I am working on a hybrid SDWAN architecture utilising MPLS and Internet links. Some spoke sites will have both services, while some spoke sites will only have Internet. We will have 3 DCs/hubs. The main hub will have both MPLS and Internet services, while the other hubs will only have Internet.
At spoke sites, RFC 1918 traffic will prefer the MPLS service, with local Internet breakout. SDWAN tunnels will be maintained as a backup to the MPLS service. I am planning to create a route preference for RFC 1918 to cater for this.
I have read the Meraki documentation, which refers to 2 connectivity topologies for incorporating MPLS links: either connect MPLS to the WAN interface or to the LAN interface.
I am unable to decide which design choice to go for.
If you use the MPLS on the WAN, you will basically use it as a second WAN port to build SD-WAN over it. Cloud Connection would be given over the internet link, and you can give internet access over the SD-WAN Link as well.
If you go for MPLS over the LAN interface, you will have to do MPLS Failover to Meraki Auto VPN, which, in my opinion, is the inferior solution compared to the first one.
MPLS Failover includes a lot of static routing, and if you change anything in the network, you have to adapt the routing in several places. This solution makes sense if you have sites that are MPLS only, so the only way to connect to them is via MPLS.
If you have internet on each site anyway, use the MPLS as a second WAN. This will make your life a lot easier.
We have this exact same architecture. Around 100 remote sites with MPLS + local Internet and 20 with dual Internet. 3 hubs.
We use the local Internet as the primary WAN1 and the MPLS as secondary WAN2. Active-active AutoVPN tunnels on both circuits. Private traffic is forced to the MPLS circuit and Internet traffic is leaving locally.
I’m pretty familiar with this architecture so feel free to ask questions!
- Spokes with MPLS and Internet links
- Spokes with Internet links
Obviously, for sites with single Internet service, this becomes simple, as there is only one link.
For sites with dual services, we would do Auto VPN on both links. Our traffic flow is SDWAN over MPLS with active failback to SDWAN over the Internet service. RFC 1918 traffic will route through MPLS, with local Internet breakout. Similarly, Meraki cloud control traffic will be over the primary WAN.
Would it make any difference to have MPLS on WAN1 or WAN2, and vice versa for the Internet links?
Secondly, are my design choices correct with regards to traffic flow etc.?
Ah ok! It doesn’t matter if you choose WAN1 or WAN2 because you have the option of selecting which one is your primary in the dashboard.
We are using the Internet circuits as primary for the following reasons:
Management traffic to the Meraki Cloud always picks the primary circuit. We had a lot of sites to deploy and I found it easier to choose WAN1 as the Internet circuit for greenfield deployment, as it is the default primary on a brand new box.
Load balancing is disabled because we have MPLS and Internet, so all traffic will pick the primary link by default; therefore you don’t need to specify an Internet flow rule.
You will need to put a rule for your VPN traffic though for MPLS.
Be sure to have an Internet breakout in your MPLS because your MPLS WAN2 circuits need to talk to the Meraki cloud.
Make your hubs and spokes exit to the Internet from your MPLS with the same public IP. This will enforce tunnel creation on the private IPs in your MPLS.
The Meraki cloud doesn’t like upstream load balancers either.
The diagram does not show it, but the MPLS network does have DIA. Since I prefer to use MPLS for Meraki Cloud control, my preference is to connect MPLS to the WAN1 interface.
Management traffic to the Meraki Cloud always picks the primary circuit. We had a lot of sites to deploy and I found it easier to choose WAN1 as the Internet circuit for greenfield deployment, as it is the default primary on a brand new box.
Just trying to find a guide to confirm whether we can select which WAN link to use for Meraki control traffic. I was reading somewhere today that Meraki decides itself which WAN to use for control traffic, although I am unable to find anything on the Meraki website to support this.
This option determines which uplink should be the primary connection. VPN traffic and management traffic to the Meraki Dashboard use the primary uplink. If load balancing is disabled, all traffic will use the primary uplink unless an uplink preference is configured specifying otherwise.
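As an added illustration for this thread (not Meraki code and not the Dashboard API), here is a small Python model of the uplink-selection behaviour described in the replies and in the quoted documentation: Internet on WAN1 as primary, load balancing off, a VPN flow rule sending RFC 1918 destinations over the MPLS uplink, management traffic pinned to the primary, and failover to the other uplink when the preferred one is down. The uplink names, the `dia` flags and the `validate()` check are assumptions of the model.

```python
# Added illustration for this thread: a model of the MX uplink-selection policy
# described above. It is NOT Meraki code and NOT the Dashboard API; the uplink
# and flow names below are assumptions of the model.
import ipaddress
from dataclasses import dataclass, field

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(dst: str) -> bool:
    """True when the destination is in an RFC 1918 range (AutoVPN-bound traffic)."""
    ip = ipaddress.ip_address(dst)
    return any(ip in net for net in RFC1918)


@dataclass
class UplinkPolicy:
    # Load balancing is modelled as disabled, as in the thread: anything not
    # matched by the VPN preference simply follows the primary uplink.
    primary: str = "wan1"      # Internet on WAN1: the default primary on a new box
    vpn_pref: str = "wan2"     # VPN flow rule: RFC 1918 traffic prefers MPLS
    # per-uplink state (constructed): link up? does it have Internet breakout (DIA)?
    up: dict = field(default_factory=lambda: {"wan1": True, "wan2": True})
    dia: dict = field(default_factory=lambda: {"wan1": True, "wan2": True})

    def validate(self) -> list:
        """Design check from the thread: every uplink must reach the Meraki
        cloud, so an MPLS uplink without Internet breakout is flagged."""
        return [f"{u}: no Internet breakout, cannot reach the Meraki cloud"
                for u, has_dia in self.dia.items() if not has_dia]

    def select(self, dst: str, management: bool = False) -> str:
        """Return the uplink a flow to dst uses. Management traffic and local
        Internet breakout follow the primary; private destinations follow the
        VPN preference; a down uplink fails over to the other one."""
        if management or not is_private(dst):
            chosen = self.primary
        else:
            chosen = self.vpn_pref
        if not self.up[chosen]:
            chosen = "wan2" if chosen == "wan1" else "wan1"   # failover
        if not self.up[chosen]:
            raise RuntimeError("both uplinks down")
        return chosen
```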