I'm preparing an SD-WAN PoC for a customer and there's a question about the design that is still missing an answer; maybe somebody can help.
The network topology is in the diagram below. The site has two links, one Internet connection and one MPLS link to HQ with local Internet breakout.
The plan is to use SD-WAN on the two WAN connections, using data path BLUE (MPLS) and RED (INTERNET).
Based on the AutoVPN documentation, when the public IP is not the same (IP1 and IP3 in the diagram) the VPN will be formed between the public IP addresses and not using the private IPs reachable through the MPLS link:
So the traffic path would be RED and GREEN instead of the desired RED and BLUE.
Is that assumption correct? If that's the case, is there a way to force the use of link BLUE instead of GREEN for the VPN?
Meraki doesn't currently have support for the exact topology you're trying to build. They offer a slightly different version; details can be found here:
I suspect one day soon this may change...
Your MX HUB is going to attempt to reach the MX BRANCH appliance with any address that it is reachable at, including both the interface IP and the public IP reachable at the ISP2 router. So yes, your appliances can establish tunnels on both the blue and red paths, and this will happen automatically.
Thanks for the answer. I suspected that was the case, similar to what happens with remote access points when an SSID is bridged to an MX appliance.
Will the BLUE path be preferred over the GREEN path because the tunnel is created between private IP addresses of the two MXs? Is there a way to tune/influence/verify this behavior?
You can determine which uplink is preferred from the Security Appliance > Traffic Shaping page.
There is a section called Flow preferences and under VPN traffic you can select your preferred path and the failover behaviour.
You can find info on the routing behaviour of the MX here: https://documentation.meraki.com/MX-Z/Networks_and_Routing/MX_Routing_Behavior
Hope this helps!
If an appliance is able to establish a tunnel using a private IP in addition to a public IP, the private IP tunnel will be preferred. So in your case, the blue tunnel will be prioritized over the green tunnel. Unfortunately there isn't any way to influence this decision besides adding some ACLs to the MPLS/Internet router.
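To sanity-check a design against the rule stated in this reply (a tunnel over a private address wins over one over a public address, with the other candidate left as failover), here is a small model added as an example. It is not Meraki code and does not query an MX; it only applies the stated preference to a constructed list of candidate peer addresses, treating RFC 1918 addresses as the "private" ones (an assumption for the purpose of the model).

```python
import ipaddress
from dataclasses import dataclass

# RFC 1918 ranges: a peer address inside these is assumed to be reachable
# only over a private path such as the MPLS link (BLUE in the diagram).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Candidate:
    path: str      # diagram colour: "BLUE" (MPLS) or "GREEN" (Internet)
    address: str   # address at which the remote MX can be reached


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def rank_candidates(candidates):
    """Order candidate tunnels: private-address tunnels first (the rule
    stated in the reply above); otherwise keep the given order."""
    return sorted(candidates, key=lambda c: 0 if is_rfc1918(c.address) else 1)


def preferred_path(candidates, reachable=None):
    """Path the VPN is expected to use. `reachable` (optional) is the set of
    peer addresses currently reachable; when the preferred address is down
    the next candidate is used, i.e. BLUE fails over to GREEN."""
    for c in rank_candidates(candidates):
        if reachable is None or c.address in reachable:
            return c.path
    return None


# Constructed example of the addresses the hub could reach the branch MX at.
BRANCH_CANDIDATES = [
    Candidate("GREEN", "203.0.113.10"),  # constructed public address (IP3, behind ISP2)
    Candidate("BLUE", "10.20.0.2"),      # constructed private address on the MPLS side
]

if __name__ == "__main__":
    print([c.path for c in rank_candidates(BRANCH_CANDIDATES)])          # ['BLUE', 'GREEN']
    print(preferred_path(BRANCH_CANDIDATES, reachable={"203.0.113.10"}))  # GREEN
```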
Will it work even when Branch and HQ use different public IP addresses to reach the Meraki Cloud?
The paragraph you posted is assuming that both sites in the MPLS are going to break out from a single Internet link as per standard MPLS design; from the looks of your design, you seem to have 3 links at the branch, 2x direct Internet and 1x MPLS with no WAN breakout. I have a feeling that this might not work as you expect it by default, but I think with some routing manipulation and traffic preferences (e.g. push traffic destined to the Meraki cloud via the MPLS link) you might be able to achieve the result you want.
It may be a good idea to give a quick call to your sales rep; we have engineers that are dedicated to helping out with design advice, so it might be a good port of call for this.
Hope this helps!