Currently we have two datacenters with around 50 customers.
For security reasons, we have to install 1 device per customer.
Primary location: 1 MX67 "Hub"
Secondary: 1 MX67 "Hub"
One customer may have two locations, so two spokes talking back to the Primary and Secondary Hubs.
The hurdle is making sure one org cannot see another, which is why we have to install 1 device per customer in the DCs.
Question:
Anyone know of a better deployment? We were going to do on-prem vMX, but this is no longer an option. Only cloud.
Has anyone had similar deployments or hurdles, and how did you overcome them?
Thank you in advance.
I have done it with 2 vMX in the cloud and 20+ locations, hairpin design; some have a single MX, some have HA, depending on site severity. In this case all of them are in the same org, just different networks. If each MX is in a different org it won't work, because Meraki uses a service for VPN registry which registers each MX's public and interface IP addresses. The registry then uses this information with some logic to understand how to route between the various MXs; this lookup is limited to an organization, not cross-organization, to the best of my knowledge.
Additionally, keep MX67 scalability in mind. You will need SD-WAN licenses, which is the highest tier. Do a POC; use the Meraki trial program.
Let me see if I understand correctly: you want to have the same hub for spokes in different organizations, is that it?
If I could, because right now I have to have a single MX hub for each customer so Org A cannot see Org B.
I would love to terminate everyone on something like an MX250, but if I have 50 customers, those 50 customers CANNOT see each other due to security restrictions.
What @ammahend said is the most correct and viable.
Thank you Ammahend for the information.
How are you protecting Network A from Network B in the same org?
Also, was this in Azure or AWS, and where did you funnel their web traffic?
You can use site-to-site VPN firewall rules.
https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Firewall_Rule_Behavior
Thank you. We have looked at this, but there are a ton of entries that need to be added when we go the FW route. One customer may have 10-12 networks.
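To make the site-to-site VPN firewall rule approach concrete, here is an added example (not code from the thread or from Meraki) that generates the rule list for the Dashboard API v1 call `PUT /organizations/{organizationId}/appliance/vpn/vpnFirewallRules` and checks the result with a first-match evaluator. It assumes comma-separated CIDR lists are accepted in `srcCidr`/`destCidr`, that rules are matched top-down on traffic entering the VPN, and that the implicit final rule is "allow any"; verify all three against your dashboard before pushing. The tenant names and subnets are constructed sample data.

```python
"""Tenant-isolation rules for a shared Meraki AutoVPN hub.

Added example, not from the thread or from Meraki. Builds the rule list for
  PUT /organizations/{organizationId}/appliance/vpn/vpnFirewallRules
and checks it with a first-match evaluator. Assumptions (verify on your
dashboard): comma-separated CIDR lists in srcCidr/destCidr, top-down
matching on traffic entering the VPN, implicit final rule "allow any".
"""
import ipaddress
import json

# Constructed sample data: tenant -> spoke subnets advertised into AutoVPN.
CUSTOMERS = {
    "cust-a": ["10.10.1.0/24", "10.10.2.0/24"],
    "cust-b": ["10.20.1.0/24"],
}
# Constructed: hub-side shared-services subnet every tenant may reach.
SHARED = ["10.0.0.0/24"]


def check_disjoint(customers):
    """Refuse overlapping tenant subnets: CIDR rules cannot tell them apart."""
    seen = []
    for name, subnets in customers.items():
        for cidr in subnets:
            net = ipaddress.ip_network(cidr, strict=True)
            for other_name, other in seen:
                if other_name != name and net.overlaps(other):
                    raise ValueError(f"{name} {net} overlaps {other_name} {other}")
            seen.append((name, net))


def _rule(comment, policy, src, dst):
    # Field names follow the Dashboard API vpnFirewallRules schema.
    return {
        "comment": comment,
        "policy": policy,
        "protocol": "any",
        "srcCidr": src,
        "srcPort": "Any",
        "destCidr": dst,
        "destPort": "Any",
        "syslogEnabled": policy == "deny",  # log drops for detection
    }


def build_vpn_rules(customers, shared):
    """One allow rule per tenant (own subnets + shared), then deny all.

    Rule count grows with the number of tenants, not tenant pairs, which is
    what keeps 50 tenants x 10-12 networks manageable.
    """
    check_disjoint(customers)
    rules = []
    for name, subnets in customers.items():
        rules.append(_rule(
            f"{name}: own subnets and shared services",
            "allow",
            ",".join(subnets),
            ",".join(list(subnets) + list(shared)),
        ))
    # Overrides the implicit trailing "allow any"; without it every tenant
    # can reach every other tenant across the hub.
    rules.append(_rule("tenant isolation: drop everything else", "deny", "Any", "Any"))
    return rules


def to_api_body(rules):
    """JSON body for the PUT call named in the module docstring."""
    return json.dumps({"rules": rules}, indent=2)


def _matches(ip, cidrs):
    if cidrs.lower() == "any":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs.split(","))


def evaluate(rules, src_ip, dst_ip):
    """First matching rule wins; falls through to the implicit allow.

    Ports and protocol are ignored because every rule here is 'any'.
    """
    for rule in rules:
        if _matches(src_ip, rule["srcCidr"]) and _matches(dst_ip, rule["destCidr"]):
            return rule["policy"]
    return "allow"


if __name__ == "__main__":
    rules = build_vpn_rules(CUSTOMERS, SHARED)
    print(to_api_body(rules))
    for src, dst in [("10.10.1.5", "10.10.2.7"),   # same tenant: allow
                     ("10.10.1.5", "10.20.1.9"),   # cross-tenant: deny
                     ("10.20.1.9", "10.0.0.10")]:  # tenant -> shared: allow
        print(src, "->", dst, evaluate(rules, src, dst))
```

The evaluator is the check to run before every push: `evaluate([], ...)` returns `allow`, which is exactly the cross-tenant exposure you get if the trailing explicit deny is ever dropped from the list. Because VPN firewall rules are org-wide and applied to traffic going into the VPN, an MX is stateful for return traffic, so the hub does not need a separate "shared to tenant" allow for replies.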
In my case it's Cisco hosted VoIP, which uses vMX in Cisco's hosted cloud; I don't know if they use any third party in the backend.
But you can find vMX in the AWS store
or on the Azure marketplace.
You could consider deploying Cisco's virtualisation platform for networking - NVIS (on a pair of servers, for example). This allows you to run virtual MXs in your own DC.