VPN

mscotto

Hey guys, I have a complex network question I was hoping someone here can help with. Right now we have two MX250s in routed mode which go downstream to our cores, then down to our L2 access switches. I have a site-to-site VPN running on the MX250 (non-Meraki tunnel) and it works great; however, I want to create another one to another VPC in AWS but do not have enough ports. What I do have is a "breakout load balancer" switch upstream, which basically each ISP goes into in order to load-balance WAN1 and WAN2.

My question is, can I put a spare MX100 firewall upstream from the breakout switch and just put it in VPN concentrator mode to tunnel over both VPNs? The issue I believe I may have is how I would get the one private subnet that needs to route through the VPN, which sits at my core router, so it would have to go downstream to the breakout, then down to the routed-mode firewall, then down to the core. Would I need to use any of the 1:1 NAT features the firewall has for any of this? Thanks!

Bruce

Not really sure what your network architecture looks like; it’s a bit hard to follow. But why wouldn’t you just create another non-Meraki site-to-site peer on the existing MX for the AWS connection?


If you’re trying to do two separate VPN connections into AWS, then it might actually be worth looking at your VPC design and introducing a transit VPC that acts as a bridgehead, so you still have just the one VPN to AWS and then forward traffic from there. It might also be worth considering the vMX.


Also, it’s hard to understand what the “breakout load balancer” is. Is this just load-balancing between WAN1 and WAN2 on the same MX? If so, then that’s an ‘interesting’ configuration. If the load balancer is being used to ‘split’ the connection between an active and standby unit in an HA pair, then I understand.
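As an added example (not code from the thread, from Cisco Meraki, or from AWS) of what the reply's first suggestion looks like when done through the Meraki Dashboard API rather than the GUI: the script below takes the peer list already on the organization, appends a new AWS VPC peer, and refuses the change if the new peer reuses a name or public IP or if its private subnets overlap another peer's. The overlap check matters because the MX picks a non-Meraki tunnel by destination subnet, so overlapping prefixes across peers make that selection ambiguous. The peer names, IPs, subnets and secrets are constructed placeholders; the payload shape (`name`, `publicIp`, `privateSubnets`, `secret`, `ipsecPoliciesPreset`, `networkTags`) follows the v1 endpoint `PUT /organizations/{organizationId}/appliance/vpn/thirdPartyVPNPeers` as I understand it from the API documentation, and should be checked against the current docs before use. One caveat a practitioner would want: that PUT replaces the entire peer list, which is why the existing peers are merged in rather than only the new one being sent, and an AWS site-to-site VPN exposes two tunnel endpoints per connection while the example configures one of them as a single peer.

```python
"""Build and validate the non-Meraki (third-party) VPN peer list for a Meraki
organization, adding an AWS VPC peer next to an existing peer.

Added example, not from the original thread. Names, addresses, subnets and
secrets are constructed placeholders. Field names follow the Dashboard API v1
thirdPartyVPNPeers endpoint as documented; verify before use. The PUT replaces
the whole list, so existing peers are re-sent together with the new one.
"""
import ipaddress
import json
import os
import urllib.request

# Constructed sample: the peer that already exists on the MX250 pair.
EXISTING_PEERS = [
    {
        "name": "dc-partner",            # placeholder name
        "publicIp": "203.0.113.10",      # documentation address (TEST-NET-3)
        "privateSubnets": ["10.50.0.0/16"],
        "secret": "replace-me-existing",
        "ipsecPoliciesPreset": "default",
        "networkTags": ["all"],
    }
]

# Constructed sample: the new AWS VPC peer (one AWS tunnel endpoint, VPC CIDR).
AWS_PEER = {
    "name": "aws-vpc-prod",
    "publicIp": "198.51.100.20",         # documentation address (TEST-NET-2)
    "privateSubnets": ["172.31.0.0/16"],
    "secret": "replace-me-aws",
    "ipsecPoliciesPreset": "aws",
    "networkTags": ["all"],
}


def find_overlaps(peers):
    """Return (peer_a, peer_b, subnet_a, subnet_b) for every pair of private
    subnets on *different* peers that overlap. Overlaps make tunnel selection
    by destination subnet ambiguous on the MX."""
    nets = []
    for p in peers:
        for s in p["privateSubnets"]:
            # strict=True rejects host bits set in the prefix (e.g. 10.1.1.5/24)
            nets.append((p["name"], ipaddress.ip_network(s, strict=True)))
    overlaps = []
    for i, (name_a, net_a) in enumerate(nets):
        for name_b, net_b in nets[i + 1:]:
            if name_a != name_b and net_a.overlaps(net_b):
                overlaps.append((name_a, name_b, str(net_a), str(net_b)))
    return overlaps


def merge_peers(existing, new_peer):
    """Return existing + new_peer as a new list, rejecting duplicate names,
    duplicate public IPs, and overlapping private subnets."""
    for p in existing:
        if p["name"] == new_peer["name"]:
            raise ValueError(f"peer name already in use: {new_peer['name']}")
        if p["publicIp"] == new_peer["publicIp"]:
            raise ValueError(f"public IP already in use: {new_peer['publicIp']}")
    merged = [dict(p) for p in existing] + [dict(new_peer)]
    overlaps = find_overlaps(merged)
    if overlaps:
        raise ValueError(f"overlapping private subnets across peers: {overlaps}")
    return merged


def build_payload(peers):
    """Request body for the PUT: the complete peer list, not a delta."""
    return {"peers": peers}


def push_peers(org_id, api_key, payload):
    """Send the full list to the Dashboard API. Needs network access and real
    credentials, so it is only called when both are supplied via environment."""
    url = (f"https://api.meraki.com/api/v1/organizations/{org_id}"
           "/appliance/vpn/thirdPartyVPNPeers")
    req = urllib.request.Request(
        url, method="PUT", data=json.dumps(payload).encode(),
        headers={"X-Cisco-Meraki-API-Key": api_key,
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    merged = merge_peers(EXISTING_PEERS, AWS_PEER)
    print(json.dumps(build_payload(merged), indent=2))
    org_id, api_key = os.environ.get("MERAKI_ORG_ID"), os.environ.get("MERAKI_API_KEY")
    if org_id and api_key:
        print(push_peers(org_id, api_key, build_payload(merged)))
```

Run it with no environment variables to see the payload it would send; set `MERAKI_ORG_ID` and `MERAKI_API_KEY` only once the printed list contains every peer you expect to keep, since anything missing from it is removed by the PUT. In the original poster's setup the existing-peer list would come from a GET on the same endpoint rather than the constructed `EXISTING_PEERS`.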
