MX 100 VPN

Adam
Kind of a big deal

At the core of our network we have a single MX100.  As we start to have more branch sites (mostly using MX64's or MX84's) we are considering adding a second MX100 or possibly an MX250 and pointing part of the sites to that as another hub.  Would this be a good design?  What alternatives do you recommend.  I don't see the value in going to redundant MX400's yet since we aren't necessarily that large and would be quite a bit more costly since we already have a production MX100.  Thanks for any feedback.  

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
MilesMeraki
Head in the Cloud

Depending on your requirements, having redundant VPN hubs could provide added redundancy in case of a VPN or site failure. Why not look at deploying 2 MX100s in HA with 2 WAN uplinks to add redundancy?

Eliot F | Simplifying IT with Cloud Solutions
Found this helpful? Give me some Kudos! (click on the little up-arrow below)
Adam
Kind of a big deal

If using HA are they both active or is one passive?

PhilipDAth
Kind of a big deal

Normally they are active/standby.  This scenario is very popular because you don't have to buy a licence for the standby unit - just the hardware.  This configuration is also very simple and robust.
You can do active/active (in which case you do need to buy a licence for both units), but it is a lot more complicated.  You have to enable dynamic routing using OSPF.  You have to have an OSPF network core.  Also, the head ends cannot be directly attached to the same subnet, so you normally have to introduce stub network connections for the head ends.
Also, the MS250 is considerably more powerful than an MX400 (and cheaper).  No one should be buying new MX400s for new Meraki deployments now.  Only those already with an MX400 and wanting a standby should be buying them.

PhilipDAth
Kind of a big deal

My advice - get a standby MX100 (you only need to buy hardware).

When you get to 200 sites (assuming each site has a single VPN back to the MX100), then consider upgrading to a pair of MX250s.

Adam
Kind of a big deal

I don't think sites would be as much of an issue as clients.  Each of my sites can have between 10-50 clients.  I'm worried about hitting that limit on the MX100 far before the VPN connections limit. Thoughts?

PhilipDAth
Kind of a big deal

The limit is for clients behind the MX (such as on the local LAN) and not on remote sites.  And it is not so much a limit as an indication of how much capacity the box has to handle the workload offered.

Adam
Kind of a big deal

Right, but once one site Auto VPNs to the core, isn't the core inheriting all of those clients?  Aside from maybe any traffic that is routing directly out the local MX.

PhilipDAth
Kind of a big deal

By default the MX is set to track clients by MAC address.  It can only see the MAC address of local clients.  It does not see the MAC address of remote clients.
You can change the default in "Security Appliance/Addressing & VLANs/Client tracking" to track by IP address instead.  If you did this, then you might need to give additional consideration to the size of the box.

https://documentation.meraki.com/MX-Z/Monitoring_and_Reporting/Client_Tracking_Options