Home > Security Appliances > Site-to-site VPN > Configuring Site-to-site VPN over MPLS

Configuring Site-to-site VPN over MPLS

Many enterprise networks have existing MPLS circuits that connect locations. However if the MPLS goes down, the connection to a remote location is lost. MX Security Appliances can be placed in these networks to dynamically fail over to a VPN connection via a secondary Internet connection. This article describes how the Cisco Meraki Cloud manages the VPN tunnel based on the status of the Internet uplinks, and will illustrate the complete flow of traffic when the VPN is properly enabled and functioning.

General Network Design and Considerations

There are a few high level concepts to mention before getting into the details of network design:

  1. The MX at the branch location must use the Internet connection of HQ to send its management traffic to the Cloud while the MPLS is in use. With this in mind, the MPLS routers at the branch locations must have a route for Internet bound traffic. For client devices, you can use Uplink preferences on the Branch MX to direct Internet-bound traffic out the ISP at the branch.
  2. MX's need to form a VPN over the MPLS connection because unsolicited inbound traffic is dropped. VPN between the two sites resolves this issue.
  3. If the MPLS fails, the Branch MX will switch to its secondary Internet connection and the MX's will establish a tunnel over VPN.

MPLS Setup in Detail

Diagram of traffic flow when VPN is established over the MPLS Circuit.
558a32bd-a67a-4fb6-8593-7571ad4726de
 

Detailing the Flow of VPN Traffic

  1. Host at Branch location wants to talk to host at HQ.
  2. SRC IP 172.16.0.10 > DST IP 10.0.5.20
  3. Host routes traffic to its default Gateway (Branch MX).
  4. Branch MX has a VPN tunnel built for that remote Subnet (10.0.5.0/24) thanks to the knowledge of the Cloud.
  5. Data is encapsulated and sent over the VPN tunnel to the HQ MX in Concentrator Mode.
  6. MX Concentrator decapsulates the packet and delivers it to its DST IP (10.0.5.20).
  7. HQ client computer (10.0.5.20) responds to the packet and sends it to its default gateway (HQ Firewall), since it doesn't know about the location of the Branch network.
  8. HQ Firewall receives the packet and knows that it must route all traffic with a DST network of 172.16.0.0/24 back to the MX Concentrator.
  9. You need a static route pointing all Remote networks to the MX Concentrator. (example route statement >> ip route 172.16.0.0 255.255.255.0 10.0.5.254).
  10. The MX concentrator has a tunnel established for the network ID of 172.16.0.0/24, so it encapsulates the traffic and sends it to the Branch MX.
  11. The Branch MX decapsulates the packet and delivers it to the DST host (172.16.0.10).
  12. This communication works the same way whether the MX’s communicate over the MPLS or over their individual Internet connections

Cisco Meraki's VPN Registry 

When the MX devices report to the Dashboard, the Dashboard records both the SRC IP address of the traffic and the Interface IP of the MX. Sometimes these addresses do not match. This is common when the Device is placed in 1-armed VPN Concentrator Mode. This means that the MX has a private IP address, and VPN traffic is forwarded to the hardware for encapsulation.

Below is a screenshot of the Appliance Status. Notice that the Internet Port is different from the Public IP address.

52a65f4a-bbda-426c-b9fd-b3b1a92b4d91

In the diagram above, the Branch MX is routing all traffic over the MPLS to the HQ firewall. The Dashboard-bound traffic has the same SRC IP address (230.45.122.56) as the HQ MX Concentrator. However, the IP addresses of the Interfaces (10.0.5.254 and 192.168.1.2) are both local to their network, and those addresses are reported to the Dashboard as well.

Below is an example of VPN Registry and the IP addresses that the Cloud records.

cefa9e3e-d904-405f-8ad3-fc797d4720ec

In this example, the Dashboard knows that the two devices can’t form a VPN Tunnel through the same SRC IP address, so it will try the IP addresses of the Interfaces. The routing through the MPLS allows the MX devices to communicate using these Private IP addresses, and the tunnel is dynamically established.

Failover to Secondary ISP when MPLS Circuit is Not Available

If the MPLS goes down, the Branch MX will know that it lost connection to the Cloud and will fail over to its backup ISP connection. Once the MX is communicating with the Cloud again, the registry entry is updated.

f619f5de-45c7-40aa-920a-c8f4159163d0

Below is an example of the VPN Registry now that the Branch is communicating to the Cloud from a different public IP address.

7463b736-82bd-4587-8f02-7f378a7a9fb4

The MX Concentrator will now establish the VPN to the Public IP address of the Branch MX.

Uplink Preferences

Some users prefer to send Internet-bound traffic out the secondary Internet connection at the branch location. You can add Uplink Preferences under Configure > Traffic Shaping. The MX will route the traffic according the most specific route. Since the VPN routes are more specific than the route of 0.0.0.0/0, the VPN traffic will go out the VPN Interface.

Below is a screenshot of Uplink Preferences that facilitate the desired traffic flow:

 

MX Site-to-site VPN allows remote sites to dynamically fail over to back up Internet Connections when an MPLS connection becomes unavailable. This can happen automatically since the MX harnesses the information that the Cloud knows about the devices.

Additional Resources

For a configuration that allows an existing MPLS link to fail-over to a site-to-site VPN connection, please reference our documentation on MPLS failover to site-to-site VPN.

You must to post a comment.
Last modified
11:24, 27 Jul 2017

Tags

Classifications

This page has no classifications.

Explore Meraki

You can find out more about Cisco Meraki on our main site, including information on products, contacting sales and finding a vendor.

Explore Meraki

Contact Support

Most questions can be answered by reviewing our documentation, but if you need more help, Cisco Meraki Support is ready to work with you.

Open a Case

Ask the Community

In the Meraki Community, you can keep track of the latest announcements, find answers provided by fellow Meraki users and ask questions of your own.

Visit the Community