Team I have a rather simple question, I have to design a network with about 100 branch office environments, but the client is pushing back to the Security appliance due to reduction of available budget.
Is there anyway I can design the branch environments, which they will route traffic through an Ethernet Virtual Private Line to the clients Data Center, and from there terminate the APs on the Cloud for configuration management and analytics? Without utilizing an MX appliance in each one of their locations?
I can definitely utilize the APs capabilities for some security and obviously will not have all the functionality from the MX but is it doable?
Maybe have MXs only on the Data Centers? and from there break out to the internet for the Cloud Controller functionality?
Any input here?
I have never heard of anyone using EVPL for a branch network of this scale. This sounds unusual.
EVPL is a point to point Ethernet service. So you will probably have a VLAN per site presented to the data centre. You will want a layer 3 switch that can support a large number of MAC addresses. You would create a layer 3 interface per site on your core switch. I would consider an MS350, MS410 or MS425 series switch. Of course, you really should have a pair for redundancy (and form a stack).
Note I have never tried creating 100 layer 3 interfaces on Meraki switches before. You would need to verify with your local Meraki rep what the maximum number of layer 3 interfaces are supported on the model of switch you end up going for.
Now that still leaves the branches. You could plug the EVPL into a layer 2 switch. This will limit you to a single VLAN at each site. All traffic will be bridged over the EVPL back to the layer 3 interfaces on the core MS350/MS410/MS425 switches. Suitable switches might be the MS120 or MS210 series.
Another option would be instead of having the layer 3 default gateway of each site back at the DC, to instead using a layer 3 switch at each branch, and do the default gateway processing there. Then just use the EVPL network as a "stub" to connect back to the core network. At 100 sites you would want to be using OSPF, which means you would need a minimum of an MS250 switch (lowest end switch with OSPF support). Having a local layer 3 switch would also allow you to create multiple networks at each branch (for example, data, voip, guest, etc). However the solution may now cost more than putting in an MX ...
This now gets all your branch traffic back to the DC. From here the DC would default route it back to a redundant pair of MX units, and out to the Internet.
The AP's, now implicitly, can access the Internet and connect to the cloud.
Also note that the MX will not see the MAC addresses in this routed layer 3 approach. You will have to change it to track by IP address, and the accuracy will be greatly reduced if the branches use DHCP.
However the switches would see the MAC addresses for layer 2 visibility.
On the remote locations I will be replacing CIsco WLAN gear with the Meraki architecture. There is already a switch and routes back to one of my 7 DCs.
I guess my question becomes the following, with Switch changes, in regards to VLAN and DHCP scope for those APs to grab IPs, do I have to have an MX in each branch? or I can have MX's on the DCs, and then I can get my security from the DC since I will be going out to internet from the DCs through an Internet break out circuit?
I think you should engage a Cisco partner. It is clear you have a network with a lot of complexity.
Are you able to put the AP's at each branch into a single VRF that goes back to your DC's, and default route that via a central MX and out to the Internet? If so, then yes.