Building your Cybersecurity or SD WAN vendor shortlist? Try our online quick assessments for recommendations.

How to deploy Meraki SD WAN over MPLS?

How to deploy Meraki SD WAN over MPLS?

Compare the SD WAN & SASE / SSE Cybersecurity market across 150 providers and vendors now

  • Compare DIY or fully managed solutions for your business
  • Learn why each solution is a match for your business
  • Used by companies including CDC, Permira, Square Enix, British Legion and more

Get Started

As one of the first cloud-managed, orchestration-based routing platforms, Cisco Meraki was in a prime position to have an SD WAN offering from the beginning. Unlike a lot of other companies, when Meraki started rolling out SD WAN capabilities in its software, it did not force you to purchase new hardware.

All current MX series security appliances support SD WAN capabilities through a second uplink connection. While SD WAN is typically thought of as being used only with the Internet, Meraki’s SD WAN works equally well over higher-quality MPLS links too.

All Cisco Meraki devices must have a connection to the Internet for management. Unlike some other platforms, Meraki does not have a local on-premises management offering. This means even infrastructure devices like Meraki wireless access points that do not participate directly in providing client reachability to the Internet must still have Internet access themselves to be managed. Cisco does provide an extensive list of addresses and ports, though, so that you can lock these connections down with a firewall for enhanced security.

The management Internet connection is an important consideration when deploying Cisco Meraki SD WAN over MPLS connections. When you subscribe to an MPLS Layer 3 VPN service, Internet access is usually not included unless purchased as an additional service. Most often, MPLS L3VPN links are purchased strictly with site-to-site traffic in mind and a centralised Internet access model is used.

Sometimes Internet access can be purchased from your MPLS provider and delivered as a separate physical interface or VLAN that connects to your customer premises equipment (CPE) such as a Meraki MX appliance. Less commonly, Internet access may also be injected directly into the L3VPN through a carrier-provided default route or some form of centralised firewall service.

SD WAN with Cisco Meraki supports two uplinks. Both uplinks could be MPLS L3VPN connections, as long as at least one of them has some form of reachability to the Internet, but the most common deployment scenario of Meraki SD WAN over MPLS is with a single direct Internet connection and a single MPLS link. Without SD WAN, the MPLS link is used as a traditional routed connection across your network. You can specify which routes are reachable through the MPLS L3VPN with either static routing, or by using a routing protocol such as BGP.

When you configure SD WAN to be used with your MPLS link, an AutoVPN tunnel is established across the MPLS L3VPN to your other Meraki MX appliances in accordance with your configured topology. The default AutoVPN topology is full mesh with each MX appliance establishing a direct tunnel to all other MX appliances. Beyond a few sites, this presents scaling and efficiency limitations, so most companies that deploy Meraki SD WAN do so in a hub-and-spoke model where connectivity is centralised and potentially regionalised as well, depending on the size of the deployment.

With Cisco Meraki SD WAN, two AutoVPN tunnels are used, one per uplink, and traffic is distributed across both links simultaneously according to the defined traffic policy. For instance, there is a built-in policy called “Best for VoIP” where all real-time voice traffic is automatically sent on the link that has the best characteristics for successful voice traffic, such as low latency and jitter. In the context of using SD WAN with MPLS links, you have a much better chance of the MPLS link performing better than a general Internet link when it comes to voice traffic in particular.

Meraki SD WAN over MPLS

Most MPLS links are backed by a service level agreement (SLA) which guarantees a specific minimum level of performance. General Internet connections may have some level of guarantee in the form of availability (or uptime), but not with general performance due to the unpredictable nature of the Internet. This is why SLA-backed MPLS is still a very popular choice when network traffic must be delivered within specific constraints.

Larger SD WAN deployments usually involve datacentres and possible regionalised hubs. For these kinds of deployments, Cisco recommends using larger appliances capable of higher tunnel accounts deployed in what is known as “one-armed VPN concentrator” mode. With this configuration, the MX appliance does not connect to the Internet directly but terminates all of the AutoVPN sessions from the branch offices through a centralised Internet connection along with a connection to the MPLS L3VPN service.

Cisco Meraki MX appliances also support high availability device pairs, with one device active and the other in standby mode. Datacentres have physical infrastructures designed with redundancy and high-availability in mind, which makes the one-armed scenario possible. With this design, each Meraki MX appliance shares the IP address used for the VPN concentrator endpoint but uses the Virtual Router Redundancy Protocol (VRRP) so that only one device is active at a time and serving clients.

Deploying Cisco Meraki SD WAN over an MPLS link gives you the benefits of SD WAN with the added performance of MPLS. Network traffic automatically uses the best link based on policy, and you have very fast failover when one of the links becomes unavailable. The Meraki MX appliance constantly evaluates and verifies the AutoVPN connections by sending a 100-byte test packet once every second. Performance characteristics such as packet loss, delay, and jitter are constantly measured, and traffic profiles are adjusted accordingly so that your network traffic has the best chance of reaching the other end of the AutoVPN tunnel intact and on time.

One final advantage of deploying SD WAN using an Internet link and an MPLS L3VPN connection is that you can send general Internet-bound traffic directly over the Internet link instead of forcing it to traverse the MPLS connection. The Meraki MX appliance is first and foremost a security appliance and whitelisting certain Internet destinations for local Internet breakout is a good way to balance performance and send only your most important, time-critical traffic over the MPLS link. For example, if your organisation uses a trusted cloud-based software platform like Microsoft Office 365, it may be better to send that traffic directly to the Internet instead of using MPLS. Likewise, traffic destined to internal file servers should probably travel over the MPLS link, but with SD WAN you have instant failover should one of the two paths become unavailable or degraded.

Visit the Netify SASE Cybersecurity and SD WAN marketplace.

Get the data points you need to help with your SASE Cybersecurity and SD WAN decision making process.

Learn More

Suggested Posts

SD WAN Buyers Mindmap

Download the SD WAN Buyers Mind Map Feature Comparison Guide

Download the at-a-glance A3 PDF SD WAN Buyers Mindmap. Everything an IT decision making team need to consider when comparing vendors and managed service providers.

SD WAN Buyers Mind Map 2023

Your Mindmap is sent immediately. Complete the following information - check your junk folder if you do not receive the content within 2 minutes.

Download now

Compare solutions over MS Teams

Schedule your FREE SD WAN & SASE Cybersecurity IT buyers strategy session

If your business is looking to compare and evaluate SD WAN & SASE/SSE Cybersecurity, one of our experts will discuss your goals and review Gartner leaders, niche players and startups. (Includes DIY & Fully Managed services)

Please provide the following information and one of our North American or UK consultants will reach out to you soon.

Request session

Compare the SD WAN & SASE/SSE Market

The most successful Enterprises use free Netify comparison tools

Our free comparison tools have helped CDC, Permira, Square Enix, and British Legion —plus many smaller companies across North America and the UK (including Global locations).

Learn More

SD WAN & SASE/SSE Marketplace

Discover the provider and vendor research you need

Discover over 150  SD WAN & SASE/SSE service providers and vendors using the Netify Marketplace. Request sales PDF documents, get your local contact or book a demo.

Visit Marketplace

Medivet, CDC Global, British Legion, Permira & Tilney used the Playbook.

Download the SD WAN & SASE Cybersecurity Playbook

A comparison of SD WAN vendors & providers distilled into one page. WIth the key features you should consider.

Download our latest guides to SD WAN and SASE (Secure Access Service Edge) Cybersecurity with our IT Managers Mind Map checklist.

Download now

Subscribe to Notifications

Explore Topics

Popular Article Topics

Find articles and helpful resources about any of the following:

The Netify Learning Center

Learn more about comparison of SD WAN and SASE Cybersecurity with the Netify Learning Center.

See All Articles

Close popup
Close popup

Download our at-a-glance Mind Map which details the features, vendors and managed providers YOU MUST consider when comparing SD WAN & SASE Cyberscurity solutions.

Download

Download the SD WAN Buyers Mind Map. If you are comparing SD WAN vendors or managed providers, use this stunning at-a-glance guide with solution comparison and feature cheat sheet checklist.

Back
Download the SD WAN Buyers Mind Map. If you are comparing SD WAN vendors or managed providers, use this stunning at-a-glance guide with solution comparison and feature cheat sheet checklist.
Preview
If you enjoyed this preview, please enter your business email address and we'll email you a link.