Honestly, I don't think you should go for a Meraki MX if you plan on keeping your current design with minimal changes.
1 - The WAN interface just needs to communicate with the Meraki cloud. This can be done by assigning a public IP directly or a private IP through NAT. WAN to ISP, for example.
1.1 - not sure what you are asking. The MX has 2 Wan interfaces. You can use both or either one.
1.2 - IPsec is OK, but there is no support for dynamic routing across third-party IPsec tunnels on the MX.
1.3 - MX does not support GRE tunnels on non-WAN interfaces. Just IPsec and Auto VPN across the WAN interface.
1.4 - One-armed concentrator is normally used as an SD-WAN hub. Unless you have more Meraki MX firewalls at remote sites, this is not what you are looking for.
Thanks @MartinLL
Not without more details.
Are you doing full-stack Meraki? Meaning AP, switch and MX in the end?
What is Meraki replacing? Only the site connectivity routers, or the firewalls as well?
Also, traffic flow. Do I understand correctly?
Site B client > firewall inside > firewall subint to VPN router > site A router > firewall subint to VPN router > Site A inside?
I see. If you are dead set on swapping the VPN routers with MX, you need to be content with static routing during the migration phase.
Since it does not look like you will be using the MX as a firewall, I would deploy them in one-armed concentrator mode, build a VPN tunnel to site B and do static routing.
When gear arrives at site B, deploy the MX in the same mode and make it a VPN hub as well. MX at site A and B will build Auto VPN between each other. Then you configure BGP and do eBGP between MX firewalls and FTD firewalls. That solves dynamic routing.
Edit: in case you cannot give internet access from your firewall, you can deploy the MX firewalls in routed mode, connect WAN to your ISP and create a link network VLAN interface on your MX and terminate it on your FTD, then run eBGP on your MX LAN interface instead towards your FTD.
It clarified and helped a lot.
I really appreciate your tips and time.
However, I still have some questions about the migration phase:
1 - Why should I use eBGP and not OSPF? Would eBGP with MX be more practical, or is there no difference if I were to use OSPF?
2 - About the connections between SITE A and B using "one-armed" (I'm studying the link below):
https://documentation.meraki.com/MX/Deployment_Guides/VPN_Concentrator_Deployment_Guide#VLAN_and_Sta...
2.1 - We currently use a Tunnel with IP addresses from RFC 1918
2.1.1 - With Meraki, should I have a public IP on both ends, closing the IPsec tunnel only with the WAN IP of router 890 (the ISP's IP that is configured on gi0/0/3 of the router), or should I have some other configuration?
I ask because I will have to undo the tunnels, apparently losing the configurations of the interfaces/subinterfaces that are directly connected.
I still have doubts about how the configuration will be in this trunk between site A and B, and how Meraki will have connectivity with the Router.
Please excuse my ignorance, but I really needed some light on this connection.
No problem.
This should answer your OSPF question. There are quite a lot of limitations, especially when it comes to route advertisement. BGP is more flexible.
You can do Auto VPN across RFC 1918 space, but for that to work, both site A and B MX must exit to the internet on the same public IP. And for it to work, this interface MUST be connected to WAN.
If the ISP can provide internet access for your WAN interfaces on each site, I would do that. It just simplifies the setup.
If you want Meraki SD-WAN, you must terminate the VPN tunnels on the MX.
In all honesty, it does not sound like MX was the correct option for your router replacements. I think you should rework the design to fit the Meraki standard. It's hard to mold Meraki into something that it was not meant to do.
Another option is to wait with the MX until you get site B gear. You can deploy everything else. Then, when you are ready, you can build your SD-WAN.
Yes! Thank you for the information and clarity in the details.
Yes! I will talk internally about when the MX for site B will arrive, because from what we discussed, it will simplify the configurations and architecture with BGP.
Both router B and router A have an internet address, but they are from different operators, so the addresses are also different. I believe that this will not matter. This IP address will be configured on the Meraki WAN interface for connection to the cloud, and then I will configure BGP on the firewall to redistribute the routes and connect between the sites.
I will think a little more about this topic, because it is not that simple and I did not draw it, I am following the project of another engineer who has already left the company.
Thank you very much!!!
Personally, I would wait until you can do both sites at the same time. Much less complexity and risk.