Many enterprise networks have existing MPLS circuits that connect locations. However, if the MPLS circuit goes down, connectivity to the remote location is lost. MX Security Appliances can be placed in these networks to dynamically fail over to a VPN connection via a secondary Internet connection. This article describes how the Cisco Meraki Cloud manages the VPN tunnel based on the status of the Internet uplinks, and illustrates the complete flow of traffic when the VPN is properly enabled and functioning.
There are a few high-level concepts to mention before getting into the details of network design:
Diagram of traffic flow when VPN is established over the MPLS Circuit.
When the MX devices report to the Dashboard, the Dashboard records both the source (SRC) IP address of the traffic and the Interface IP of the MX. Sometimes these addresses do not match. This is common when the device is placed in 1-armed VPN Concentrator Mode: the MX has a private IP address, and VPN traffic is forwarded to the hardware for encapsulation.
Below is a screenshot of the Appliance Status. Notice that the Internet Port is different from the Public IP address.
In the diagram above, the Branch MX is routing all traffic over the MPLS to the HQ firewall. The Dashboard-bound traffic has the same SRC IP address (184.108.40.206) as the HQ MX Concentrator. However, the IP addresses of the Interfaces (10.0.5.254 and 192.168.1.2) are both local to their network, and those addresses are reported to the Dashboard as well.
Below is an example of VPN Registry and the IP addresses that the Cloud records.
In this example, the Dashboard knows that the two devices can’t form a VPN Tunnel through the same SRC IP address, so it will try the IP addresses of the Interfaces. The routing through the MPLS allows the MX devices to communicate using these Private IP addresses, and the tunnel is dynamically established.
If the MPLS goes down, the Branch MX will know that it lost connection to the Cloud and will fail over to its backup ISP connection. Once the MX is communicating with the Cloud again, the registry entry is updated.
Below is an example of the VPN Registry now that the Branch is communicating to the Cloud from a different public IP address.
The MX Concentrator will now establish the VPN to the Public IP address of the Branch MX.
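The registry behaviour described above, as a small illustrative model (added example, not Meraki's code or its actual algorithm): each MX reports its public source IP and interface IP, and the two peers are matched on interface IPs only when they share a public IP. The HQ and branch addresses are the ones from this article; the branch's backup-ISP addresses (198.51.100.7 and 203.0.113.9) are constructed for the example.

```python
"""Illustrative model of how a cloud VPN registry might pick peer addresses
from what each MX reports. Assumption: two MXs that report the same public
source IP sit behind the same egress, so the tunnel is attempted between
their interface IPs (reachable over the shared path, here the MPLS)."""
from dataclasses import dataclass


@dataclass
class RegistryEntry:
    name: str
    public_ip: str      # source IP the cloud sees the check-in coming from
    interface_ip: str   # uplink interface IP the MX reports about itself


class VpnRegistry:
    def __init__(self):
        self.entries = {}

    def report(self, name, public_ip, interface_ip):
        """Called on every MX check-in; the newest report replaces the old."""
        self.entries[name] = RegistryEntry(name, public_ip, interface_ip)

    def peer_addresses(self, a, b):
        """Return (address_of_a, address_of_b) the two MXs should tunnel to."""
        ea, eb = self.entries[a], self.entries[b]
        if ea.public_ip == eb.public_ip:
            # Same public IP: a tunnel to that address could not distinguish
            # the peers, so fall back to their interface (private) IPs.
            return ea.interface_ip, eb.interface_ip
        return ea.public_ip, eb.public_ip


def failover_walkthrough():
    """MPLS up: both MXs check in from the HQ public IP (article values).
    MPLS down: the branch checks in from its backup ISP (constructed IPs)."""
    reg = VpnRegistry()
    reg.report("hq", "184.108.40.206", "10.0.5.254")
    reg.report("branch", "184.108.40.206", "192.168.1.2")
    mpls_up = reg.peer_addresses("hq", "branch")
    # Branch lost the MPLS, re-registers via its secondary uplink
    reg.report("branch", "198.51.100.7", "203.0.113.9")  # constructed
    mpls_down = reg.peer_addresses("hq", "branch")
    return mpls_up, mpls_down


if __name__ == "__main__":
    up, down = failover_walkthrough()
    print("MPLS up:  ", up)    # interface IPs are used
    print("MPLS down:", down)  # public IPs are used
```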
Some users prefer to send Internet-bound traffic out the secondary Internet connection at the branch location. You can add Uplink Preferences under Configure > Traffic Shaping. The MX will route traffic according to the most specific matching route. Since the VPN routes are more specific than the default route of 0.0.0.0/0, the VPN traffic will go out the VPN Interface.
Below is a screenshot of Uplink Preferences that facilitate the desired traffic flow:
MX Site-to-site VPN allows remote sites to dynamically fail over to backup Internet connections when an MPLS connection becomes unavailable. This happens automatically because the MX harnesses the information that the Cloud knows about the devices.