Data centre SD-WAN VPN concentrator design with MPLS and Internet

Solved
Jonesaus
Conversationalist

Hi,

Quick question on how to design and deploy this: when you have a VPN concentrator in a DC, and each branch and the data centres each have an MPLS and an Internet link, do you still configure the VPN concentrator with 1 uplink interface, so it forms 2 tunnels to each branch over this 1 interface, or do you configure 2 interfaces (i.e. one for the Internet tunnel and one for the MPLS tunnel)?

It seems to me only 1 is required, but I just want some confirmation.


1 Accepted Solution
PhilipDAth
Kind of a big deal

Both options are valid.

Cisco Meraki's recommended design uses the single interface at the DC.

I personally do my deployments using 2 interfaces so I have greater control over SD-WAN functionality at the DC end.

You are most likely interested in this design:

https://documentation.meraki.com/MX/Site-to-site_VPN/Configuring_Site-to-site_VPN_over_MPLS

9 Replies
whistleblower
Building a reputation

@PhilipDAth

> I personally do my deployments using 2 interfaces so I have greater control over SD-WAN functionality at the DC end.

What do you mean exactly by greater control? Is there any specific configuration/routing needed with 2 interfaces on the VPN concentrator MX?

PhilipDAth
Kind of a big deal

>what do you mean exactly with greater control?

When you use dual interfaces you can use SD-WAN performance classes.

https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/MX_Load_Balancing_and_Flow_Preferen... 

So you can do things like tell VoIP to use the best performing path, or use one path for sensitive or critical traffic and another for bulk traffic (perhaps large file transfers or file sharing).

It also means if the primary path fails the system can recover without any human intervention.
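To make the path-selection behaviour described above concrete, here is an added toy model of the decision a dual-uplink concentrator makes per flow (example code, not from this thread or from Meraki; the uplink names, the latency/jitter/loss thresholds and the probe values are constructed for illustration):

```python
# Added example: toy SD-WAN flow-preference logic for a DC concentrator with
# two uplinks (MPLS and Internet). A flow names a preferred uplink and may
# carry a performance class (latency/jitter/loss limits). The preferred
# uplink is used while it is up and within limits; otherwise the flow moves
# to another uplink that meets them, and if none does, to any uplink that is
# simply up, so recovery after a path failure needs no human intervention.
# The policy order and all numbers are constructed assumptions.
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class PathStats:
    up: bool
    latency_ms: float
    jitter_ms: float
    loss_pct: float


@dataclass
class PerfClass:
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float

    def meets(self, s: PathStats) -> bool:
        """True when the path is up and within every threshold."""
        return (s.up and s.latency_ms <= self.max_latency_ms
                and s.jitter_ms <= self.max_jitter_ms
                and s.loss_pct <= self.max_loss_pct)


def choose_path(preferred: str, perf: Optional[PerfClass],
                paths: Dict[str, PathStats]) -> Optional[str]:
    """Return the uplink a flow should take, or None if every path is down."""
    order = [preferred] + [p for p in paths if p != preferred]
    for name in order:                      # first pass: honour the class
        s = paths[name]
        if perf is None and s.up:
            return name
        if perf is not None and perf.meets(s):
            return name
    for name in order:                      # second pass: anything still up
        if paths[name].up:
            return name
    return None


# Constructed probe results: MPLS is up but lossy, Internet is clean.
VOIP = PerfClass(max_latency_ms=150, max_jitter_ms=30, max_loss_pct=1.0)
PROBES = {"MPLS": PathStats(True, 20, 2, 5.0),
          "Internet": PathStats(True, 40, 8, 0.2)}
```

Calling `choose_path("MPLS", VOIP, PROBES)` moves VoIP to the Internet tunnel because MPLS exceeds the loss limit, while a bulk flow preferring Internet with no class stays there.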

whistleblower
Building a reputation

OK, I understand that! And how should I imagine the configuration for this on the "one-armed" VPN concentrator and/or the upstream device (e.g. a Layer 3 switch)?

PhilipDAth
Kind of a big deal

> And how do I imagine the configuration for this on the "one-armed" VPN

When you are using one-armed mode you can only use a single interface. So if you use dual interfaces you cannot use one-armed mode.

whistleblower
Building a reputation

So you're talking about the design called "Routed mode Concentrator"... or in other words an HQ/DC where no routed core exists?! Because the link you referenced in one of your previous answers shows the VPN concentrator as one-armed...

DN
Here to help

Agreed with @PhilipDAth, I would go for the same option in this case.

Happiman
Building a reputation

If you have many subnets to advertise from your data center, one-arm concentrator mode is useful. After all, you will run OSPF and form neighbors between the MX and your edge firewall.

PhilipDAth
Kind of a big deal

Note that OSPF in one-armed mode cannot listen for or learn OSPF routes. It can only advertise AutoVPN routes.
