Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Deploying SDWAN on a large scale

Solved
OB1
New here
Friday
Friday

Deploying SDWAN on a large scale

Currently we have two Datacenter's with around 50 customers. 

 

For Security reason. We have to install 1 device per customer.

 

Primary location.  1 MX 67  "Hub" 

Secondary 1 MX 67 "Hub"

 

One customer may have two locations.  So two spokes talking back to Primary and Secondary Hubs.

 

The hurdle is making sure one ORG can not see another.  Why we have to install 1 device per customer in the DC's .

 

 

Question=

 

Anyone know of a better deployment.  We was going to do on Prem VXM  but this is no longer an option.  Only Cloud.

Has anyone had similar deployments or hurdles and how did you over come them?

 

Thank you in advance.

0 Kudos
Subscribe
1 Accepted Solution
ammahend
Getting noticed
Friday
Friday

I have done it with 2VMX in cloud and 20+ location, hairpin design , some have single MX some have HA, depending on site severity. In this case all of them are in same org, just different network. If each MX is in different ORG it won’t work because Meraki uses a service for vpn registry which registers each MX’s public and interface IP addresses. The Registry then uses this information with some logic to understand how to route between the various MXs, this lookup is limited to organization, not cross organization to best of my knowledge.

 

Additionally, Keep MX67 scalability in mind, you will need SD-WAN licenses which is highest tear, do a POC, use Meraki trial program 

View solution in original post

0 Kudos
Subscribe
9 Replies 9
alemabrahao
Kind of a big deal
Kind of a big deal
Friday
Friday

Let me see if I understand correctly, you want to have the same HUB for Spokes in different organizations, is that it?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Subscribe
In response to alemabrahao
OB1
New here
Friday
Friday

If I could , because right now I have to have a singe MX hub for each customer so Org A can not see Org B.

 

I would love to terminate everyone to like a MX 250 but if I have 50 customers, those 50 customers CAN NOT see each other due to security restrictions. 

0 Kudos
Subscribe
In response to OB1
alemabrahao
Kind of a big deal
Kind of a big deal
Friday
Friday

What @ammahend  said is the most correct and viable.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Subscribe
ammahend
Getting noticed
Friday
Friday

I have done it with 2VMX in cloud and 20+ location, hairpin design , some have single MX some have HA, depending on site severity. In this case all of them are in same org, just different network. If each MX is in different ORG it won’t work because Meraki uses a service for vpn registry which registers each MX’s public and interface IP addresses. The Registry then uses this information with some logic to understand how to route between the various MXs, this lookup is limited to organization, not cross organization to best of my knowledge.

 

Additionally, Keep MX67 scalability in mind, you will need SD-WAN licenses which is highest tear, do a POC, use Meraki trial program 

0 Kudos
Subscribe
OB1
New here
Friday
Friday

Thank you Ammahend for the information. 

How are you protecting network A from network B in the same Org? 

Also, was this in Azure? or AWS? and where did you funnel their web Traffic? 

 

0 Kudos
Subscribe
In response to OB1
alemabrahao
Kind of a big deal
Kind of a big deal
Friday
Friday

You can use Site-to-site VPN Firewall Rules.

 

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Firewall_Rule_Behavior

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Subscribe
In response to alemabrahao
OB1
New here
Friday
Friday

Thank you. We have looked at this but there is a ton of entries needed to be added when we do the FW route.  1 customer may have 10-12 networks.

 

0 Kudos
Subscribe
In response to OB1
ammahend
Getting noticed
Friday
Friday

In my case it’s cisco hosted voip which uses VMX in cisco hosted cloud, I don’t know if they use any third part in backend.
But you can find VMX in AWS store

Or on Azure marketplace

0 Kudos
Subscribe
PhilipDAth
Kind of a big deal
Kind of a big deal
Friday
Friday

You could consider deploying Cisco's virtualisation platform for networking -  NVIS (on a pair of servers, for example).  This allows you to run virtual MXs in your own DC.

 

https://community.meraki.com/t5/Feature-Announcements/Introducing-the-new-vMX-on-Cisco-NFVIS-for-Pri...

0 Kudos
Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
© 2024 Cisco Systems, Inc.