Network Backup config

Solved
Masterlure
New here

Good morning, let me describe the scenario we have. Currently we have two networks in one organization. The main firewalls are configured with a couple of IPSec tunnels, and we would like to replicate the same in the other network. The purpose we are looking for is to be able to move the traffic to the other firewalls in case the main line with the ISP goes down.

1 Accepted Solution
rhbirkelund
Kind of a big deal

You can control the Non-Meraki VPN by using Network tags.

From the Meraki point of view you'd only have to configure one VPN, as this configuration will be replicated to all MXes.

Using Network Tags you can then control that the VPN should only be available on the Combined Network. In the case that connectivity is lost on the Combined Network, you can move the Network tag to the SDWAN network. This will result in the VPN then being available on this MX.

However, this would have to be a manual task, since there is no mechanism to move this connection automatically. Perhaps you could use an API by writing a script that will monitor internet connectivity on the combined network. In case that fails, the script would then remove the network tag, and in turn add the tag to the SDWAN network.

From the ISP router point of view, you'll have to create two VPN profiles: one for the Combined Network MX, and one for the SDWAN MX.

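The script suggested in the answer above, sketched as an added example (not part of the original post, and not rhbirkelund's or Meraki's code). It assumes the Dashboard API v1 endpoints for listing networks, reading appliance uplink statuses and updating a network, a hypothetical tag name `vpn-active`, an API key in the `MERAKI_API_KEY` environment variable, and that an uplink reporting `active` means the primary line is up.

```python
import json, os, urllib.request

API = "https://api.meraki.com/api/v1"
VPN_TAG = "vpn-active"  # hypothetical tag selected as availability for the Non-Meraki VPN peer

def primary_is_up(uplink_statuses, primary_net):
    """True if any uplink of an appliance in the primary network reports 'active'."""
    return any(up.get("status") == "active"
               for dev in uplink_statuses if dev.get("networkId") == primary_net
               for up in dev.get("uplinks", []))

def plan_tag_move(networks, uplink_statuses, primary_net, backup_net, tag=VPN_TAG):
    """Return {networkId: new_tag_list} for the networks whose tags must change.
    Updating a network replaces its whole tag list, so unrelated tags are preserved."""
    holder = primary_net if primary_is_up(uplink_statuses, primary_net) else backup_net
    changes = {}
    for net in networks:
        if net["id"] not in (primary_net, backup_net):
            continue  # never touch networks outside the failover pair
        old = list(net.get("tags", []))
        new = [t for t in old if t != tag]
        if net["id"] == holder:
            new.append(tag)
        if sorted(new) != sorted(old):
            changes[net["id"]] = new
    return changes

def call(method, path, body=None):
    """Minimal Dashboard API call; the key is read from the environment, not the script."""
    req = urllib.request.Request(
        API + path, method=method,
        data=json.dumps(body).encode() if body is not None else None,
        headers={"Authorization": "Bearer " + os.environ["MERAKI_API_KEY"],
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def run_once(org_id, primary_net, backup_net):
    """One monitoring pass: read state, move the tag if needed, return what changed."""
    networks = call("GET", f"/organizations/{org_id}/networks")
    statuses = call("GET", f"/organizations/{org_id}/appliance/uplink/statuses")
    changes = plan_tag_move(networks, statuses, primary_net, backup_net)
    # Apply the removal before the addition so both MXes never hold the tunnel at once.
    for net_id in sorted(changes, key=lambda n: VPN_TAG in changes[n]):
        call("PUT", f"/networks/{net_id}", {"tags": changes[net_id]})
    return changes
```

Pagination, rate-limit retries and a hold-down timer against flapping are left out; run `run_once` from a scheduler on a host that does not depend on the primary line.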

5 Replies
Masterlure
New here

[Attached images: now_topology.jpg, topology.jpg, backup_topology.JPG]

PhilipDAth
Kind of a big deal

PS. If you want to make this really simple, set up a warm spare MX at the same location and use a VIP. The VPN can then automatically fail over between MXs. You'll need an Internet circuit with a minimum of a /29 to accommodate this.

https://documentation.meraki.com/MX/Deployment_Guides/MX_Warm_Spare_-_High_Availability_Pair

Masterlure
New here

I'm going to test the IPSec tag-based failover; I think that is the easiest solution.

Thank you for your help!
