Meraki

Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

SD-WAN and IP addresses

jim99
New here
‎Feb 27 2022 9:20 AM
‎Feb 27 2022 9:20 AM

SD-WAN and IP addresses

I have a number of sites with 2 x MXs on each. Each site has two Internet connections, which enter a switch through which they are shared between the MXs, so MX1 has WAN1 and WAN2, and MX2 likewise has WAN1 and WAN2 connections. The sites need to be set up to deliver load balancing auto-VPNs in a full mesdh....SD-WAN.

 

The devices delivering WAN1 and WAN2 are NAT-ing, so upstream of the WAN1 and WAN2 devices there is a public address on each WAN, while downstream (at the MXs), there is a private (RFC1918) address on the uplink for EACH MX. Both WAN1 and WAN2 devices have the capability to support multiple addresses, so for instance WAN1 supports private addresses a.b.c.1 and a.b.c.2,  and WAN2 supports private addresses x.y.z.1 and x.y.z.2 so unique private addresses are configured for each MX. I've shown this below.

 

Question is: do I need two public addresses, one for each MX at each WAN device (total 4) or can I rely upon NAT overload so one WAN address is NATed to two LAN addresses.

 

Alternatively, have I misunderstood the whole thing? I've been through the documentation and I'm just not happy I understand the requirements

 

Thanks

 

Jim

 

 

SD-WAN.JPG

Labels:
0 Kudos
3 Replies 3
KarstenI
Kind of a big deal
Kind of a big deal
‎Feb 27 2022 10:20 AM
‎Feb 27 2022 10:20 AM

I always prefer to have the public IPs on the MXes and I tell the customers to make sure the ISP provides at least a /29 subnet. But still, your scenario will work. I also have it running that way for sites where it is not possible to have public IPs for both MXes.

 

Do the sites use local internet? Then I would ask Meraki support to enable the NAT_Exemption feature. Then you can disable NAT on the MX and just put a static route on the perimeter devices to your internal subnet pointing to the MXes virtual IP.

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Feb 27 2022 11:07 AM
‎Feb 27 2022 11:07 AM

I would use a virtual IP (on for each Internet circuit) in that scenario to help improve recovery after a failure.

https://documentation.meraki.com/MX/Deployment_Guides/MX_Warm_Spare_-_High_Availability_Pair#Virtual... 

 

I would also use manual NAT traversal through to those virtual IPs if possible (so nat a specific port through to each MX).  This will allow the system to recover from a wider range of failures more quickly.

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-Site_VPN_Settings#NAT_Traversal 

0 Kudos
jim99
New here
‎Feb 27 2022 11:48 AM
‎Feb 27 2022 11:48 AM

Thank you both Karstenl and PhilipDAth for your reponses and help.

 

A couple of questions to clarify my understanding...Karstenl, if I understand you correctly, I will have a /29 public subnet available on each of the Internet access links, and each MX will take a public address from each WAN subnet as their port address. Have I understood you correctly?

 

PhilipDAth, you mention "Recovery after failure". I was planning to use a full mesh of auto-VPN load-balancing links, so while I can see the benefit of having vIPs when failing over, because there is no need to ARP for the IP address of the warm spare, I'm unclear if there is a benefit when there is already a running link if the other fails. I read your links (I went through them when trying to find the answer for myself) but given that I'm looking at a fully-configured SD-WAN, I don't understand the benefit...I am missing something

 

Thanks

 

Jim

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.