We have begun the final part of the move to an SD-WAN environment from our current MPLS setup. We currently have all of our schools set up as spokes and the central office as the hub. The MXs at the schools are at the edge and it seems to be working very well. As we migrate our datacenter off of MPLS, I'm confused about the best practice. Can the Hub MX be the edge device for the datacenter and the rest of the central office users, or should it only be in VPN concentrator mode with another type of edge device to handle the firewall duties? What's the best practice?
The biggest difference for AutoVPN is that you will lose the ability to use OSPF and BGP when changing from concentrator to routed mode. This means all routing is either via static routes or directly connected routes on the DC firewall. Any failover between devices in the DC needs to be via warm spare or manually changing routes.