Meraki

Community

Questions on Meraki MX traffic steering

beta-389-user
Getting noticed
‎Oct 17 2024 9:04 AM
‎Oct 17 2024 9:04 AM

Questions on Meraki MX traffic steering

have questions for our new Meraki proposed setup with Enterprise License, and would want to know your experience with those regarding below questions

1. Can we connect internet and MPLS lines on single or dual MX?

2. If we have two internet lines, can we use FQDN based traffic steering to route certain traffic via the primary link and other traffic via the secondary? 3. If we use ZScaler as our SSE, can we specify whether Zscaler traffic should flow over the primary or secondary internet line only? 4. Does routed mode on Meraki imply that it is internet facing, or can it be behind firewall or router and still be in routed mode?

0 Kudos
2 Replies 2
GIdenJoe
Kind of a big deal
Kind of a big deal
‎Oct 17 2024 1:24 PM
‎Oct 17 2024 1:24 PM

I will have a go at a few of your questions:
1) There is not difference when connecting a single or dual MX.  However each MX uses up an IP address and if you want better failover times you must use a 3rd vIP.  So if these are private IP's then no problem but if you use a public subnet you need to allocate at least a /29 to get by.
2) On an enterprise license for local breakout you can only use IP and port information for your uplink preferences.  SD-WAN traffic can use application recognition.
3) If  you are tunneling towards a non Meraki solution for internet breakout you will only be able to use a non-Meraki VPN and this will only use the primary uplink and failover to a secondary if the primary fails.  However the upstream device needs to be able to account for the different IP to build the other VPN.
4) Routed mode means it routes traffic from the LAN ports to the WAN ports and does NAT the source IP.  So there can be another firewall in front or it can be directly internet facing.

PhilipDAth
Kind of a big deal
Kind of a big deal
‎Oct 17 2024 1:27 PM
‎Oct 17 2024 1:27 PM

>1. Can we connect internet and MPLS lines on a single or dual MX?

 

Yes, but extra consideration needs to be given to this configuration.  One special thing to note is that the MX always requires access to the Internet via a WAN port.

Sample configurations:

https://documentation.meraki.com/MX/Networks_and_Routing/Integrating_an_MPLS_Connection_on_the_MX_LA...

https://documentation.meraki.com/MX/Deployment_Guides/MPLS_Failover_to_Meraki_Auto_VPN

https://documentation.meraki.com/MX/Site-to-site_VPN/Configuring_Site-to-site_VPN_over_MPLS

 

>2. If we have two internet lines, can we use FQDN based traffic steering to route certain traffic via the primary link and other traffic via the secondary?

 

On an enterprise licence, no.  You can only do it IP address.

https://documentation.meraki.com/Architectures_and_Best_Practices/Cisco_Meraki_Best_Practice_Design/...

 

I *think*, not sure, that an Enterprise licence might be able to do category based flows.  Most customers buy Advanced Security licences (one up from Enterprise), so I don't have much exposure to the the reduced Enterprise feature set.

 

PhilipDAth_1-1729196609083.png

 

 

An SD-WAN Plus licence let you route via "major" application.

PhilipDAth_0-1729196488191.png

 

>3. If we use ZScaler as our SSE, can we specify whether Zscaler traffic should flow over the primary or secondary internet line only?

 

I guess so.  It will use whatever you have configured as the primary circuit.  With Zscaler you have to use tag based failover to have a backup circit configured.  Typically this configuration requires 100% of all traffic to go to Zscaler - so the above exemptions don't apply.

https://documentation.meraki.com/MX/Site-to-site_VPN/Tag-Based_IPsec_VPN_Failover

 

Is there any reason you are not considering Cisco Umbrella?  Like Zscaller, but has really nice native integration, in many different ways.

 

>4. Does routed mode on Meraki imply that it is internet facing, or can it be behind a firewall or router and still be in routed mode?

 

It can sit behind another device.  Note that in routed mode that all traffic (at least by default) is NATed was it passes through its WAN interface to the WAN interface IP address.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.