Holli69

SD-WAN & VPN

Hi,

I've a question. We have a branch site with an MX95, WAN 1 is fiber, WAN 2 is DSL, and in the data center an MX250-HA VPN concentrator.

Because both are in different organizations, we built a non-Meraki VPN tunnel from WAN 1 (MX95) to the VPN concentrator (MX250-HA).

Everything works fine and the tunnel is stable, but what happens if WAN 1 goes offline?

The tunnel is not built over WAN 2 (DSL) in case of a connection loss of WAN 1 (failover), right?

WAN failover and fallback behavior are set to graceful.

Is dynamic DNS the only way to bring the tunnel up over WAN 2 after WAN 1 loses connectivity and failover occurs?


CptnCrnch

Is there any specific reason why your branch is not a separate network within your Org? This would make your life a lot easier when it comes to using AutoVPN and all of its beauties.

If it really needs to be 3rd party VPN, https://documentation.meraki.com/MX/Site-to-site_VPN/Tag-Based_IPsec_VPN_Failover could prove useful for you.

DarrenOC

I’m guessing they’re two separate Orgs because of the license constraints of not allowing mixed MX license types.

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
Holli69

@DarrenOC: Yes, you're right, we have two different license types on the MXs. We have many orgs because each org has its own budget for IT equipment and licenses.

cmr

@Holli69 if you change orgs to per-device licensing then you can keep the budgets separate without needing separate orgs. This still doesn't allow different levels of MX license (they all have to be either Enterprise, Advanced or SD-WAN Plus). Could that help?

If my answer solves your problem please click Accept as Solution so others can benefit from it.
PhilipDAth

If WAN1 fails, the non-Meraki site-to-site VPN will go down.

If you want to make it bulletproof, create a transit VLAN at your data centre. Add an MX for each organisation in VPN concentrator mode. Then you can use AutoVPN within each org, and route between the organisations using a layer 3 gateway (such as the MX250, a layer 3 switch, etc.).
