Some of the replies here seem to be correct, and I finally had the chance to do this on a live network, and can confirm it does work, with some prerequisites.

1) One site must have Internet access; for us, this is the "Head Office" or "Main Site". It could be your DC or whatever. Connect this to WAN1 (or WAN2 as needed).
2) The MPLS connection will be on the LAN side of your head office/main site. Add static routes as needed, so your head office knows to use the MPLS connection.
3) Your remote office will connect the MPLS to WAN1 (or WAN2), and if you have a backup Internet connection, connect it to WAN2.
4) Use site-to-site AutoVPN.
5) Set your traffic preferences to use the MPLS (or split however desired).

In my case, my MPLS doesn't have an Internet connection, so it took some discussion with Meraki Support to accept that this happens in the real world. I also didn't want to buy another MX just for VPN; I already had a perfectly working MX acting as my Internet gateway/router. Also, I wanted the Internet on WAN ports, and also the MPLS on remote sites on WAN ports. Finally, I wanted automatic failover from MPLS to Internet without any manual intervention.

My understanding is that the remote site has "two Internet connections": one is the backup Internet on WAN2, the other is via the MPLS to head office, and then out the Internet connection there. The reason this magically works is because Meraki "sees" the AutoVPN from the remote office WAN1 and the head office as having the SAME IP address, so it shares the internal IPs with both of them, and they then set up the VPN directly, and thus it works.

If you want more details, let me know, and I can add in some more IP address examples, and try to expand on the description. I'm hoping to roll this out for another customer shortly. My plan is that all remote sites would have a second Internet connection on WAN2 (4G mobile), with MPLS on WAN1.
Hi, I've battled with this issue in the past, and am about to do so again, so I wanted to check if I'm doing it the "right" way. I have a multi-site client with an MX at each site, and a single MPLS connection at each site, that will route all traffic back to HQ. At HQ, the MX has an Internet connection on WAN1 and the MPLS connection on a LAN port with static routes. At the branch, the MPLS connection connects to a Cisco router, which then splits the /24 into a /25 and a /29. The /29 is connected to the MX WAN as an Internet connection, and the /25 is connected to the MX LAN with static routes. All that means that we need an additional Cisco router, or a layer 3 switch with VLANs, but at least it works. I want to reduce that to simply connecting the MX directly to the MPLS, preferably on the WAN, and allow it to get Internet access and route private IP address space. I think the issues with this are:

1) The MX will NAT the private IP addresses, instead of just routing them and letting the HQ MX do NAT at the Internet gateway.
2) The MX requires a working Internet connection on all WAN ports (ping to 220.127.116.11 at a minimum).

What do others do? Is this functionality better in firmware 13/14?