Deploying SDWAN on a large scale

Solved
OB1
New here

Deploying SDWAN on a large scale

Currently we have two Datacenter's with around 50 customers. 

 

For Security reason. We have to install 1 device per customer.

 

Primary location.  1 MX 67  "Hub" 

Secondary 1 MX 67 "Hub"

 

One customer may have two locations.  So two spokes talking back to Primary and Secondary Hubs.

 

The hurdle is making sure one ORG can not see another.  Why we have to install 1 device per customer in the DC's .

 

 

Question=

 

Anyone know of a better deployment.  We was going to do on Prem VXM  but this is no longer an option.  Only Cloud.

Has anyone had similar deployments or hurdles and how did you over come them?

 

Thank you in advance.

1 Accepted Solution
ammahend
Building a reputation

I have done it with 2VMX in cloud and 20+ location, hairpin design , some have single MX some have HA, depending on site severity. In this case all of them are in same org, just different network. If each MX is in different ORG it won’t work because Meraki uses a service for vpn registry which registers each MX’s public and interface IP addresses. The Registry then uses this information with some logic to understand how to route between the various MXs, this lookup is limited to organization, not cross organization to best of my knowledge.

 

Additionally, Keep MX67 scalability in mind, you will need SD-WAN licenses which is highest tear, do a POC, use Meraki trial program 

View solution in original post

9 Replies 9
alemabrahao
Kind of a big deal
Kind of a big deal

Let me see if I understand correctly, you want to have the same HUB for Spokes in different organizations, is that it?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

If I could , because right now I have to have a singe MX hub for each customer so Org A can not see Org B.

 

I would love to terminate everyone to like a MX 250 but if I have 50 customers, those 50 customers CAN NOT see each other due to security restrictions. 

alemabrahao
Kind of a big deal
Kind of a big deal

What @ammahend  said is the most correct and viable.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
ammahend
Building a reputation

I have done it with 2VMX in cloud and 20+ location, hairpin design , some have single MX some have HA, depending on site severity. In this case all of them are in same org, just different network. If each MX is in different ORG it won’t work because Meraki uses a service for vpn registry which registers each MX’s public and interface IP addresses. The Registry then uses this information with some logic to understand how to route between the various MXs, this lookup is limited to organization, not cross organization to best of my knowledge.

 

Additionally, Keep MX67 scalability in mind, you will need SD-WAN licenses which is highest tear, do a POC, use Meraki trial program 

OB1
New here

Thank you Ammahend for the information. 

How are you protecting network A from network B in the same Org? 

Also, was this in Azure? or AWS? and where did you funnel their web Traffic? 

 

alemabrahao
Kind of a big deal
Kind of a big deal

You can use Site-to-site VPN Firewall Rules.

 

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Firewall_Rule_Behavior

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Thank you. We have looked at this but there is a ton of entries needed to be added when we do the FW route.  1 customer may have 10-12 networks.

 

ammahend
Building a reputation

In my case it’s cisco hosted voip which uses VMX in cisco hosted cloud, I don’t know if they use any third part in backend.
But you can find VMX in AWS store

Or on Azure marketplace

PhilipDAth
Kind of a big deal
Kind of a big deal

You could consider deploying Cisco's virtualisation platform for networking -  NVIS (on a pair of servers, for example).  This allows you to run virtual MXs in your own DC.

 

https://community.meraki.com/t5/Feature-Announcements/Introducing-the-new-vMX-on-Cisco-NFVIS-for-Pri...

Get notified when there are additional replies to this discussion.