SD-WAN design - Internet + MPLS with local internet breakout

GianPaolo
Here to help

SD-WAN design - Internet + MPLS with local internet breakout

Hi all,

I'm preparing an SD-WAN PoC for a customer and there's a question still missing an answer about the design; maybe somebody can help.

Network topology is in the diagram below. Site has two links, one Internet connection and one MPLS link to HQ with local internet breakout.

The plan is to use SD-WAN on the two WAN connections, using data path BLUE (MPLS) and RED (INTERNET).

[diagram: 2018-08-21_17h31_03.png]

Based on the AutoVPN documentation, when the public IP is not the same (IP1 and IP3 in the diagram) the VPN will be formed between the public IP addresses and not using the private IPs reachable through the MPLS link:

[screenshot: 2018-08-21_17h32_54.png]

So the traffic path would be RED and GREEN instead of the desired RED and BLUE.

Is that assumption correct? If that's the case, is there a way to force the use of link BLUE instead of GREEN for the VPN?

jdsilva
Kind of a big deal

Meraki doesn't currently have support for the exact topology you're trying to build. They offer a slightly different version, details found here:

https://documentation.meraki.com/MX-Z/Site-to-site_VPN/Configuring_Site-to-site_VPN_over_MPLS

I suspect one day soon this may change... 

AdamB
Meraki Employee

Your MX HUB is going to attempt to reach the MX BRANCH appliance with any address that it is reachable at, including both the interface IP and the public IP reachable at the ISP2 router. So yes, your appliances can establish tunnels on both the blue and red paths, and this will happen automatically.

Hi Adam,

thanks for the answer. I suspected that was the case, similar to what happens with remote Access Points when an SSID is bridged to an MX appliance.

Will the BLUE path be preferred over the GREEN path because the tunnel is created between private IP addresses of the two MXs? Is there a way to tune/influence/verify this behavior?

Thanks

Hey @GianPaolo,

You can determine which uplink is preferred from the Security Appliance > Traffic Shaping page. 

There is a section called Flow preferences and under VPN traffic you can select your preferred path and the failover behaviour. 

You can find info on the routing behaviour of the MX here: https://documentation.meraki.com/MX-Z/Networks_and_Routing/MX_Routing_Behavior

Hope this helps!

Giacomo

Please keep in mind that what I post here is my personal knowledge and opinion. Don't take anything I say for the Holy Grail, but try and see!
Appreciate who helps and be respectful of every opinion and every solution offered.
Share the love, especially the Meraki one!

If an appliance is able to establish a tunnel using a private IP in addition to a public IP, the private IP tunnel will be preferred. So in your case, the blue tunnel will be prioritized over the green tunnel. Unfortunately there isn't any way to influence this decision besides adding some ACLs to the MPLS/Internet router.

Will it work even when Branch and HQ use different public IP addresses to reach the Meraki Cloud?

[screenshot: 2018-09-07_10h04_24.png]

Hey @GianPaolo,

The paragraph you posted is assuming that both sites in the MPLS are going to break out from a single internet link as per standard MPLS design; from the looks of your design, you seem to have 3 links at the branch, 2x direct internet and 1x MPLS with no WAN breakout. I have a feeling that this might not work as you expect by default, but I think with some routing manipulation and traffic preferences (e.g. push traffic destined to the Meraki cloud via the MPLS link) you might be able to achieve the result you want.

It may be a good idea to give a quick call to your sales rep; we have engineers that are dedicated to helping out with design advice, so it might be a good port of call for this.

Hope this helps!

Giacomo

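To make the two mechanisms discussed in this thread concrete (the replies by AdamB and Giacomo above), here is a small model of how the branch side would choose its tunnel endpoint. It is an added illustration, not Meraki's code or configuration, and it only encodes what the replies state: candidate hub addresses are looked up in the branch routing table by longest-prefix match, a tunnel to a private (RFC 1918) hub address is preferred over one to a public address, a more specific route can push a chosen destination prefix over the MPLS uplink, and an ACL on the MPLS or internet router is the only external lever for removing a candidate path. All addresses, the routing table, the uplink names `wan1_internet`/`wan2_mpls` and the `203.0.113.0/24` "cloud" prefix are constructed placeholders, not real Meraki cloud ranges.

```python
import ipaddress

# Constructed branch routing table for the topology in the thread (placeholder
# values, not a Meraki configuration): a default route via the direct internet
# uplink, the MPLS private range via the MPLS uplink and, as Giacomo's reply
# suggests, a more specific route steering a placeholder "cloud" prefix over MPLS.
BRANCH_ROUTES = [
    ("0.0.0.0/0", "wan1_internet"),
    ("10.0.0.0/8", "wan2_mpls"),
    ("203.0.113.0/24", "wan2_mpls"),   # placeholder prefix, not a real Meraki cloud range
]

# RFC 1918 ranges, used instead of ipaddress.is_private because the latter also
# flags the documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24)
# that this example uses as stand-ins for public addresses.
RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(address):
    """True when the address falls inside one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in RFC1918)


def lookup(destination, routes=BRANCH_ROUTES):
    """Longest-prefix-match lookup: the most specific route containing the
    destination wins, so a /24 for the cloud prefix beats the /0 default."""
    ip = ipaddress.ip_address(destination)
    best = None
    for prefix, link in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, link)
    if best is None:
        raise LookupError(f"no route to {destination}")
    return best[1]


def rank_tunnel_candidates(hub_addresses, routes=BRANCH_ROUTES, acl_deny=()):
    """Order the hub addresses the branch could tunnel to, best first.

    Mirrors the rule stated in the thread: a tunnel to a private address
    (reachable over MPLS) is preferred over a tunnel to a public address.
    acl_deny models an ACL on the MPLS/internet router: any candidate whose
    address falls inside a denied prefix is dropped from consideration.
    Returns (address, egress link, is_private) tuples.
    """
    denied = [ipaddress.ip_network(p) for p in acl_deny]
    ranked = []
    for address in hub_addresses:
        ip = ipaddress.ip_address(address)
        if any(ip in net for net in denied):
            continue   # path blocked by the router ACL
        ranked.append((address, lookup(address, routes), is_rfc1918(address)))
    # Private candidates first; sort is stable, so the given order breaks ties.
    ranked.sort(key=lambda candidate: not candidate[2])
    return ranked


if __name__ == "__main__":
    # Constructed hub endpoints: the MPLS-side interface IP and the public IP1.
    hub = ["198.51.100.10", "10.1.1.1"]
    for address, link, private in rank_tunnel_candidates(hub):
        print(f"{address:>15}  via {link:<14} private={private}")
    print("cloud placeholder 203.0.113.5 egresses via", lookup("203.0.113.5"))
    print("other internet 192.0.2.7 egresses via", lookup("192.0.2.7"))
    print("with MPLS ACL:", rank_tunnel_candidates(hub, acl_deny=["10.0.0.0/8"]))
```

Run as a script, it lists the private hub address over `wan2_mpls` first (the BLUE path in the diagram), shows that only the placeholder cloud prefix is pulled onto MPLS while other internet traffic keeps the default uplink, and shows that denying the private range with an ACL leaves only the public-address (GREEN) candidate, which is the sole external influence the replies describe.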