Netify have released our 2024 SD-WAN comparison blog article

How to deploy Meraki SD WAN over MPLS?

How to deploy Meraki SD WAN over MPLS?

How our Compare the Market Quiz can help you find the best fit SD-WAN Vendors

  • Answer 10 questions to find out which SD-WAN solution fits your business
  • Learn why each solution is a match for your business
  • Used by companies including CDC, Permira, Square Enix, British Legion and more
  • Totally free to use without commitment

Compare the SD-WAN Market

As one of the first cloud-managed, orchestration-based routing platforms, Cisco Meraki was in a prime position to have an SD WAN offering from the beginning. Unlike a lot of other companies, when Meraki started rolling out SD WAN capabilities in its software, it did not force you to purchase new hardware.

All current MX series security appliances support SD WAN capabilities through a second uplink connection. While SD WAN is typically thought of as being used only with the Internet, Meraki’s SD WAN works equally well over higher-quality MPLS links too.

All Cisco Meraki devices must have a connection to the Internet for management. Unlike some other platforms, Meraki does not have a local on-premises management offering. This means even infrastructure devices like Meraki wireless access points that do not participate directly in providing client reachability to the Internet must still have Internet access themselves to be managed. Cisco does provide an extensive list of addresses and ports, though, so that you can lock these connections down with a firewall for enhanced security.

The management Internet connection is an important consideration when deploying Cisco Meraki SD WAN over MPLS connections. When you subscribe to an MPLS Layer 3 VPN service, Internet access is usually not included unless purchased as an additional service. Most often, MPLS L3VPN links are purchased strictly with site-to-site traffic in mind and a centralised Internet access model is used.

Sometimes Internet access can be purchased from your MPLS provider and delivered as a separate physical interface or VLAN that connects to your customer premises equipment (CPE) such as a Meraki MX appliance. Less commonly, Internet access may also be injected directly into the L3VPN through a carrier-provided default route or some form of centralised firewall service.

SD WAN with Cisco Meraki supports two uplinks. Both uplinks could be MPLS L3VPN connections, as long as at least one of them has some form of reachability to the Internet, but the most common deployment scenario of Meraki SD WAN over MPLS is with a single direct Internet connection and a single MPLS link. Without SD WAN, the MPLS link is used as a traditional routed connection across your network. You can specify which routes are reachable through the MPLS L3VPN with either static routing, or by using a routing protocol such as BGP.

When you configure SD WAN to be used with your MPLS link, an AutoVPN tunnel is established across the MPLS L3VPN to your other Meraki MX appliances in accordance with your configured topology. The default AutoVPN topology is full mesh with each MX appliance establishing a direct tunnel to all other MX appliances. Beyond a few sites, this presents scaling and efficiency limitations, so most companies that deploy Meraki SD WAN do so in a hub-and-spoke model where connectivity is centralised and potentially regionalised as well, depending on the size of the deployment.

With Cisco Meraki SD WAN, two AutoVPN tunnels are used, one per uplink, and traffic is distributed across both links simultaneously according to the defined traffic policy. For instance, there is a built-in policy called “Best for VoIP” where all real-time voice traffic is automatically sent on the link that has the best characteristics for successful voice traffic, such as low latency and jitter. In the context of using SD WAN with MPLS links, you have a much better chance of the MPLS link performing better than a general Internet link when it comes to voice traffic in particular.

Meraki SD WAN over MPLS

Most MPLS links are backed by a service level agreement (SLA) which guarantees a specific minimum level of performance. General Internet connections may have some level of guarantee in the form of availability (or uptime), but not with general performance due to the unpredictable nature of the Internet. This is why SLA-backed MPLS is still a very popular choice when network traffic must be delivered within specific constraints.

Larger SD WAN deployments usually involve datacentres and possible regionalised hubs. For these kinds of deployments, Cisco recommends using larger appliances capable of higher tunnel accounts deployed in what is known as “one-armed VPN concentrator” mode. With this configuration, the MX appliance does not connect to the Internet directly but terminates all of the AutoVPN sessions from the branch offices through a centralised Internet connection along with a connection to the MPLS L3VPN service.

Cisco Meraki MX appliances also support high availability device pairs, with one device active and the other in standby mode. Datacentres have physical infrastructures designed with redundancy and high-availability in mind, which makes the one-armed scenario possible. With this design, each Meraki MX appliance shares the IP address used for the VPN concentrator endpoint but uses the Virtual Router Redundancy Protocol (VRRP) so that only one device is active at a time and serving clients.

Deploying Cisco Meraki SD WAN over an MPLS link gives you the benefits of SD WAN with the added performance of MPLS. Network traffic automatically uses the best link based on policy, and you have very fast failover when one of the links becomes unavailable. The Meraki MX appliance constantly evaluates and verifies the AutoVPN connections by sending a 100-byte test packet once every second. Performance characteristics such as packet loss, delay, and jitter are constantly measured, and traffic profiles are adjusted accordingly so that your network traffic has the best chance of reaching the other end of the AutoVPN tunnel intact and on time.

One final advantage of deploying SD WAN using an Internet link and an MPLS L3VPN connection is that you can send general Internet-bound traffic directly over the Internet link instead of forcing it to traverse the MPLS connection. The Meraki MX appliance is first and foremost a security appliance and whitelisting certain Internet destinations for local Internet breakout is a good way to balance performance and send only your most important, time-critical traffic over the MPLS link. For example, if your organisation uses a trusted cloud-based software platform like Microsoft Office 365, it may be better to send that traffic directly to the Internet instead of using MPLS. Likewise, traffic destined to internal file servers should probably travel over the MPLS link, but with SD WAN you have instant failover should one of the two paths become unavailable or degraded.

The 3 Tools You Need To Compare UK SD WAN Providers And Vendors.

  1. SD WAN Comparison Tool - Answer 10 questions to find your match.
  2. Read SD WAN Research - We've listed 25+ Solutions.
  3. Get the Guide - Top/Best SD WAN Vendors and Providers.

Suggested Posts

SD WAN Buyers Mindmap

Download the SD WAN Buyers Mind Map Feature Comparison Guide

Download the at-a-glance A3 PDF SD WAN Buyers Mindmap. Everything an IT decision making team need to consider when comparing vendors and managed service providers.

SD WAN Buyers Mind Map 2023

Your Mindmap is sent immediately. Complete the following information - check your junk folder if you do not receive the content within 2 minutes.

Download now

Explore Topics

Popular Article Topics

Find articles and helpful resources about any of the following:

Subscribe to Notifications

The Netify Learning Center

Learn more about comparison of SD WAN and SASE Cybersecurity with the Netify Learning Center.

See All Articles

Download the SD WAN Playbook

A comparison of SD WAN vendors & providers distilled into one page.

With the key features you should consider. And, build a vendor shortlist in less than 60 seconds with our comparison tool.