SD WAN Scenario

SOLVED
RobC
Here to help

Hello Meraki Gurus,

Thinking about implementing the MX series for one of our customers. I just wanted to share their use case with the community and make sure that everything will work as planned.

The customer has 5 sites on an MPLS network. The plan is to reduce the bandwidth on the MPLS links to bring costs down and use it only for voice traffic and other high-priority applications (no Internet access via this network, just static routes to other sites), while deploying more cost-efficient Internet links for everything else. The question is:

* Can we terminate the MPLS and Internet links directly on the MX appliances and use the Internet link and Auto Mesh functionality as backup should the WAN fail? I.e. can the MPLS subnets be routed over the Internet link during an outage situation?

Regards.

1 ACCEPTED SOLUTION
AlexP
Meraki Employee

Hey Rob,

If I'm understanding your description correctly, it doesn't sound like it - if you have internal subnets you're trying to route like that, connecting to a WAN port on the MX won't work, as we NAT that traffic. I think it's more likely you want to set up something along these lines: https://documentation.meraki.com/MX-Z/Deployment_Guides/MPLS_Failover_to_Meraki_Auto_VPN


9 REPLIES
RobC
Here to help

Thanks Alex,

That doc certainly helps in grasping why the MPLS cannot be connected to the WAN interface.

Thibaut
Conversationalist

You can put the MPLS on the WAN interface.

We have our MX with one MPLS and one Internet line in our stations. The MX creates a VPN on each interface and we have SD-WAN functionalities for MPLS and Internet use (MPLS used as primary for our applications in our datacenter, and failover on the Internet line with the VPN). Actually, the MX has 2 VPN tunnels, one on the MPLS and one on the Internet; it's how the MX works.

Hello,

I'm questioning several things about this SD-WAN configuration for your MX:

1- On its MPLS WAN port, the MX seems to directly act as an MPLS CE (Customer Equipment) in front of the PE from the MPLS carrier, right?

2- If yes, what are the possible protocols the MX can run in such a case: BGP, OSPF, another? What have you programmed here with your MPLS partner/carrier?

3- In the case of MPLS, the MX still needs an Internet breakout to establish its Auto VPN. How did you create this Internet breakout, while some carriers really block any Internet breakout from their MPLS? Is that something you questioned before installing your MX and choosing your provider?

Thanks!

AlexP
Meraki Employee

No, we cannot directly act as a CE device - you'll still need another router to act in such a capacity, as we cannot handle labelled traffic.

Auto-VPN would still have to be done on a circuit that offers some level of Internet access, yes. The topology scenario I linked actually has the MPLS connection terminating on the LAN side, not the WAN.

Thanks for the reply, very helpful.

Two more questions going with it:

Q1: you said that the MX "cannot handle labelled traffic" directly as an MPLS CE connecting to a provider PE.

The Dashboard offers the possibility to make traffic shaping rules with DSCP tagging for some traffic we can define, which is the natural way MPLS tags/prioritizes the packets.

Will this marking be passed to the CE device (and vice versa) and be interpreted end to end?

Q2: you said "Auto-VPN would still have to be done on a circuit that offers some level of Internet access. The topology scenario I linked actually has the MPLS connection terminating on the LAN side, not the WAN." which is fine.

Actually, if your topology terminated on the WAN (and not on the LAN side), how could you arrange for this MPLS to have an exit to the Internet: do you know if we can add a device (FW) and how to program it? Is that a Meraki device we could add in the WAN after a CE router?

I'm pretty sure Auto-VPN (and SD-WAN) will work fine on an MPLS link.

I think Alex's reference to "labelled traffic" means the MX won't run MPLS tagging - but from a typical customer perspective, any Ethernet-delivered IP circuit should be fine.

The MX can now run BGP, but in a "pure" Auto-VPN / SD-WAN environment there's no need as all the routing is done via the tunnels - the MX just uses the WAN IP address for connectivity, so only needs a static route to the PE.
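To make the topology discussed in the replies above concrete (MPLS terminated on the LAN side behind a CE router with a static route, Auto VPN over the Internet WAN as the backup path, ordinary Internet traffic out the NATed WAN default route), here is a small route-selection model. It is an added example, not Meraki's code or anything from this thread; the CE next hop, the branch subnets and the link states are constructed for illustration.

```python
"""Model of the topology this thread converges on: MPLS terminated on the LAN
side of the MX behind a CE router (static route), Auto VPN over the Internet
WAN as failover, plain Internet traffic via the NATed WAN default route.
Added example, not Meraki's code; all addresses and link states are constructed."""
import ipaddress

CE_ROUTER = "10.1.0.254"  # constructed: LAN-side next hop toward the MPLS CE
REMOTE_SUBNETS = ["10.2.0.0/24", "10.3.0.0/24", "10.4.0.0/24"]  # constructed branch LANs

STATIC_VIA_CE = f"static via CE {CE_ROUTER}"
AUTOVPN = "Auto VPN tunnel over Internet WAN"
WAN_DEFAULT = "Internet WAN default route (NAT)"


def build_routes(mpls_up, vpn_up):
    """Return (prefix, next_hop, preference) entries; lower preference wins.
    The LAN-side static route to the CE is preferred while the MPLS link is up;
    the Auto VPN route for the same prefixes is the backup. The default route
    is always present so ordinary Internet traffic never touches the MPLS."""
    routes = [(ipaddress.ip_network("0.0.0.0/0"), WAN_DEFAULT, 30)]
    for net in REMOTE_SUBNETS:
        prefix = ipaddress.ip_network(net)
        if mpls_up:
            routes.append((prefix, STATIC_VIA_CE, 10))
        if vpn_up:
            routes.append((prefix, AUTOVPN, 20))
    return routes


def lookup(dst, routes):
    """Longest-prefix match first, then lowest preference (classic FIB order)."""
    ip = ipaddress.ip_address(dst)
    candidates = [r for r in routes if ip in r[0]]
    best = min(candidates, key=lambda r: (-r[0].prefixlen, r[2]))
    return best[1]


def failover_table(dst):
    """Which path a remote-site destination takes for each link state. With both
    paths down only the NATed default matches, which effectively blackholes
    private traffic: the case the thread is trying to design around."""
    return {
        "both up": lookup(dst, build_routes(True, True)),
        "mpls down": lookup(dst, build_routes(False, True)),
        "both down": lookup(dst, build_routes(False, False)),
    }


if __name__ == "__main__":
    for state, path in failover_table("10.2.0.25").items():
        print(f"{state:10s} -> {path}")
    print(f"internet   -> {lookup('203.0.113.7', build_routes(True, True))}")
```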

RobC
Here to help

Auto-VPN would still have to be done on a circuit that offers some level of Internet access

So, leaving the backup scenario aside: does this mean that even if an MX has Internet access via one of its WAN interfaces, it still needs to be able to reach the Internet via the interface connected to the MPLS in order to establish the Auto VPN tunnel?

We have a similar scenario with no Internet access on the MPLS circuit, so no way to communicate with the VPN registry. We were thinking of an L3 device between the MX and MPLS circuit to route non-tunneled traffic back through the LAN interface of the MX for Internet connectivity. Is this how you accomplished your deployment, or do you have Internet access on your MPLS circuit? 
