Anyone using this topology in DC or Central office?

Solved
GregLiu
Here to help


Hi team,

 

Is anyone using the topology below for DC or central office hubs: primary and secondary for the WAN connection, the concentrator for the BGP AutoVPN, and then the concentrator eBGP peering with the existing IOS core network?

 

GregLiu_0-1616744337634.png

 

Seems it is recommended by the CVD 🙂

 

Cheers,

Greg 

 

1 Accepted Solution
Bruce
Kind of a big deal

I think that diagram is slightly misleading. The primary and secondary MX shown are the two that make up the HA VPN concentrator pair that is shown in the middle - the one in the middle representing the VIP that moves between the two MXs.

 

That said, using a couple of MXs to terminate WAN connections (or any other vendor’s firewall), and an MX VPN concentrator behind them to terminate SD-WAN connectivity is a valid design. But if you’re using only internet for your SD-WAN underlay, why not use the MX devices that terminate the WAN connection as your SD-WAN hub? A VPN concentrator makes sense if you have MPLS circuits in the mix, not necessarily if everything is internet based. You need to consider the path your tunnels will be built across carefully, and what you are trying to achieve.


3 Replies
Inderdeep
Kind of a big deal

This is the CVD, right? 🙂

Most of the time I have seen organizations use this topology for Datacenter Redundancy (DC-DC Failover).

 

Regards

Inderdeep

Regards/Inder
Cisco IT Blogs awarded in 2020 & 2021
www.thenetworkdna.com

GregLiu
Here to help

Agreed that this picture is misleading.

Makes sense: two MXs in front of the MX concentrator HA pair, then the eBGP can be used toward the big office internal network or datacenter internal core, and AutoVPN iBGP as the WAN fabric network :).

Let's say the front MXs work as firewalls, inspecting traffic for DIA and internet underlay path resilience; this will allow use of the full feature set of the firewall functions, with the concentrator HA pair designed for terminating the AutoVPN fabric connections only.

However, if the routed-mode MX can keep all feature sets, then converging the front-end MXs and the concentrator HA pair into one pair will save two front-end MXs or firewalls :).
