Hi,
Quick question on how to design and deploy this: when you have a VPN concentrator in a DC, and each branch and the data centres have an MPLS and an Internet link each, do you still configure the VPN concentrator with 1 uplink interface, so that it forms 2 tunnels to each branch over this 1 interface, or do you configure 2 interfaces (i.e. one for the Internet tunnel and one for the MPLS tunnel)?
Seems to me only 1 is required, but I just want some confirmation.
Both options are valid.
Cisco Meraki's recommended design uses the single interface at the DC.
I personally do my deployments using 2 interfaces so I have greater control over SD-WAN functionality at the DC end.
You are most likely interested in this design:
https://documentation.meraki.com/MX/Site-to-site_VPN/Configuring_Site-to-site_VPN_over_MPLS
>I personally do my deployments using 2 interfaces so I have greater control over SD-WAN functionality at the DC end.
What do you mean exactly by greater control? Is there any specific configuration/routing needed with 2 interfaces on the VPN concentrator MX?
>what do you mean exactly with greater control?
When you use dual interfaces you can use SD-WAN performance classes.
So you can do things like tell VoIP to use the best performing path, or use one path for sensitive or critical traffic and another for bulk traffic (perhaps large file transfers or file sharing).
It also means if the primary path fails the system can recover without any human intervention.
OK, I understand that! And how should I imagine the configuration for this on the "one-armed" VPN concentrator and/or the upstream device (e.g. a Layer 3 switch)?
>And how do I imagine the configuration for this on the "one-armed" VPN
When you are using one-armed mode you can only use a single interface. So if you use dual interfaces you can not use one-armed mode.
So you're talking about the design called "Routed mode Concentrator"... or in other words an HQ/DC where no routed core exists?! Because the link you referenced in one of your previous answers shows the VPN concentrator as one-armed...
If you have many subnets to advertise from your data center, one-arm concentrator mode is useful. After all, you will run OSPF and form neighbors between the MX and your edge firewall.
Note that OSPF in one-armed mode cannot listen for or learn OSPF routes. It can only advertise AutoVPN routes.