Meraki

Community

Feature set limitations of one arm concentrators?

Solved
drizz_labs
Conversationalist
‎Apr 30 2024 8:59 AM
‎Apr 30 2024 8:59 AM

Feature set limitations of one arm concentrators?

Hey guys I'm trying to understand a design presented to me.

- 2x MX250 in HA as routed mode, sitting between edge router and core router in the DC

-- The routed mode HA pair will be performing the Unified Threat Management/Security for all the branch site traffic 

- 2x MX250 in HA as One Arm Concentrator mode hanging off the core router in the DC

-- The VPN concentrator pair will be aggregating all the auto-vpn tunnels for branch sites that use MX67s

Owner of this design is saying they were sold this solution because VPN concentrator pair can't do unified threat management, SDWAN, and other feature sets because it is in concentrator mode. Which is why they need a separate pair of MX to handle those feature sets.

I'm new to Meraki SDWAN, but does this design sound right/make sense? Can we accomplish this with just a single HA pair? Thank you for any insight! Incredibly Fancy and Highly Detailed DiagramIncredibly Fancy and Highly Detailed Diagram

 

1 Accepted Solution
Ryan_Miles
Meraki Employee
Meraki Employee
‎Apr 30 2024 9:18 AM
‎Apr 30 2024 9:18 AM

When in Concentrator mode the feature set is different. Details here.

That design is very typical and preferred/recommended in most cases. Concentrator mode historically has offered more capabilities from a route peering perspective vs. NAT mode. That gap is closing, but still you can run into interesting routing challenges when using NAT mode MX(s) as AutoVPN hubs.

The other advantage to this design is separation of duties with dedicated appliances for VPN aggregation and dedicated appliances for the the edge security. This can be advantageous for scalability and performance as well as offering another layer of resilience should any appliance fail or during firmware upgrades. For example upgrading the VPN hubs would not impact the edge appliances.

It really comes down to your specific design requirements to determine what's the best fit.

Ryan

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.

View solution in original post

3 Replies 3
cmr
Kind of a big deal
Kind of a big deal
‎Apr 30 2024 9:05 AM
‎Apr 30 2024 9:05 AM

The MX250s in routed mode could in theory perform all of the operations, do you have a lot of remote sites, or more than two routes from them to the core?  I ask as we use an HA pair in single ended mode for the SDWAN as we have 4 routes for remote sites to connect (2x MPLS and 2x internet).

If my answer solves your problem please click Accept as Solution so others can benefit from it.
Ryan_Miles
Meraki Employee
Meraki Employee
‎Apr 30 2024 9:18 AM
‎Apr 30 2024 9:18 AM

When in Concentrator mode the feature set is different. Details here.

That design is very typical and preferred/recommended in most cases. Concentrator mode historically has offered more capabilities from a route peering perspective vs. NAT mode. That gap is closing, but still you can run into interesting routing challenges when using NAT mode MX(s) as AutoVPN hubs.

The other advantage to this design is separation of duties with dedicated appliances for VPN aggregation and dedicated appliances for the the edge security. This can be advantageous for scalability and performance as well as offering another layer of resilience should any appliance fail or during firmware upgrades. For example upgrading the VPN hubs would not impact the edge appliances.

It really comes down to your specific design requirements to determine what's the best fit.

Ryan

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
ww
Kind of a big deal
Kind of a big deal
‎Apr 30 2024 9:50 AM
‎Apr 30 2024 9:50 AM

Is the MX250 routed mode in a seperate org. Could be they only using adv security license on that. And enterpise licence for the tunnel devices

 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.