Meraki

Devaul

Did you use a L3 switch dedicated to the Meraki traffic and nothing else on it?

Devaul

Each DC has unique IP addressing

Devaul

Hello all, Our HQ and primary DC is in NY. The secondary DC which is partially a DR site but also has some active services is in NC. We have branches in NY, NC, and SC connected to our DCs through metro-e connections. Currently, with our ISR routers, NY branches connect to the NY DC, while NC and SC connect to the NC DC. All branches also have cellular gateways as a backup connection. Below is how i currently have things hooked up in my lab phase. The Metro-E is any to any so the 2 DCs can potentially communicate through it and branches can potentially communicate directly with both DCs. I say potentially because in our current build pre-Meraki, that's not how it's set up. You'll notice there's 2 more connections between DCs but my goal would be for everything branch related to stay on Metro-E until they reach the DC that whatever service is at. Meaning, I would prefer a NC branch doesn't send traffic to the NC DC to then ride the p2p to NY and instead send traffic to the NY Hub, unless the NY Hub is down, then it would come into NC and traverse the datacenter p2p. Note: We currently plan for traffic to stay on Metro-E unless a branch needs to connect through their Cellular backup. The MX105's are getting internet access through the default gateway on the L3 switch. I believe my main questions at this point are: Is it better to be using One-arm Concentrator or Routed mode for this? I started with Routed mode and then just switched to VPNC after reading about dc-dc failovers. Now i'm believing I don't actually want DC-DC failover because I don't need any local networks to failover between DCs. I just need traffic to reroute. Would either method have limitations in my scenario? Note: even if i were doing Routed mode, i still need the L3 switch in NY due to the HA pair of MX105s. Why would my cellular backups at the branches be able to form a VPN with the HUBs in routed mode but not VPNC? Something to do w/ auto-NAT maybe? Is it going to be possible to have branches form connections to both HUBs and send traffic to each? Can the 2 HUBs send traffic to each other which essentially means there's a third connection between my datacenters?

Devaul · ‎Oct 4 2024

How are you routing the different VLANs? Static or Dynamic? I planned on having everything on the L3 switch on the same VLAN so there's no routing needed between the interfaces. I'm doing Routed mode though not concentrator.

Devaul · ‎Oct 3 2024

The way I got it working in my lab environment is through a VRF on our Cat9500 core switch. I'll eventually add a connection from the firewall into that VRF as the default gateway but right now I'm route leaking it to the default gateway on the 9500's main routing table. Then the LAN connects back to the 9500 on a different VLAN. It's working great until I cut the internet access. Even though I have my 2 test MX's set to test connectivity to the gateway of the VLAN they are on, the VPN still drops after a couple minutes. I don't get why it would drop the VPN if it's passing the connectivity test. So even though I have Internet and Metro-E, it seems that the internet going down will cause both to go down even though metro-e connectivity is good. I don't really understand the one arm concentrator mode. Maybe it wouldn't be the case with that?

Devaul · ‎Oct 2 2024

We currently only have one internet connection. We figured that would be the backup connection to the Metro-E. Would that internet going down also cause the Metro-E to drop it's VPN since it can't talk to the dashboard? Effectively making our internet a single point of failure.

Devaul · ‎Sep 30 2024

Is it possible to establish a vpn over a direct connected Metro-E connection between two MX devices without adding routers or L3 switches into the mix? We bought Meraki devices for all of our branches because we were told it'd work and now that I'm in the thick of it. It's looking like a no. If we did use a L3 switch at the hub and put all of the MX interfaces on the same network with that switch as the gateway, then we could share the default route over the Metro-E to give the branches internet access but wouldn't that basically make traffic able to flow over those Metro-E connections outside of the VPN? We cannot have that. We were also looking at trying non-meraki Peer VPNs as a cutover strategy from our ISR routers at the branches but it's looking like that's not possible either since the WAN interface on the Meraki still needs a gateway and there isn't one without that L3 switch.

Meraki

Community

About Devaul

Devaul

Community Record

Badges

Re: VPN over a direct Metro-E connection possible?

Re: Guidance needed on how to best make this system work best with active-a...

Guidance needed on how to best make this system work best with active-activ...

Re: VPN over a direct Metro-E connection possible?

Re: VPN over a direct Metro-E connection possible?

Re: VPN over a direct Metro-E connection possible?

VPN over a direct Metro-E connection possible?