I was designing a data center following Meraki's recommendation:
https://documentation.meraki.com/MX/Deployment_Guides/VPN_Concentrator_Deployment_Guide
It is a one-armed VPN concentrator design, on which I turned on OSPF to advertise routes dynamically.
Now I just wonder if all the servers in the DC, which are on a different VLAN from the Meraki MX, are still protected by the MX's content filtering and traffic shaping.
I would assume they are protected by the Cisco ASA in the topology.
Not really. Once an MX is in concentrator mode, it'll only ever see VPN traffic that needs to pass through it. You'll still want another security device that catches the non-VPN traffic for policy enforcement.
If I don't need any advanced security features, then I will need to get an Enterprise license instead, right?
That's what I found, and it is VERY, VERY annoying. For the data center class MX, the price difference is over 10K for a 5-year license.
>You can use a separate ORG to separate the license portion but I know what you mean. It does seem silly
Not if you also want to use AutoVPN ...
Correct Phil
Was just referring to his gripe about the licensing model being ORG-wide, as this was something I also found out the hard way =(
For reference if you need it @Happiman
Tech support seems happy to know that I was wasting money when I was using the recommended design, and there has been no response after my last question.
@Happiman You do know that you can terminate VPNs on an MX while it's in routed mode, yes? You do not have to put it in concentrator mode just to do VPN.
Yes, I used to use the routed mode, but to make the route advertisement more dynamic with OSPF, as Meraki recommends, I will use the concentrator mode.
@Happiman OK, but you can also use OSPF in routed mode (as long as you don't have VLANs enabled).
Yes, but it's all about the data center design. As we all know, Meraki lacks many advanced firewall/VPN features, such as policy NAT VPN, etc., so I cannot use it the way I use the ASA in the DC. Its role remains that of an AutoVPN termination point in the data center.