MX250 in Pass through mode behaviour

IotaNetworks
Here to help

I am looking to understand the traffic flow behaviour when the MX250 at the hub location is set to passthrough mode; below is my scenario.


Branch-client1---MX64(spoke)---------internet----- FW at hub-----MX250(hub)

FWat hub -----DC router ---DC-server1

 

Now the spoke has a default route to the MX250 hub, and the hub MX is set to passthrough mode and has an Auto-VPN tunnel to the spoke. Since all the documentation claims that in passthrough mode all the traffic is just L2 bridged, I want to understand, if the traffic from Branch-client1 is sent to the destination DC-server1, I assume the flow would be:

 

1. Branchclient-1 to MX64 to MX250

2. Now does the MX250 send all traffic to the FW, which is the default gateway of the WAN interface for the MX250? Or does it only try to send it over the LAN ports? Please note I have no connection from a LAN port to the DC router.

 

4 Replies
BrechtSchamp
Kind of a big deal

Have you seen this page: https://documentation.meraki.com/MX/Deployment_Guides/VPN_Concentrator_Deployment_Guide

 

Have a look at Appendix 1:

It is important to understand the flow of traffic sent across an AutoVPN tunnel while the MX is acting as a one-armed concentrator. In the following scenario we have a host at a branch location trying to load a webpage located in the datacenter, over the site-to-site VPN.

 

  1. The client sends traffic to the private address of the web server to its default gateway, the MX (in Routed mode) at the branch location.

  2. The branch MX will look at its routing table and see that the destination IP address is contained within a subnet that is accessible over the Meraki AutoVPN.

  3. The branch MX encrypts and encapsulates the data from the client and sends a packet source from its WAN interface, destined for the public IP address and port of the one-armed concentrator at the datacenter that was learned through the VPN registry.

  4. This traffic is routed across the Internet to the edge of the datacenter.

  5. The edge of the datacenter will NAT the traffic into a private address and send the traffic to the IP address of the one-armed concentrator.

  6. The traffic will traverse the network internal to the datacenter and arrive at the one-armed concentrator. The MX will then decrypt and de-encapsulate the traffic and forward the original packet (sent by the client from the branch) upstream.

  7. The upstream datacenter infrastructure routes traffic to the server.

  8. The server receives the client traffic and sends a response to the client.

  9. The response is then routed back through the internal datacenter network to the MX acting as a one-armed concentrator.

  10. Upon receiving this response, the one-armed concentrator sees that the destination IP address is contained within a subnet that is accessible over the site-to-site VPN, looks up the contact information for the corresponding AutoVPN peer, encapsulates and encrypts the data, and sends the response on the wire.

  11. The response, destined for the public IP and AutoVPN port of the branch MX, is then routed through the datacenter and NAT’ed out to the Internet.

  12. The packet is then routed through the Internet to the branch MX.

  13. The Branch MX receives the response, decrypts, de-encapsulates, and forwards the server's response downstream.

  14. The response then traverses the internal branch network and is received by the client device.
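The fourteen steps quoted above, as an added simulation that is not Meraki's code or anything posted in this thread: it models the branch MX, the DC edge NAT and the one-armed concentrator as forwarding decisions and traces a request and its response through them. All addresses, subnets and registry contents are constructed for the example. It also shows the point the original question asks about: the concentrator, after decapsulating, forwards the original packet upstream on the same single interface it received the tunnel on (as cmr's reply below describes), not out a LAN port.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed example addresses (RFC 5737 ranges for the "public" side).
BRANCH_LAN = ip_network("10.10.0.0/24")        # behind the spoke MX
DC_LAN = ip_network("10.20.0.0/24")            # the datacenter server subnet
CLIENT = "10.10.0.50"
SERVER = "10.20.0.80"
BRANCH_MX_WAN = "198.51.100.10"                # spoke public IP
DC_EDGE_PUBLIC = "203.0.113.5"                 # DC edge firewall public IP
CONCENTRATOR_WAN = "10.20.250.2"               # concentrator's single (WAN) port, private


@dataclass
class Packet:
    src: str
    dst: str
    payload: str
    inner: "Packet | None" = None   # set when this packet is an AutoVPN envelope


# What each MX learned from the VPN registry (constructed): the peer's public
# address and the subnets reachable through the tunnel.
REGISTRY = {
    "branch": {"peer": DC_EDGE_PUBLIC, "vpn_subnets": [DC_LAN]},
    "hub": {"peer": BRANCH_MX_WAN, "vpn_subnets": [BRANCH_LAN]},
}


def in_vpn(ip: str, subnets) -> bool:
    return any(ip_address(ip) in net for net in subnets)


def mx_forward(role: str, own_wan: str, pkt: Packet, trace: list) -> Packet:
    """One MX forwarding decision.
    - an envelope addressed to this MX is decrypted/decapsulated and the
      inner packet is then forwarded like any other;
    - a destination inside an AutoVPN subnet is encapsulated toward the peer;
    - anything else is forwarded plain: the spoke sends it to its LAN, the
      one-armed hub sends it upstream out the same single interface."""
    entry = REGISTRY[role]
    if pkt.inner is not None and pkt.dst == own_wan:
        trace.append(f"{role}: decapsulate envelope from {pkt.src}")
        return mx_forward(role, own_wan, pkt.inner, trace)
    if in_vpn(pkt.dst, entry["vpn_subnets"]):
        trace.append(f"{role}: {pkt.dst} is in an AutoVPN subnet, encapsulate to {entry['peer']}")
        return Packet(src=own_wan, dst=entry["peer"], payload="autovpn", inner=pkt)
    where = "upstream out the same WAN port" if role == "hub" else "downstream to the LAN"
    trace.append(f"{role}: forward {pkt.src}->{pkt.dst} {where}")
    return pkt


def dc_edge(pkt: Packet, trace: list) -> Packet:
    """DC edge firewall: inbound NAT of the tunnel traffic to the concentrator's
    private address (step 5), outbound NAT back to the public IP (step 11)."""
    if pkt.dst == DC_EDGE_PUBLIC:
        trace.append(f"edge: NAT {DC_EDGE_PUBLIC} -> {CONCENTRATOR_WAN}")
        return Packet(pkt.src, CONCENTRATOR_WAN, pkt.payload, pkt.inner)
    if pkt.src == CONCENTRATOR_WAN:
        trace.append(f"edge: NAT {CONCENTRATOR_WAN} -> {DC_EDGE_PUBLIC}")
        return Packet(DC_EDGE_PUBLIC, pkt.dst, pkt.payload, pkt.inner)
    return pkt


def request_path(request: Packet):
    """Steps 1-7: client -> branch MX -> Internet -> DC edge -> concentrator -> server."""
    trace = []
    p = mx_forward("branch", BRANCH_MX_WAN, request, trace)   # steps 1-3
    p = dc_edge(p, trace)                                      # steps 4-5
    p = mx_forward("hub", CONCENTRATOR_WAN, p, trace)          # step 6
    trace.append(f"dc-router: deliver {p.src}->{p.dst}")       # step 7
    return p, trace


def response_path(response: Packet):
    """Steps 8-14: server -> concentrator -> DC edge -> Internet -> branch MX -> client."""
    trace = []
    p = mx_forward("hub", CONCENTRATOR_WAN, response, trace)   # steps 9-10
    p = dc_edge(p, trace)                                      # step 11
    p = mx_forward("branch", BRANCH_MX_WAN, p, trace)          # steps 12-13
    trace.append(f"branch-lan: deliver {p.src}->{p.dst}")      # step 14
    return p, trace


if __name__ == "__main__":
    delivered, steps = request_path(Packet(CLIENT, SERVER, "GET /"))
    steps += response_path(Packet(SERVER, CLIENT, "200 OK"))[1]
    print("\n".join(steps))
```

Running it prints the hop-by-hop trace for both directions. The model deliberately gives the hub only one address (its WAN port): there is no LAN-side path in the functions at all, which mirrors the one-armed topology the appendix describes, where the decapsulated packet leaves on the same interface toward the DC router.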

cmr
Kind of a big deal

@IotaNetworks I'm not sure how you'd set up an Auto VPN hub in pass-through mode. It needs to be able to route for Auto VPN to work. We have the MX hubs in our main DC set up as concentrators and this works very well. It also removes the restriction of two WANs, as you can route as many as you like to the concentrator using L3 switches between the site edge and the MX. I'd follow that route and use the information in the post from @BrechtSchamp to learn how to make the most of it.

IotaNetworks
Here to help

@cmr, I have selected an option which says "pass through or concentrator mode"; not sure how to specify it as concentrator mode?

cmr
Kind of a big deal

In concentrator mode you only use the first WAN port; all traffic goes through this interface and back out of it. So the MX sits as a spur off the LAN (but using its WAN port), which for the 250 is the SFP+ socket.
