Meraki

Community

Data Center design question

Colin1
Conversationalist
‎May 9 2019 1:18 PM
‎May 9 2019 1:18 PM

Data Center design question

Hi all, new to Meraki but have been doing network design for some time. After reading the documentation I am still confused on how to move forward on the data center.  We are mostly cloud based for infrastructure. The "Data Center" will have minimal kit and basically be a few circuits and our cloud Direct Connect and maybe some domain controllers. Our budget is limited so I would like the MX to still be able to use the firewall IDS/IPS capability while acting as the SD-WAN VPN Concentrator. I find that information is a little lacking. I was thinking of something like below with the MX in NAT mode concentrator mode, would that work for our minimal needs?

 

0 Kudos
5 Replies 5
PhilipDAth
Kind of a big deal
Kind of a big deal
‎May 9 2019 1:45 PM
‎May 9 2019 1:45 PM

You have a number of choices.

 

You could run the MX250's in NAT mode (just like a branch).  This lets you use IPS and content fitlering.  This is the approach I use the most.  Note that dynamic routing protocols are mostly disabled in this configuration - but you should only need a default route pointing towards them from Cisco switch core.

 

You could run the MX250's in passthrough mode.  It acts like a layer 2 bridge in this case.  You can still do IPS and content filtering.

https://documentation.meraki.com/MX/Networks_and_Routing/Passthrough_Mode_on_the_MX_Security_Applian...

 

If you use VPN concentrator mode the MXs run "on a stack" and you loose most security capabilities.  They basically just do VPN concentration.

https://documentation.meraki.com/MX/Deployment_Guides/VPN_Concentrator_Deployment_Guide

In response to PhilipDAth
Colin1
Conversationalist
‎May 9 2019 1:58 PM
‎May 9 2019 1:58 PM

So a MX in routed mode will still allow the active-active SD-WAN connectivity? My interpretation made it seem like you needed a VPN concentrator. If that's the case your first option would make the most sense with the added bonus of not actually needing the ISRs on the outside as we just need a static route to our ISP and the MX would handle the NAT.

0 Kudos
In response to Colin1
PhilipDAth
Kind of a big deal
Kind of a big deal
‎May 9 2019 2:02 PM
‎May 9 2019 2:02 PM

>So a MX in routed mode will still allow the active-active SD-WAN connectivity?

 

You will get active/active between the two WAN ports (as long as they are in different subnets) - yes.  Typically you would have each WAN port connected to a different ISP.

In fact, tyhe SD-WAN capabilities are strongest when using NAT mode.

0 Kudos
In response to PhilipDAth
PhilipDAth
Kind of a big deal
Kind of a big deal
‎May 9 2019 2:03 PM
‎May 9 2019 2:03 PM

ps. I often use a single "premium" ISP connection for one WAN connection, and a second cheap ISP connection as a backup.

You really want to use active/active I would lean towards using two premium connections.

0 Kudos
In response to PhilipDAth
Colin1
Conversationalist
‎May 9 2019 2:08 PM
‎May 9 2019 2:08 PM

Yeah the plan was a DIA type circuit with primary and a business class broadband as secondary but would like to achieve active active if possible, with dedicated VoIP and corporate traffic over the DIA and normal Internet surfing off the broadband.

Thanks much for the help.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.