Third party VPN with redundant connectivity to SD-WAN

Pugmiester
Building a reputation


Hi all,

We're almost at the end of our EU wide SD-WAN rollout (only around 30 sites but still...) and as I'm sure anyone who's ever done this will know, with Meraki "it just works" 🙂

We have a remaining office site where, for current political reasons, we can't deploy any Meraki hardware to site. We are looking at a simple third party VPN link (probably using a locally sourced ASA) into a spare MX using the excellent reference article from Aaron Willette (https://www.willette.works/merging-meraki-vpns/), which we've already used to great success for an actual third party that needs access to an internal resource.

I'm hoping to build a pair of 3rd party VPN links so we don't have a single point of failure, but getting traffic flowing over the right VPN link seems like a challenge, as each of the corporate LAN MXs would publish the same static route into the SD-WAN pointing to their local 3rd party MX. I have a vague recollection that it's possible to do some element of traffic steering over the SD-WAN using the priority of the hubs that a spoke connects to, but I don't think that's possible between hubs.

Am I just overthinking the whole situation?

2 Replies
PhilipDAth
Kind of a big deal

Check out tag-based failover.

https://documentation.meraki.com/MX/Site-to-site_VPN/Tag-Based_IPsec_VPN_Failover 

However, have you considered putting an MX into that site, then plugging that into a port on the ASA (call that port something like WAN), and then pretending that the MX is a standard WAN router like you would get from a private MPLS provider? You could use the MX in VPN concentrator mode as well if you like.

For the remote party, tell them it's a WAN router.

Pugmiester
Building a reputation

Thanks Philip, will take a look. I'm sure I'm just overthinking the problem.

The eventual plan, once Meraki figure out the legal minefield, is to hook them up with an HA pair of MXs like every other site we have in EMEA, but for the foreseeable future we cannot legally deploy any Meraki hardware to the country at all, so we're stuck with whatever we can legally purchase in country, hoping it can support a reasonable security level, and trying to connect that back to civilisation as best we can.
