firmware 13.28 support auto-vpn on LAN port?

SOLVED
PresITsupport
Here to help

firmware 13.28 support auto-vpn on LAN port?

I saw a release note under 13.3 that it now supports Auto-VPN on MX LAN port.

Has anyone using this feature?

 

I could not find any documentation on this.

 

Does this mean a branch MX connects MPLS/Metro-E on WAN port pointing Hub MX as gateway, then Hub Metro-E uses LAN port?

I am trying to figure out what they meant by support Auto-VPN on MX LAN port.

1 ACCEPTED SOLUTION
DCooper
Meraki Alumni (Retired)
Meraki Alumni (Retired)

@PresITsupportYour correct.

 

 

To elaborate on this comment "WAN 2 would be active like the documentation you linked" as it pertains to VPN SA's being established it is always Active/Active. Tunnels are built by default at all times on all links, however, I assumed you meant Active/Passive in the sense of actually sending flows down the the tunnel tied to WAN2. Your probably only failing over the flows if there is a hard or soft failure on the VPNSA/WAN1 link, which is the most common basic setup I see.

 

View solution in original post

8 REPLIES 8
PhilipDAth
Kind of a big deal
Kind of a big deal

I can not find any such release note.  Under what version does this release note appear?

Under 13.3 release note

I see it now.  You might have to open a support ticket to get some more info on that one.  Let us know the outcome.

DCooper
Meraki Alumni (Retired)
Meraki Alumni (Retired)

Punch tunnel through the LAN interface has some specific use cases. MX in NAT mode can now accept AutoVPN tunnels from other Mx's.

 

Use Case:

If you had an MX at your HQ and that the default route was to your MPLS Cloud back out the LAN interface. Remote site MX's trying to VPN would use the interface IP of the HQ MX (as per https://documentation.meraki.com/MX-Z/Site-to-site_VPN/Configuring_Site-to-site_VPN_over_MPLS), which means at the HQ MX traffic would ingress through the MX inside LAN to the outside interface where the tunnel was terminated just to egress back out the LAN port.

 

This feature was introduced in all v.13 code and the change means that in this specific use case, the HQ MX will listen and form punch Tunnel VPN connections on it's LAN interfaces. Stay tuned for more documentation on this feature.

 

So, a branch would connect Metro-E/MPLS connection on WAN port and set gateway to HQ MX metro-E/mpls ip address. And on HQ MX on NAT mode connects Metro-E/MPLS on one of LAN port to create auto-vpn? I assume this needs to be on Hub-Spoke vpn setup with HQ being the hub.

If a branch has an ISP connection on WAN 2, we will be setting it up with active standby where WAN 2 would be active like the documentation you linked.

 

Previously on version 12.26, when I tried to attempt this, Branch's WAN1 was not forming VPN on HQ MX. I am guessing because HQ MX had connection on LAN port. Branch recognized WAN2 as only available vpn link despite vpn preference setting.

 

Am I correct?

DCooper
Meraki Alumni (Retired)
Meraki Alumni (Retired)

@PresITsupportYour correct.

 

 

To elaborate on this comment "WAN 2 would be active like the documentation you linked" as it pertains to VPN SA's being established it is always Active/Active. Tunnels are built by default at all times on all links, however, I assumed you meant Active/Passive in the sense of actually sending flows down the the tunnel tied to WAN2. Your probably only failing over the flows if there is a hard or soft failure on the VPNSA/WAN1 link, which is the most common basic setup I see.

 

@DCooper It worked but I do have additional questions.

(Both MX on NAT mode)

I set it up to where Branch has WAN1 connected to ISP, WAN2 connected to Metro-E with static IP that sets gateway to HQ's Metro-E Static IP. I set DNS as 8.8.8.8 and HQ MX IP.

 

On HQ side, I connected Metro-E directly to LAN5 port with vlan XXX 

(I didn't have to tag vlan on Branch's WAN2 port. It did not form VPN when I setup vlan tag with XXX.)

 

I had to take off a static IP route I had for Branch office on HQ side to form VPN with Branch office.

 

Branch office has primary uplink set as WAN 2 (metro-E) with disabled load balancing. I did setup preferred uplink with TCP Any to ANY to WAN1, so all internet traffic will override primary uplink.

 

On VPN status>Uplink decisions:

Majority of my VPNs are using WAN 1 with reason: "Performance-based" I do see some WAN2 with reason "Primary Uplink".

I did not setup any performance class under traffic shaping.

 

So, here's my question:

1. What is the determine factor for reason "Performance-based"?

2. It looks like I setup this setting pretty accurately. Did I miss anything?

 

I am hoping with this setup that I can have failover for both WAN and Metro-E traffic. Previously we were only able to have Metro-E failover.

 

By the way, @PhilipDAth This is what I came up with it.

All the reference examples talk about MX. Can this be achieved via Z3 as well ?

 

for e.g., setup as follows :

 

site 1 : mx64. Internet link on wan1 and metroE on wan2

 

site 2 : z3, Internet link on wan and metroE on lan4

 

can site 1 establish two tunnels to site 2, one each over Internet wan and metro E ?

 

i want to achieve load balancing.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels