Meraki

Community

DC Design Approach

Ash443
Conversationalist
Friday
Friday

DC Design Approach

Reading the deployment and configuration guides, its recommended to deploy One-Armed VPN concentrator model for Hub site. What are the disadvantages if we deploy the MX in Routed Mode connected to Internet for a Hub location and to terminate VPNs ? I reckon there will be security issues as we expose it to internet but can't we use F/W rules to restrict traffic?

 

I am thinking below topology, is this a definite No for Hub sites ?

 

Ash443_3-1733496141662.png

 

 

 

0 Kudos
6 Replies 6
RWelch
A model citizen
Friday
Friday

Most of the time you deploy a VPN Spoke (MX) in Routed Mode and a VPN Hub (also a MX) in Concentrator mode.

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
GreenMan
Meraki Employee
Meraki Employee
Friday
Friday

Definitely not a definite No - particularly as shown (you only show part of the AutoVPN)   😁

But there may be other aspects of the wider solution - and particularly as it grows / develops - where you find one-armed VPN Concentrator better suited / more flexible.

One key aspect here is that, for Data Centre type environments, we generally build any new functionality for VPNC mode.   A good example historically would be BGP.

In response to GreenMan
Ash443
Conversationalist
Sunday
Sunday

Thanks, I will keep in mind on any functionality diff b/w deployment modes 

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
Friday
Friday

I use routed mode 90% of the time.

 

You would probably would use One armed VPN concentrator mode if:

  • You have an existing firewall.
  • You have an HA Internet setup (using something like BGP failover)
  • You have a layer 3 network core
  • You need OSPF to exchange routes.

You would probably use routed/NAT mode if:

  • You can plug the MX into more than one Internet circuit so the MX can provide Internet HA itself.
  • You need to support clients behind the MX accessing the Internet, or you want to be able to apply Meraki group policies to those users.
Ash443
Conversationalist
Sunday
Sunday

Thanks Philip, I have deployed few in the routed mode and was wondering on VPNC mode as Meraki docs suggested as recommended mode for Hubs. 

0 Kudos
GIdenJoe
Kind of a big deal
Kind of a big deal
Monday
Monday

Most importantly:
If you have 2 DC's in active active where you have overlapping IP address space.
You know in cases your VM's must be able to migrate between DC's and are probably using something like VXLAN between your DC's then you only have the option to use Concentrator mode because in routed mode you cannot have overlapping IP space.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.