This could be a dumb question, but here goes...
We're about to deploy 125+/- MX devices to replace Brand X firewalls. In several locations we have a Cisco 2811 (ancient, we know) behind the firewall using up to 4 VLANs. One of those subnets is on the inside of the firewall and the rest are inside the router. We have routes on the firewall to those other VLANs.
Our topology will be
MX450 HA pair
With the MX65 networks using a template, I can't put routes on the individual network, so am I right that the routes will have to go on the MX450s with the next hop being the single subnet on the MX65W?
From this can you see a better way?
If you are going to Site-to-Site VPN them together you won't have to add the routes for each site. It'll populate as part of the tunnel participation.
I should've also mentioned that we're blocking the data subnets from talking to each other while letting the voice subnets go through.
You simply specify that the data networks don't use the VPN while the voice subnets do in the Routing page.
For the most part they are little more than switches now. Most of our voice is SIP now. We're deploying quickly without making other changes since our support contract just expired with Brand X. As well, there are other dependencies we'd have to resolve before eliminating the 2811s and letting the MX handle the VLAN.
Thanks all. This was a rabbit hole I entered.
We're creating the needed VLANs in the template and then modifying as needed in the network.
I need some mental breadcrumbs for next time...