Data Center One Armed Design and Security


I was designing a data center following Meraki's recommendation.

https://documentation.meraki.com/MX/Deployment_Guides/VPN_Concentrator_Deployment_Guide


It is a one-armed VPN concentrator design, on which I turned on OSPF to advertise routes dynamically.


Now I just wonder if all the servers in the DC, which are on a different VLAN from the Meraki MX, are still protected by the MX's content filtering and traffic shaping.

[Image: One-Armed MX Design.jpg (One-Armed VPN Concentrator)]

Ben
Building a reputation

Re: Data Center One Armed Design and Security

I would assume they are protected by the Cisco ASA in the topology.


Kind of a big deal

Re: Data Center One Armed Design and Security

Not really. Once an MX is in concentrator mode it'll only ever see VPN traffic that needs to pass through it. You'll still want to have another security device that catches the non-VPN traffic for policy enforcement.


Getting noticed

Re: Data Center One Armed Design and Security

If I don't need any advanced security features, then I will need to get an Enterprise license instead, right?

Head in the Cloud

Re: Data Center One Armed Design and Security

Only two options are available (Enterprise vs. Advanced), but keep in mind that it's org-wide, so if you commit to Advanced, then all your future MX purchases will need an Advanced license.
Nolan Herring | nolanwifi.com
Getting noticed

Re: Data Center One Armed Design and Security

That's what I found, and it is VERY, VERY annoying. For the data center class MX, the price difference is over 10K for a 5-year license.

Head in the Cloud

Re: Data Center One Armed Design and Security

(Accepted solution) You can use a separate ORG to separate the license portion, but I know what you mean. It does seem silly.
Nolan Herring | nolanwifi.com
Kind of a big deal

Re: Data Center One Armed Design and Security

>You can use a separate ORG to separate the license portion but I know what you mean. It does seem silly


Not if you also want to use AutoVPN ...

Head in the Cloud

Re: Data Center One Armed Design and Security

Correct, Phil.

Was just referring to his gripe about the licensing model being ORG-wide, as this was something I also found out the hard way =(

For reference if you need it @Happiman

https://documentation.meraki.com/MX/Site-to-site_VPN/Configuring_Site-to-site_VPN_between_MX_Applian...

Nolan Herring | nolanwifi.com
Getting noticed

Re: Data Center One Armed Design and Security

Tech support seems happy to know that I was wasting money when I was using the recommended design, and there was no response after my last question.

[Image: MX techsupport.jpg]

Kind of a big deal

Re: Data Center One Armed Design and Security

@Happiman You do know that you can terminate VPNs on an MX while it's in routed mode, yes? You do not have to put it in concentrator mode just to do VPN.

Getting noticed

Re: Data Center One Armed Design and Security

Yes, I used to use the routed mode, but to make the route advertisement more dynamic with OSPF, as Meraki recommends, I will use the concentrator mode.

Kind of a big deal

Re: Data Center One Armed Design and Security

@Happiman OK, but you can also use OSPF in routed mode (as long as you don't have VLANs enabled).

Getting noticed

Re: Data Center One Armed Design and Security

Yes, but it's all about the data center design. As we all know, Meraki lacks many advanced firewall/VPN features, such as policy NAT for VPN, etc., so I cannot use it the way I use the ASA in the DC. Its role remains that of an AutoVPN termination point in the data center.