New to Meraki - Make sure I order the proper gear

KerrDave
New here

Hi All,

We're switching ISPs and moving to an MPLS network, so decided to replace all of our old hardware at the same time.  We'll have one datacenter with an Internet connection and another connection to the MPLS network.  All other branches will only have an MPLS connection and share the Internet connection at the datacenter.

We plan on using MX64 devices at our branches and an MX84 at the datacenter.

I believe connecting the MPLS is easy enough to do with AutoVPN, but I'm not sure how I would go about sharing the internet connection.

I was going to use one WAN port on the MX84 for the MPLS and the other for our Internet connection, then just add static routes from the MPLS network to the internet.

Does this sound like a reasonable plan?

I'm new to the Meraki world and only recently received my demo MX64, but haven't really had a chance to play with it yet.  So before I go ahead and order the equipment, I just want to make sure I'm on the right track.

Thanks,

Dave

jdsilva
Kind of a big deal

This isn't a great use case for the MX.

The biggest issue is, today, you cannot disable NAT on the MX. So you're going to have to NAT your private IP space inside your own network at the branches. This also implies you're going to have to manage port forward rules at the branches for any traffic that needs to establish a connection in the to-branch direction. Of course, if you run everything inside of VPN tunnels then you can get around this.

Further, if your MPLS doesn't have Internet access then you cannot connect a WAN port of the MX84 at the DC to it. MX WAN ports require Internet access and will not forward traffic without it. 

Meraki does have a recommended topology for what you're trying to do, it's just not really the best solution.

https://documentation.meraki.com/MX-Z/Site-to-site_VPN/Configuring_Site-to-site_VPN_over_MPLS

Adam
Kind of a big deal

We have a similar configuration.  Our MPLS circuits are set up as LAN and we just have a 0.0.0.0/0 route to send traffic to our colocation center, which routes stuff to the internet.  In the event we have a solid internet pipe at the site, we route internet stuff out the normal WAN interface and selectively route private traffic to the MPLS. It isn't ideal, but if you set up MPLS on the WAN connection it passes the traffic as the WAN/MX IP.

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
benny
Getting noticed

@jdsilva

I've almost successfully deployed a full Meraki network over our MPLS / single DC over the past year. Meraki now have no-NAT mode, which has been the icing on the cake. Previously we were getting around issues with 1:1 NAT with private addresses.

15.9 seems to be stable and is the latest no-NAT image. No-NAT allows the MX to run as an L3 router.

Regards,

Ben

jdsilva
Kind of a big deal

@benny Yup, but here I don't usually suggest a pre-beta firmware and a beta feature as something someone should deploy into their prod networks. I've been testing the No-NAT myself and it's going to make so much stuff easier to do, but until Meraki gets it to at least a beta firmware it's a no go for me. 

Adam
Kind of a big deal

@jdsilva wrote:

@benny Yup, but here I don't usually suggest a pre-beta firmware and a beta feature as something someone should deploy into their prod networks. I've been testing the No-NAT myself and it's going to make so much stuff easier to do, but until Meraki gets it to at least a beta firmware it's a no go for me.

I'm in the same boat for my networks.  It's another one of the reasons I haven't looked more deeply into the Insight product yet since it still requires a beta firmware. 

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
PhilipDAth
Kind of a big deal

I would use the AutoVPN over MPLS design for your case.

https://documentation.meraki.com/MX-Z/Site-to-site_VPN/Configuring_Site-to-site_VPN_over_MPLS

As you roll out each site you need to get the MPLS provider to change the address to be a "stub" range. This then plugs into the WAN port on the MX64.  The main site subnet will move onto the MX64.  The MX64 builds a VPN back to the MX84 at the DC, and connectivity to the subnet drops out there.

You then can easily install backup Internet circuits for MPLS/AutoVPN failover at select branches.

Note that with this design it is very important that the MX WAN interfaces plugged into the MPLS circuits can get to the Internet.
