Many organizations use MPLS to provide low-latency, private communications between sites. But MPLS networks can fail, and if yours does you need a secure solution — such as site-to-site VPN — to ensure traffic between locations remains secure.
By deploying Cisco Meraki MXs to connect sites across an MPLS network, you can specify static routes out to that MPLS network. Route weights ensure these pathways are attempted first unless the gateway IP or a host you specify within the destination subnet becomes unavailable. Assuming Meraki Auto VPN is also configured between these MXs, they will automatically fail over to VPN in the event your MPLS link goes down. In this case, traffic will continue to pass between sites over the encrypted VPN tunnel, avoiding downtime without sacrificing data security.
This functionality is available to existing – and future – MX customers through our upcoming MX firmware update, available by direct request if you want to enable this feature today.
MXs deployed at branch and HQ locations can fail over to VPN if the main route out to an MPLS network loses connectivity. Two MXs ensure VPN redundancy.
For extra redundancy in locations that use a separate firewall, a primary MX can be configured as a one-armed VPN concentrator. In this configuration a secondary MX can be connected to act as a warm failover spare, providing VPN redundancy in addition to automatic VPN failover.
Setting up site-to-site VPN between MXs is easy, literally taking 3 clicks in the Meraki dashboard. You can quickly specify what sort of VPN topology you’d like — mesh or hub-and-spoke — as well as additional firewall rules to filter traffic according to your network’s needs.
Once your VPN settings are configured, you will be able to set your MX up for automatic VPN failover. To do this, you will create static routes in the Meraki dashboard (Configure > Addressing & VLANs).
A summary view of an MX’s local VLANs and static routes will be found in the Configure > Addressing & VLANs dashboard page.
Static routes that relinquish their “active” status if connectivity is lost will fail over automatically to VPN.
When creating static routes, specify how you want them to behave if either the gateway IP or a host within the destination subnet can no longer be contacted (the end-to-end connection is validated when a host responds to a ping). Static routes that relinquish their active status in these scenarios will automatically failover to VPN.
The Meraki MX provides distributed enterprises with automatic data security in the event MPLS becomes unreachable. Combined with intuitive, easy-to-configure VPN — along with the option of implementing a warm VPN spare — the Meraki MX offers a simple yet powerful solution for IT administrators who want to ensure both the reliability and security of their distributed network.