SD-WAN Design Question


SD-WAN Design Question

I'm trying to wrap my head around routing with SD-WAN implemented. I'm going to request a free trial but before I do so I want to make sure that I have a design so I can hit the road running.


I currently have a branch office that has it's own internet connection and it has a corporate MPLS connection. The site has less than 10 users so I would be putting an MX64 there. The internet will plug into one port and the MPLS handoff from the router will plug into the other. No issues there.


Lets move to HQ/Data Center where the bigger concentrator will live. I'm thinking the MX100 which will terminate all the VPN connections from the branch offices. So I get this my MX100 will need to have a public IP address to be able to terminate the VPN tunnels over the internet but my questions revolve around routing on the MPLS. Right now my HQ is learning the routes for all my branch offices via OSPF. Envision this. A users at the branch office is destined for a file server at HQ and the path that is taken is over the MPLS through the MX64. It makes it to HQ via the MPLS and comes out of the MX100. The packet makes it to the file server. The File server responds but routing sends the response to the MPLS router in HQ instead of the MX100. I think of a solution that will fix this asymmetrical routing. Does the MX device in HQ participate in OSPF?

4 Replies 4
Here to help

 I can't directly answer your question - but I can tell you something about how I've handled my setup in the past.  The MPLS we had here was all administered by the provider, I didn't have any access to their routers, and I didn't have my MX appliances participate in the OSPF / whatever decision making process they had going on.


What I did was put in a static route for each of my remote subnets - so at corporate I'd put in a route on the MX that said send all traffic bound for office #1 to the MPLS router as long as a host is available, then I'd give the IP of the MPLS gateway at the remote site.  Next do the reverse at the remote site, tell that MX to route traffic to corporate via the MPLS router unless a host is down.  Make sure site to site VPN is setup - Then, if the MPLS would fail, the MXs would automatically fail over to the site to site  VPN. We only had about 8 sites to deal with, so this was pretty manageable.  


This setup kept the 'corporate' traffic using the MPLS and internet traffic could use the local ISP at leach office.  


Eventually, we moved away from using MPLS at all, and now just have dual ISPs at each office and let the MX appliances fail back and forth as needed.  You can put traffic shaping rules in there to have it prioritize 'corporate' traffic over say the fiber and only use the cable modem if the fiber is offline.  



Kind of a big deal
Kind of a big deal

If you are just doing a trial, I would run with the static route like @MarkW.


Here are some Meraki Design Guides.


The first is using AutoVPN for failover only.  The MPLS is just routed over.


The second (and my preferred solution), AutoVPN is run over both MPLS and the Internet, and you can use both paths at the same time if desired (thanks to SDN).


Sounds like we have the same setup.  My MPLS network is small, only about 6 sites.  The MPLS is provided by Verizon however I do have access to the router Verizon puts on site.  That router is also the default gateway for my voice and data vlan.  So if you can imagine, my topology is  MPLS Router -> Meraki Switch -> User device.  Would my MX sit in between the MPLS Router and the Meraki Switch.  If so I would need to change the default gateway of the user it points to the MX device.  

Correct, @getnyce32 - Put the MX in place, add routes to it so it knows how to get to the MPLS Gateway and remote subnets, then point your desktop to the MX as your default gateway.  Hopefully you also have a 2nd Internet Line for the MX  all local traffic to the internet and / or VPN failvoer if the MPLS goes down.


The routes you put in have options to check up/down status of another device, and if the remote device is down fail over to the VPN.   The documents that @PhilipDAth linked have details on that setup.   I used this for quite a while, and it worked great once I got it setup.  



Get notified when there are additional replies to this discussion.