SD-WAN with 3rd party VPN as default route?

Ben-Graves
Conversationalist

Hi all,

I've been working to assist in deploying a Meraki SD-WAN solution for a company. I've had a lot of success with SD-WAN at previous companies, but I'm running into a new issue currently and would love some advice/recommendations if possible.

The company currently has an MPLS connection and wants to add a direct internet access circuit and leverage the MX SD-WAN capability.

The plan was to have internet-bound traffic go out the direct internet access interface and MPLS/datacenter traffic go out that interface, as a simple way to start.

When the DIA circuit fails or goes down, all traffic should transit the MPLS circuit until it is restored.

An additional requirement was later added: all internet-bound traffic must connect out to a security service like Prisma/Umbrella via a VPN tunnel to be inspected first, then go out to the internet.

This would require some basic routing to tell traffic where to go (mainly the datacenter > MPLS traffic), and a default route on the Meraki pointing to the third-party VPN, to force that traffic through the tunnel to the security provider.

The issue we are running into seems to be related to how the traffic would fail over when the DIA uplink goes down.

What we've been told by our Cisco Meraki resources is that the Meraki would not automatically fail that default route/traffic over to the MPLS uplink, as it is pointed at a third-party VPN tunnel.

We were told that we would have to leverage an API to implement an IP SLA in order to automatically fail over the traffic.

Would love to know if anyone else has run into this and has any recommendations or ideas.

Is this a realistic solution? I don't think our team currently has the API skills necessary to implement this unless there is a step-by-step guide for creation/maintenance.

Any insight or advice would be greatly appreciated!

Thanks!

1 Reply
jdsilva
Kind of a big deal

Hey @Ben-Graves,

There is an example script published by Meraki that does something close to this:

https://documentation.meraki.com/MX/Site-to-site_VPN/Tag-Based_IPsec_VPN_Failover

You'd need to adapt that for your needs, and then host it somewhere.

I haven't personally had to deal with this exact situation, but in thinking about it, if you connected the second WAN port to the MPLS and did your SD-WAN as this document describes:

https://documentation.meraki.com/MX/Site-to-site_VPN/Configuring_Site-to-site_VPN_over_MPLS

you should also have a secondary path for the Non-Meraki VPN through the DC. The security provider would need to be set up to allow the tunnel from an alternate IP address (i.e. the public range at the DC), but I *think* that should actually work. Could be worth trying anyway.
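The approach jdsilva links is tag-based: the non-Meraki VPN peer is scoped to a network tag, and a script adds or removes that tag from the network depending on uplink health, so the default route into the inspection tunnel only exists while the DIA uplink is actually up. The script below is an added example written for this thread, not Meraki's published script. It assumes Dashboard API v1 endpoints as I understand them (`GET /organizations/{organizationId}/appliance/uplink/statuses`, `GET`/`PUT /networks/{networkId}`; check them against the current API reference), a third-party peer whose `networkTags` is `["dia-vpn"]` (an assumed tag name), DIA on WAN1 with MPLS on WAN2, and a constructed offline stand-in for the API so it runs without credentials.

```python
"""Tag-based third-party VPN failover monitor (added example, not Meraki's script).
Assumes the non-Meraki VPN peer in Dashboard is scoped with networkTags: ["dia-vpn"]."""
import json
import os
import urllib.request
from typing import Callable, Dict, List, Optional

BASE_URL = "https://api.meraki.com/api/v1"
VPN_TAG = "dia-vpn"       # assumed tag name, matching the peer's networkTags
DIA_INTERFACE = "wan1"    # assumed: DIA on WAN1, MPLS on WAN2
FAIL_THRESHOLD = 3        # consecutive non-active polls before the tag is detached


def meraki_http(method: str, path: str, body: Optional[dict] = None) -> object:
    """Dashboard API call with the standard library only; key read from MERAKI_API_KEY."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(BASE_URL + path, data=data, method=method, headers={
        "X-Cisco-Meraki-API-Key": os.environ["MERAKI_API_KEY"],
        "Content-Type": "application/json",
        "Accept": "application/json",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read() or b"null")


def dia_is_up(device_status: dict) -> bool:
    """True only when the DIA uplink reports 'active'; 'ready', 'failed' and
    'not connected' all count as down for the purpose of the default route."""
    for uplink in device_status.get("uplinks", []):
        if uplink.get("interface") == DIA_INTERFACE:
            return uplink.get("status") == "active"
    return False


def desired_tags(current: List[str], attach_vpn: bool) -> List[str]:
    """Pure decision step: VPN_TAG is present exactly when attach_vpn; other tags untouched."""
    without = [t for t in current if t != VPN_TAG]
    return without + [VPN_TAG] if attach_vpn else without


class FailoverMonitor:
    """Polls uplink status and edits network tags; per-network counters add hysteresis."""

    def __init__(self, org_id: str, http: Callable = meraki_http) -> None:
        self.org_id = org_id
        self.http = http
        self.fail_counts: Dict[str, int] = {}

    def poll_once(self) -> Dict[str, List[str]]:
        """One pass over every MX in the org; returns {networkId: new tags} for changes made."""
        changed: Dict[str, List[str]] = {}
        statuses = self.http("GET", f"/organizations/{self.org_id}/appliance/uplink/statuses")
        for dev in statuses:
            net_id = dev["networkId"]
            up = dia_is_up(dev)
            self.fail_counts[net_id] = 0 if up else self.fail_counts.get(net_id, 0) + 1
            # Detach only after FAIL_THRESHOLD consecutive bad polls; re-attach on the first good one.
            attach = up or self.fail_counts[net_id] < FAIL_THRESHOLD
            current = self.http("GET", f"/networks/{net_id}").get("tags", [])
            wanted = desired_tags(current, attach)
            if wanted != current:
                self.http("PUT", f"/networks/{net_id}", {"tags": wanted})
                changed[net_id] = wanted
        return changed


# --- constructed offline stand-in for the Dashboard API (sample data, not real output) ---
def make_fake_api(initial_tags: List[str]) -> tuple:
    state = {"wan1": "active", "tags": list(initial_tags)}

    def fake_http(method: str, path: str, body: Optional[dict] = None) -> object:
        if path.endswith("/appliance/uplink/statuses"):
            return [{"networkId": "N_branch1", "serial": "QXXX-XXXX-XXXX",
                     "uplinks": [{"interface": "wan1", "status": state["wan1"]},
                                 {"interface": "wan2", "status": "ready"}]}]
        if method == "GET":
            return {"id": "N_branch1", "tags": list(state["tags"])}
        state["tags"] = list(body["tags"])  # PUT /networks/{id}
        return {"id": "N_branch1", "tags": state["tags"]}

    return fake_http, state


def simulate_dia_outage() -> List[Dict[str, List[str]]]:
    """DIA fails for four polls, then recovers; returns what each poll changed."""
    http, state = make_fake_api(["branch", VPN_TAG])
    monitor = FailoverMonitor("O_example", http=http)
    results = []
    state["wan1"] = "failed"
    for _ in range(4):
        results.append(monitor.poll_once())
    state["wan1"] = "active"
    results.append(monitor.poll_once())
    return results


if __name__ == "__main__":
    for i, change in enumerate(simulate_dia_outage(), 1):
        print(f"poll {i}: {change or 'no change'}")
```

Two things worth deciding before running something like this for real. First, it fails open: once the tag is detached, internet-bound traffic leaves via MPLS and the DC without passing the inspection service, unless the DC has its own tunnel to the provider (jdsilva's second suggestion); if the requirement is that inspection never be bypassed, the script should instead leave the tag in place and alert. Second, every tag change is a configuration change made with a read/write API key, so keep the key out of the script (the example reads it from an environment variable) and log each change with the uplink status that triggered it, so an unexpected flip can be traced.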

 
