Hi All,
We're switching ISPs and moving to an MPLS network, so decided to replace all of our old hardware at the same time. We'll have one datacenter with an Internet connection and another connection to the MPLS network. All other branches will only have an MPLS connection and share the Internet connection at the datacenter.
We plan on using MX64 devices at our branches and an MX84 at the datacenter.
I believe connecting the MPLS is easy enough to do with AutoVPN, but I'm not sure how I would go about sharing the internet connection.
I was going to use one WAN port on the MX84 for the MPLS and the other for our Internet connection, then just add static routes from the MPLS network to the internet.
Does this sound like a reasonable plan?
I'm new to the Meraki world and only recently received my demo MX64, but haven't really had a chance to play with it yet. So before I go ahead and order the equipment, I just want to make sure I'm on the right track.
Thanks,
Dave
This isn't a great use case for the MX.
The biggest issue is, today, you cannot disable NAT on the MX. So you're going to have to NAT your private IP space inside your new network at the branches. This also implies you're going to have to manage port forward rules at the branches for any traffic that needs to establish a connection in the to-branch direction. Of course, if you run everything inside of VPN tunnels then you can get around this.
Further, if your MPLS doesn't have Internet access then you cannot connect a WAN port of the MX84 at the DC to it. MX WAN ports require Internet access and will not forward traffic without it.
Meraki does have a recommended topology for what you're trying to do, it's just not really the best solution.
https://documentation.meraki.com/MX-Z/Site-to-site_VPN/Configuring_Site-to-site_VPN_over_MPLS
We have a similar configuration. Our MPLS circuits are set up as LAN and we just have a 0.0.0.0/0 route to send traffic to our colocation center, which routes stuff to the internet. In the event we have a solid internet pipe at the site, we route internet stuff out the normal WAN interface and selectively route private traffic to the MPLS. It isn't ideal, but if you set up MPLS on the WAN connection it passes the traffic as the WAN/MX IP.
I've almost successfully deployed a full Meraki network over our MPLS / Single DC over the past year. Meraki now have no-nat mode which has been the icing on the cake. Previously we were getting around issues with 1:1 Nat with private addresses.
15.9 seems to be stable and is the latest no-nat image. No-NAT allows the MX to run as an L3 router.
Regards,
Ben
@benny Yup, but here I don't usually suggest a pre-beta firmware and a beta feature as something someone should deploy into their prod networks. I've been testing the No-NAT myself and it's going to make so much stuff easier to do, but until Meraki gets it to at least a beta firmware it's a no go for me.
@jdsilva wrote: @benny Yup, but here I don't usually suggest a pre-beta firmware and a beta feature as something someone should deploy into their prod networks. I've been testing the No-NAT myself and it's going to make so much stuff easier to do, but until Meraki gets it to at least a beta firmware it's a no go for me.
I'm in the same boat for my networks. It's another one of the reasons I haven't looked more deeply into the Insight product yet since it still requires a beta firmware.
I would use the AutoVPN over MPLS design for your case.
https://documentation.meraki.com/MX-Z/Site-to-site_VPN/Configuring_Site-to-site_VPN_over_MPLS
As you roll out each site you need to get the MPLS provider to change the address to be a "stub" range. This then plugs into the WAN port on the MX64. The main site subnet will move onto the MX64. The MX64 builds a VPN back to the MX84 at the DC, and connectivity to the subnet drops out there.
You then can easily install backup Internet circuits for MPLS/AutoVPN failover at select branches.
Note that with this design it is very important that the MX WAN interfaces plugged into the MPLS circuits can get to the Internet.