Routed or One-Arm Concentrator

RobbieCFSFL
New here


We currently have an MX85 behind an MX450 that only connects to an Azure VPN that feeds it back to the MX450 LAN. The MX85 is in routed mode. After doing some reading, I'm seeing that we might be better off just having that MX85 in one-arm concentrator mode since nothing else will be connecting behind the MX85.

Is one-arm concentrator best practice for this application? Other than bypassing having the MX85 having a firewall, are there any other advantages?

Thank you for any help and time you spend answering.

4 Replies
jimmyt234
Building a reputation

I was more thinking what is the point in the MX85 at all, can the MX450 not support your VPN requirements..?

According to the Meraki team, if we want to provide that VPN connection to branch sites in the SD-WAN, there needs to be a router serving the tunnel on the LAN side of the MX450. We do not want each branch site to create a tunnel to Azure and instead want to serve the tunnel at the datacenter only - which will serve the tunnel to the branch sites.

jimmyt234
Building a reputation

Ah, in that case yes I see what you are doing and would agree with @ConnorLeedy that I would be deploying it in one-arm mode.

Although personally I would be deploying a vMX in Azure and letting all my branches talk to it directly - but I presume you have your reasons to not do this!

ConnorLeedy
Meraki Employee

If this is something you want to do, then yes, it would make more sense to put the downstream MX into one-arm concentrator mode since there is no need for it to perform any routing / NAT.

If this was helpful, click the Kudos button. If my answer solved your problem, click "accept as solution" so that others can benefit from it.