Meraki

Community

DC Design Approach

Ash443
Conversationalist
‎Dec 6 2024 6:42 AM
‎Dec 6 2024 6:42 AM

DC Design Approach

Reading the deployment and configuration guides, its recommended to deploy One-Armed VPN concentrator model for Hub site. What are the disadvantages if we deploy the MX in Routed Mode connected to Internet for a Hub location and to terminate VPNs ? I reckon there will be security issues as we expose it to internet but can't we use F/W rules to restrict traffic?

 

I am thinking below topology, is this a definite No for Hub sites ?

 

Ash443_3-1733496141662.png

 

 

 

0 Kudos
6 Replies 6
RWelch
Kind of a big deal
Kind of a big deal
‎Dec 6 2024 6:55 AM
‎Dec 6 2024 6:55 AM

Most of the time you deploy a VPN Spoke (MX) in Routed Mode and a VPN Hub (also a MX) in Concentrator mode.

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
GreenMan
Meraki Employee All-Star Meraki Employee All-Star
Meraki Employee All-Star
‎Dec 6 2024 6:56 AM
‎Dec 6 2024 6:56 AM

Definitely not a definite No - particularly as shown (you only show part of the AutoVPN)   😁

But there may be other aspects of the wider solution - and particularly as it grows / develops - where you find one-armed VPN Concentrator better suited / more flexible.

One key aspect here is that, for Data Centre type environments, we generally build any new functionality for VPNC mode.   A good example historically would be BGP.

In response to GreenMan
Ash443
Conversationalist
‎Dec 8 2024 3:03 AM
‎Dec 8 2024 3:03 AM

Thanks, I will keep in mind on any functionality diff b/w deployment modes 

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Dec 6 2024 7:03 PM
‎Dec 6 2024 7:03 PM

I use routed mode 90% of the time.

 

You would probably would use One armed VPN concentrator mode if:

  • You have an existing firewall.
  • You have an HA Internet setup (using something like BGP failover)
  • You have a layer 3 network core
  • You need OSPF to exchange routes.

You would probably use routed/NAT mode if:

  • You can plug the MX into more than one Internet circuit so the MX can provide Internet HA itself.
  • You need to support clients behind the MX accessing the Internet, or you want to be able to apply Meraki group policies to those users.
Ash443
Conversationalist
‎Dec 8 2024 3:08 AM
‎Dec 8 2024 3:08 AM

Thanks Philip, I have deployed few in the routed mode and was wondering on VPNC mode as Meraki docs suggested as recommended mode for Hubs. 

0 Kudos
GIdenJoe
Kind of a big deal
Kind of a big deal
‎Dec 9 2024 11:37 AM
‎Dec 9 2024 11:37 AM

Most importantly:
If you have 2 DC's in active active where you have overlapping IP address space.
You know in cases your VM's must be able to migrate between DC's and are probably using something like VXLAN between your DC's then you only have the option to use Concentrator mode because in routed mode you cannot have overlapping IP space.

li.common.scroll-to.top
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.