VPN over MPLS

SOLVED
Newbie99
Here to help

VPN over MPLS

Hi there!

One of our clients wants to buy a meraki MX for the offices. Their WAN connections are internet and MPLS (with no internet and relies only on the internet of each branches). Their questions are as follows:

1. Can meraki mx support sd-wan on these uplinks given that the MPLS has no internet and relies only on the internet of other branches?

2. Is it possible to segregate traffic like for example, only certain traffic must go to mpls and if the internet is down, that is the only time the mpls can be used for their internet connection connection to their branches' internet?

3. Is this solution possible? How can this be deployed?

 

Hope to have your help on this. Thank you

1 ACCEPTED SOLUTION

Hi,

 

You cannot use the MPLS link as a WAN connection if it doesn't have connectivity to the Internet at all as it relies on the Meraki cloud connectivity for the management traffic and SD-WAN basically requires the link to be connected to the WAN interface. You can integrate the MPLS however using the LAN port of the MX but it will not achieve your requirements:

 

https://documentation.meraki.com/MX/Networks_and_Routing/Integrating_an_MPLS_Connection_on_the_MX_LA...

 

 

Please hit kudos if you found this post helpful and/or click "accept as solution" if this solved your problem.

View solution in original post

16 REPLIES 16
Newbie99
Here to help

Please see the diagram for reference of the scenario. Just replace fortinet symbol with meraki MX.

IMG_20210302_074004.jpg

Hi,

 

You cannot use the MPLS link as a WAN connection if it doesn't have connectivity to the Internet at all as it relies on the Meraki cloud connectivity for the management traffic and SD-WAN basically requires the link to be connected to the WAN interface. You can integrate the MPLS however using the LAN port of the MX but it will not achieve your requirements:

 

https://documentation.meraki.com/MX/Networks_and_Routing/Integrating_an_MPLS_Connection_on_the_MX_LA...

 

 

Please hit kudos if you found this post helpful and/or click "accept as solution" if this solved your problem.

Thank you for your reply @DensyoV 

If we assign the MPLS connection on the LAN port of the MX, does it mean it can be used for a dedicated traffic like for example data transfer from one server to another?

Hi 

It depends on your routing configuration what destination subnets are reachable over the MPLS. It only supports static routing and source-based or policy-based routing is not supported so you cannot define what traffic or type of traffic can pass only over the MPLS link.

Please hit kudos if you found this post helpful and/or click "accept as solution" if this solved your problem.

Hi,

 

Is there any possible alternative to deploy MPLS on this scenario without a VPN concentrator as stated on the documentation? The client does not want to buy another MX just for this purpose.

Bruce
Kind of a big deal

If you don’t want to purchase a concentrator for the head-end then the only other option with the Meraki solution is to get a route to the internet from the MPLS network. This could be one that the MPLS service provider can provide and manage for you (it only needs to be small, and just needs a NAT for outbound traffic). The alternative is you can add yourself if the MPLS provider lets you inject a default route into MPLS network (obviously you then need to ensure the routing is correct and that it’s secure - similar to the concentrator model, but slightly different).

Thanks for your reply @Bruce 

I will recommend that to the client. Now, I think we will just deploy the MPLS on MX's LAN port. 

Hi @DensyoV ,

 

what if I point the branch MX to have internet over MPLS to the HQ. The setup will be hub-spoke, can the MPLS be used on the WAN port of the branch MX and the MPLS of the HQ is connected on the LAN port?

Bruce
Kind of a big deal

The MX only forms it’s AutoVPN tunnel on the WAN ports, so you won’t be able to get the SD-WAN working if you’re using a LAN port on the HQ MX.

cmr
Kind of a big deal
Kind of a big deal

@Newbie99 there are essentially only two options for SD_WAN over MPLS

 

  1. remote sites connect a WAN port to the MPLS and central site is in VPN concentrator mode
  2. remove sites connect a WAN port to the MPLS, central site connects a WAN port to the MPLS and MPLS has internet breakout.

This is because the Meraki datacentres need to see traffic from all of the WAN ports coming from the same public IP address to enable the forming of the SD-WAN connections using the private IP addresses.

 

Any deviation from this will lead to hair-pinning from one public IP address to another if it works at all.

Hi,

 

We have a new scenario. The branches including the HQ has to wan links available, internet and mpls(no internet). Can I know use this mpls on the wan port of Meraki without using a VPN concentrator?

cmr
Kind of a big deal
Kind of a big deal

@Newbie99 there has to be a way for the WAN ports of the MXs to get to the internet.  So with your MPLS it needs internet access either through the carrier or you'd need to out a device on it to provide internet access through an existing connection.

@cmr you mean even if I have a MX with two wan links, even if I have an internet/dsl on one of its link, the MPLS should have its own way to go out of the internet?

cmr
Kind of a big deal
Kind of a big deal

@Newbie99 yes, each WAN link needs internet access as far as I know.

@cmr  whatever means of internet connection? What if that mpls can go out of internet buy connecting to the HQ? Would that be possible right?

cmr
Kind of a big deal
Kind of a big deal

It can't go out through the MX at HQ if the MX WAN port is connected to the MPLS, you'd need it to be a LAN port.  However if it is a LAN port then Auto-VPN cannot form as that needs to be WAN port to WAN port.

 

Therefore you either need an MPLS with internet (this could be provided by having the MPLS terminated on an HQ L3 switch, the WAN port of the MX connected there along with another device that presents internet access to the MPLS) or you need the HQ MX in concentrator mode.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels