Supported Design? - Layer 2 service on MX WAN interfaces with auto VPN?

h1dden87

See attached. Trying to determine if this would be a supported configuration. No local internet at remote sites. Client would like branch to branch encryption and w/ auto VPN we could failover between primary and backup hubs. I've not been able to find any documentation on how MX handles non-internet links connected to WAN interfaces at the HUB. Can we just enable No NAT across all the non-internet links and create inbound allow rules? Would the MX even try to establish VPNs on the non-internet connected link?

 

Screenshot 2025-12-03 130026.png

alemabrahao

It won't work; MX needs an internet connection.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
PhilipDAth

No. These are the two supported topologies:

https://documentation.meraki.com/SASE_and_SD-WAN/MX/Design_and_Configure/Deployment_Guides/MPLS_Fail...

 

https://documentation.meraki.com/SASE_and_SD-WAN/MX/Design_and_Configure/Configuration_Guides/Site-t...

 

At a minimum, you would need to modify the design so that the ELAN is connected directly to the Internet.
