Anyone using this topology in DC or Central office?

SOLVED
GregLiu
Here to help


Hi team,

 

Is anyone using the topology below for DC or central office hubs: primary and secondary for the WAN connection, the concentrator for the BGP AutoVPN, and then the concentrator eBGP peering with the existing IOS core network?

 

[Image: topology diagram, GregLiu_0-1616744337634.png]

 

Seems it is recommended by the CVD 🙂

 

Cheers,

Greg 

 

1 ACCEPTED SOLUTION

Bruce
Kind of a big deal

Re: Anyone using this topology in DC or Central office?

I think that diagram is slightly misleading. The primary and secondary MX shown are the two that make up the HA VPN concentrator pair that is shown in the middle - the one in the middle representing the VIP that moves between the two MXs.

 

That said, using a couple of MXs to terminate WAN connections (or any other vendor’s firewall), and an MX VPN concentrator behind them to terminate SD-WAN connectivity is a valid design. But if you’re using only internet for your SD-WAN underlay, why not use the MX devices that terminate the WAN connection as your SD-WAN hub? A VPN concentrator makes sense if you have MPLS circuits in the mix, not necessarily if everything is internet based. You need to consider the path your tunnels will be built across carefully, and what you are trying to achieve.


3 REPLIES
Inderdeep
Head in the Cloud

Re: Anyone using this topology in DC or Central office?

This is CVD, right? 🙂

Most of the time I saw organizations use this topology for Datacenter Redundancy (DC-DC Failover).


Regards,
Inderdeep Singh
www.thenetworkdna.com

GregLiu
Here to help

Re: Anyone using this topology in DC or Central office?

Agreed that the picture is misleading.

 

Makes sense: two MXs in front of the MX concentrator HA pair, then the eBGP can be used toward the big office internal network or datacenter internal core, and AutoVPN iBGP as the WAN fabric network :).

 

Let's say the front MXs work as firewalls, inspecting traffic for DIA and internet underlay path resilience; this will allow use of the full feature set of the firewall functions, with the concentrator HA pair designed for terminating the AutoVPN fabric connections only.

 

However, if the routed-mode MX can keep all feature sets, then converging the front-end MX and concentrator HA pair into one pair will save two front-end MXs or firewalls :).
