Routed or One-Arm Concentrator
We currently have an MX85 behind an MX450 that only connects to an Azure VPN that feeds it back to the MX450 LAN. The MX85 is in routed mode. After doing some reading, I'm seeing that we might be better off just having that MX85 in one-arm concentrator mode since nothing else will be connecting behind the MX85.
Is one-arm concentrator best practice for this application? Other than bypassing the MX85 having a firewall, are there any other advantages?
Thank you for any help and time you spend answering.
I was more thinking what is the point in the MX85 at all, can the MX450 not support your VPN requirements..?
According to the Meraki team, if we want to provide that VPN connection to branch sites in the SD-WAN, there needs to be a router serving the tunnel on the LAN side of the MX450. We do not want each branch site to create a tunnel to Azure and instead want to serve the tunnel at the datacenter only - which will serve the tunnel to the branch sites.
Ah, in that case yes I see what you are doing and would agree with @ConnorLeedy that I would be deploying it in one-arm mode.
Although personally I would be deploying a vMX in Azure and letting all my branches talk to it directly - but I presume you have your reasons to not do this!
If this is something you want to do, then yes, it would make more sense to put the downstream MX into one-arm concentrator mode since there is no need for it to perform any routing / NAT.
