Data Center One Armed Design and Security

Happiman
Building a reputation

I was designing a data center following Meraki's recommendation.

https://documentation.meraki.com/MX/Deployment_Guides/VPN_Concentrator_Deployment_Guide

It is the one-armed VPN concentrator method, on which I turned on OSPF to advertise routes dynamically.

Now I just wonder if all the servers in the DC, which are on a different VLAN from the Meraki MX, are still protected by the MX's content filtering and traffic shaping.

13 Replies
Ben
A model citizen

I would assume they are protected by the Cisco ASA in the topology.

jdsilva
Kind of a big deal

Not really. Once an MX is in concentrator mode it'll only ever see VPN traffic that needs to pass through it. You'll still want to have another security device that catches the non-VPN traffic for policy enforcement. 

Happiman
Building a reputation

If I don't need any advanced security feature, then I will need to get an Enterprise license instead, right?

NolanHerring
Kind of a big deal

Only two options are available (Enterprise vs. Advanced), but keep in mind that it's org-wide, so if you commit to Advanced, then all your future MX purchases will need an Advanced license.
Nolan Herring | nolanwifi.com
Happiman
Building a reputation

That's what I found, and it is VERY, VERY annoying. For the data center class MX, the price difference is over 10K for a 5-year license.

NolanHerring
Kind of a big deal

You can use a separate ORG to separate the license portion, but I know what you mean. It does seem silly.
Nolan Herring | nolanwifi.com
PhilipDAth
Kind of a big deal

>You can use a separate ORG to separate the license portion but I know what you mean. It does seem silly

Not if you also want to use AutoVPN ...

NolanHerring
Kind of a big deal

Correct Phil

I was just referring to his gripe about the licensing model being ORG-wide, as this was something I also found out the hard way =(

For reference if you need it @Happiman

https://documentation.meraki.com/MX/Site-to-site_VPN/Configuring_Site-to-site_VPN_between_MX_Applian...

Nolan Herring | nolanwifi.com
Happiman
Building a reputation

Tech support seems happy to know that I was wasting money when I was using the recommended design, and there has been no response after my last question.

jdsilva
Kind of a big deal

@Happiman You do know that you can terminate VPNs on an MX while it's in routed mode, yes? You do not have to put it in concentrator mode just to do VPN.

Happiman
Building a reputation

Yes, I used to use the routed mode, but to make the route advertisement more dynamic with OSPF, as Meraki recommends, I will use the concentrator mode.

jdsilva
Kind of a big deal

@Happiman OK, but you can also use OSPF in routed mode (as long as you don't have VLANs enabled).

Happiman
Building a reputation

Yes, but it's all about the data center design. As we all know, Meraki lacks many advanced firewall/VPN features, such as policy NAT VPN etc., so I cannot use it as I use the ASA in the DC. Its role remains as an AutoVPN termination point in the data center.
