We have begun the final part of the move to an SD-WAN environment from our current MPLS setup. We currently have all of our schools set up as spokes and the central office as the hub. The MXs at the schools are at the edge and it seems to be working very well. As we migrate our datacenter off of MPLS, I'm confused about the best practice. Can the Hub MX be the edge device for the datacenter and the rest of the central office users or should it only be in VPN concentrator mode with another type of edge device to handle the firewall duties? What's the best practice?





The biggest difference for AutoVPN is you will lose the ability to use OSPF and BGP when changing from concentrator to routed mode. This means all routing is either via static routes or directly connected routes on the DC firewall. Any failover between devices in the DC needs to be via warm spare or manually changing routes.

I've done both, and there isn't enough info to recommend one over the other.


Your DC environment, is it just a single VLAN?

If there are multiple VLANs what is doing the routing between them?

If you have a routing platform, does it exchange routes with anything else?


Are your spokes sitting in a nice superscope that can be summarised with a small number of static routes?


Are you going to have a pair of MXs for HA?

