Routing RFC 1918 addresses

steakandeggs

We've got a private circuit coming into a location and I'd like to know if anyone has experience routing traffic with an MX in such a situation. Does it work the way a router does? It would be static routes. Currently it is served by a Cisco 2911. We are replacing the 2911 with a pair of MX85s.

 

Sample topology

 

Internet --- metro e rtr 10.1.1.1 --- 10.1.1.2 MX85 10.3.1.1 --- LAN

 

This would be a temporary situation as we're converting to DIA fiber soon. 

 

Twist: There is a backup LTE connection that would go into one of the MX85's. We'd do an IPSec third party VPN tunnel over this connection. I see no reason why that couldn't serve as backup, but maybe there are some limitations to the MX I'm not considering here.

1 ACCEPTED SOLUTION
Brash
Kind of a big deal

You can do routed mode with No NAT, but it requires Meraki support to enable it on your dashboard.

Once the feature is enabled on the dashboard, NAT bypass can be enabled on a per WAN interface or per vlan basis.


alemabrahao
Kind of a big deal

@steakandeggs, yes, it works like a router; the only difference is that NAT mode is automatic on the MX.

 

https://documentation.meraki.com/Architectures_and_Best_Practices/Cisco_Meraki_Best_Practice_Design/....

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Can you disable NAT? Can I have one WAN interface routing with no NAT enabled, and a second WAN interface routing with NAT enabled?

MX has two Deployment Options (Routed (NAT) Mode and Passthrough/VPN Concentrator Mode)

 

Routed (NAT) Mode
Routed mode on a Cisco Meraki MX is best used when the security appliance will be connecting directly to your internet demarcation point. When this is the case, the MX will have a public IP address that is issued by the internet service provider. The MX will also be the device handling the routing for clients to the internet, and any other networks configured for the device to communicate to.  This mode is optimal for networking environments that require a security appliance with Layer 3 networking capabilities.

 

NAT Mode Considerations
A Cisco Meraki MX security appliance operating in NAT mode is best deployed when its WAN connection is directly connected to the ISP handoff
An MX can operate in NAT mode if it is behind another Layer 3 device that is also performing NAT, but you may run into complications with Meraki cloud connectivity, as well as some features such as Meraki Auto VPN


Passthrough/VPN Concentrator Mode
Passthrough mode on a Cisco Meraki MX configures the appliance as a Layer 2 bridge for the network.  The MX in this mode will not perform any routing or any network translations for clients on the network.  Passthrough/Concentrator Mode is best used when there is an existing Layer 3 device upstream handling network routing functions.  The MX in this instance would still act as a security appliance, but with less functionality for Layer 3 networking.

The recommended use case for the MX security appliance in passthrough mode is when it is acting as a VPN Concentrator for the Cisco Meraki Auto VPN feature.  Passthrough/VPN Concentrator mode ensures easy integration into an existing network that may already have layer 3 functionality and edge security in place.  With this mode, a Cisco Meraki MX security appliance can be integrated into the existing topology and allow for seamless site to site communication with minimal configuration needed.

 

Passthrough/VPN Concentrator Considerations
The Cisco Meraki MX will not perform Layer 3 functions such as NAT or routing.
An MX in passthrough/VPN concentrator mode will act as a layer 2 firewall that will integrate into the existing LAN with a layer 3 routing appliance upstream.
VPN destined traffic will need to be directed to the MX security appliance for effective routing to the VPN endpoint. As such, static routes on other Layer 3 capable devices may be needed for full VPN functionality.
MX appliances in passthrough are able to allow IPv6 traffic to pass across the existing LAN if the traffic flows through the MX.


Thanks @Brash ! In your experience, is this a stable configuration? Sounds like I'd only want to do it if I really need it.

I'm using that feature for more than a year and haven't experienced problems with it so far.

I've used NO-NAT a lot with no issues.  You can't use it with client VPN - that is the only gotcha I know of.

Brash
Kind of a big deal

I'm using it at one of my sites and it's been perfectly stable for me. It's just a bit of a 'non traditional' deployment type.

One caveat: LAN interfaces will not do DHCP relay to subnets not on the LAN. Which is fine because your DHCP server/s should usually never be anywhere else. 
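The practical difference between the MX's default NAT mode and the support-enabled NAT bypass described in the accepted answer is who has to carry a return route for 10.3.1.0/24. Below is an added example (not code from the original post, from Cisco Meraki, or from the MX dashboard) that models the sample topology and works that out for both modes, emits the matching `ip route` line for the upstream 2911/metro-E router, and flags the two caveats raised later in the thread (client VPN, and DHCP relay to a server that is not on an MX LAN subnet). The /30 on the WAN link, the /24 on the LAN, the `Mx` dataclass and all of its fields are assumptions made for illustration; the MX itself is configured in the dashboard, not by this script.

```python
"""Route-plan checker for an MX placed behind an RFC 1918 private circuit.

Added example, not from the original post or from Cisco Meraki. It models the
thread's sample topology (metro-E router 10.1.1.1 <-> MX85 WAN 10.1.1.2, MX85
LAN 10.3.1.1/24) and works out, for NAT mode and for NAT bypass ('no NAT'),
which static routes each side must hold. Prefix lengths, the Mx dataclass and
its flags are assumptions for illustration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# RFC 1918 spelled out: ipaddress.is_private is broader (loopback, link-local,
# documentation ranges) and would give the wrong answer for this check.
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in n for n in RFC1918)


@dataclass
class Mx:
    wan_ip: str                     # MX WAN address (10.1.1.2 in the thread)
    wan_subnet: str                 # assumed /30 between MX and metro-E router
    wan_gateway: str                # upstream router (10.1.1.1 in the thread)
    lan_subnets: list               # MX LAN/VLAN subnets (10.3.1.0/24 assumed)
    nat_bypass: bool = False        # 'no NAT' on this WAN, enabled by Meraki support
    client_vpn: bool = False        # dashboard client VPN feature
    dhcp_relay_targets: list = field(default_factory=list)  # DHCP servers relayed to


def source_seen_upstream(mx: Mx, client_ip: str) -> str:
    """Address the metro-E router sees for a LAN client's packet."""
    return client_ip if mx.nat_bypass else mx.wan_ip


def plan(mx: Mx) -> dict:
    """Static routes each side needs, plus sanity problems and thread caveats."""
    wan_net = ip_network(mx.wan_subnet)
    lan_nets = [ip_network(s) for s in mx.lan_subnets]
    problems, caveats = [], []

    # The next hop must be on-link with the WAN subnet or the MX cannot ARP for it.
    if ip_address(mx.wan_gateway) not in wan_net:
        problems.append(f"WAN gateway {mx.wan_gateway} is not on-link with {mx.wan_subnet}")
    for a in (mx.wan_ip, mx.wan_gateway):
        if not is_rfc1918(a):
            problems.append(f"{a} is not an RFC 1918 address")

    # MX side is the same in both modes: LAN subnets are connected, everything
    # else follows the default route toward the metro-E router.
    mx_routes = [("0.0.0.0/0", mx.wan_gateway)]

    # Upstream side: with NAT the router only ever sees mx.wan_ip, so it needs no
    # route to the LAN. With NAT bypass, packets leave with the client's own
    # 10.3.1.x source, so the router needs a return route for every LAN subnet.
    if mx.nat_bypass:
        upstream_routes = [(str(n), mx.wan_ip) for n in lan_nets]
        upstream_ios = [f"ip route {n.network_address} {n.netmask} {mx.wan_ip}" for n in lan_nets]
    else:
        upstream_routes, upstream_ios = [], []

    if mx.nat_bypass and mx.client_vpn:
        caveats.append("client VPN cannot be used together with NAT bypass (per the thread)")
    for t in mx.dhcp_relay_targets:
        if not any(ip_address(t) in n for n in lan_nets):
            caveats.append(f"DHCP relay to {t}: LAN interfaces will not relay off-LAN (per the thread)")

    return {
        "mx_routes": mx_routes,
        "upstream_routes": upstream_routes,
        "upstream_ios": upstream_ios,
        "problems": problems,
        "caveats": caveats,
    }


if __name__ == "__main__":
    # Constructed sample matching the thread's topology.
    mx = Mx(wan_ip="10.1.1.2", wan_subnet="10.1.1.0/30", wan_gateway="10.1.1.1",
            lan_subnets=["10.3.1.0/24"])
    for bypass in (False, True):
        mx.nat_bypass = bypass
        print(f"nat_bypass={bypass}: upstream sees {source_seen_upstream(mx, '10.3.1.50')}")
        for line in plan(mx)["upstream_ios"]:
            print("  2911 needs:", line)
```

Run it once with `nat_bypass=False` and once with `True` to see why the upstream router is untouched in NAT mode but needs `ip route 10.3.1.0 255.255.255.0 10.1.1.2` once NAT bypass is on; if the private circuit were replaced by DIA fiber, the `is_rfc1918` check would start flagging the WAN side, which is the cue to go back to plain NAT mode.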
