their GW to this new vlan interface on MX. Them the lan devices will go to mx then mpls ce router to reach the dc servers.
The throughput on the MX should be fine, it's FW throughput is 4G and VPN throughput is 1G. But MPLS throughput possible to be increased since it will be the new gw for the Meraki sites.
Sounds like you are on the right track with head office. As you move the branch (spoke) sites over to the Meraki MX (Auto VPN) you'll most likely need to get your MPLS provider to update their routing. You'll need to make sure that the return route from the DC to the branch (spoke) is via the head office site, otherwise the traffic won't be able to get back to the head office MX and into the Auto VPN. You'll have to work with your MPLS provider on this one, hopefully its just updating the MPLS CE at the head office (and maybe the spoke), if they support dynamic routing you may be able to do it with the OSPF integration that @MerakiDave mentioned.
Yes, return traffic from DC will go from MPLS CE, the provider needs to update this route. I may not do with ospf from mx because Bruce said it's either vlans or ospf on nat mode concentrator, I may need VLANs.
Also, he's saying it will not learn routes, that it'll not learn DC servers subnet from MPLS CE router via OSPF. But I can advertise routes to MPLS ce via ospf and configure a static route to the mpls ce for the DC servers. I'll consider this if they support dynamic routing.
Hi @MerakiDave, Can I run BGP route advertisement out of the MX VPN concentrator when it's running in NAT/Routed mode? Can it take all of the remote site routes in the AutoVPN domain via IBGP and advertise them to EBGP neighbor (MPLC CE router)? I read in routed mode EBGP is not supported.
@UmutYasar Unfortunately the BGP integration is only available when running the MX in VPN concentrator mode. But it does work as you say - it runs iBGP across the AutoVPN, and then eBGP to another device (e.g. your MPLS router), exchanging routes in both directions.
@UmutYasar there actually is a way to run BGP out of the MX VPN Concentrator when it's running in NAT/Routed mode, however it would need to be enabled via Meraki Support and would be considered an exception, as the MX would essentially be acting as a 2-armed VPN Concentrator then. There isn't anything in the Dashboard UI to be able to configure it. I would suggest going over the design options with your Meraki SE to come up with the plan forward for this one. Perhaps this is the config you'll end up with but it might be considered beta, may or may not ever be more than beta, so best to work with your local Meraki team to engage with the product team for input.
@MerakiDave ISP said that they use BGP for MPLS. What is the disadvantage of a 2-armed VPN Concentrator? Can I still use L7 Firewall functions for this Mode? What do I need to sacrifice from? I guess I will need to disable VLAN, what else, do you know?