MX H&S Design Best Practice

SOLVED
rahmad
Here to help


Hi everyone,

I'm fairly new to Meraki and have a question regarding design best practice.

Here is a simple diagram of my deployment plan.

[deployment diagram image]

A pair of MX 250s will be the hub, deployed in routed mode with a public IP.

There will be roughly 200 branches, all with the same overlapping user subnets. My plan is to translate those subnets to something summarizable (10.0.1.0/24, 10.0.2.0/24, ...) and, from the core perspective, I will just add a static route for the branch summary address pointing to the MX.

My questions are:

1. With the diagram above, is it fine to deploy the VPN concentrator in routed mode? I have read in the documentation that the best practice is to use passthrough mode for a VPN concentrator, and I'm still not clear what the downside of using routed mode is.

2. Do I need to use a virtual IP in the MX 250 HA pair? What is the downside of using the same uplink IP?

Any recommendation is appreciated, thank you.

Regards,

Rahmad
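An added sanity check for the translation-and-summary plan described in this post and the later follow-up about translating 2 /24s per branch (example code, not from the original thread). It carves one /24 per overlapping branch LAN from a 10.0.0.0/8 pool starting at 10.0.1.0/24 as the post proposes, derives the single summary route the core would need, and flags duplicate assignments or collisions with a hub-side LAN; the branch LANs (192.168.1.0/24, 192.168.2.0/24) and the hub LAN (10.10.0.0/16) are constructed values, not from the thread.

```python
import ipaddress
from typing import Dict, List

IPv4Net = ipaddress.IPv4Network

# Constructed example values: every branch uses the same two overlapping LANs,
# so each (branch, LAN) pair gets its own /24 taken sequentially from the pool.
BRANCH_LANS = [IPv4Net("192.168.1.0/24"), IPv4Net("192.168.2.0/24")]
POOL = IPv4Net("10.0.0.0/8")                 # translated /24s are carved from here
FIRST_TRANSLATED = IPv4Net("10.0.1.0/24")    # 10.0.1.0/24, 10.0.2.0/24, ... as in the post
HUB_LANS = [IPv4Net("10.10.0.0/16")]          # constructed hub-side LAN behind the core


def plan_translations(num_branches: int, lans_per_branch: int) -> Dict[str, List[IPv4Net]]:
    """Map each branch to its translated /24s (one per overlapping branch LAN)."""
    base = int(FIRST_TRANSLATED.network_address)
    plan: Dict[str, List[IPv4Net]] = {}
    k = 0
    for i in range(1, num_branches + 1):
        nets = []
        for _ in range(lans_per_branch):
            net = IPv4Net((base + k * 256, 24))   # k-th /24 after FIRST_TRANSLATED
            if not net.subnet_of(POOL):
                raise ValueError(f"pool {POOL} exhausted at branch {i}")
            nets.append(net)
            k += 1
        plan[f"branch-{i:03d}"] = nets
    return plan


def summary_route(plan: Dict[str, List[IPv4Net]]) -> IPv4Net:
    """Smallest single prefix covering every translated /24: the static route the core needs."""
    nets = [n for nets in plan.values() for n in nets]
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()   # widen by one bit until everything fits
    return summary


def check_plan(plan: Dict[str, List[IPv4Net]], hub_lans: List[IPv4Net]) -> List[str]:
    """Report defects: a /24 assigned twice, or a translated prefix / the summary
    route colliding with a hub-side LAN (the core's routing would be ambiguous)."""
    problems: List[str] = []
    seen = set()
    for branch, nets in plan.items():
        for n in nets:
            if n in seen:
                problems.append(f"{branch}: {n} assigned twice")
            seen.add(n)
            problems += [f"{branch}: {n} overlaps hub LAN {lan}" for lan in hub_lans if n.overlaps(lan)]
    summary = summary_route(plan)
    problems += [f"summary {summary} overlaps hub LAN {lan}" for lan in hub_lans if summary.overlaps(lan)]
    return problems
```

For 200 branches with two LANs each the plan needs 400 /24s and summarizes to a single 10.0.0.0/15 static route at the core.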

1 ACCEPTED SOLUTION
PhilipDAth
Kind of a big deal

> 1. With diagram above, is it fine to deploy vpn concentrator on routed mode ?

Yes. I most frequently use this deployment method because it means I can use dual WAN circuits at the head end for failover. Typically I get a cheap domestic-grade Internet circuit to plug into the second (WAN2) port. It's cheap insurance. It also allows you to configure SD-WAN at the DC end. Sometimes you would prefer to have bulk traffic use the cheap domestic circuit and save your primary circuit for traffic that you care about.

> 2. Do i need to use virtual IP in MX 250 HA pair ? what is the downside of using same uplink IP ?

No. When only doing AutoVPN I mostly don't. If the primary MX fails, all the spokes will automatically rebuild to the spare.

If you have plenty of free IP addresses then go for it. VIP reduces failover time a little bit, but a primary MX failure should be a rare event. I would not complicate the design for something that is a 1-in-5-year event to save, say, 15s.

VIP is more important when you are doing NAT, as you want inbound sessions to continue to work regardless of which MX is in use.


7 REPLIES
cmr
Kind of a big deal

  • Concentrator mode doesn't do NAT and a few other things, so the load on the device is lighter than in routed mode. Depending on bandwidth and activity of devices, the extra load might be fine for an MX250 as it is pretty powerful. Look at the data sheets to compare throughput data. Also bear in mind that having the remote sites as spokes is the lowest load.
  • Translating subnets will add load; can the remote sites not use different subnets?
  • Using a virtual IP makes failover smoother, as the virtual IP is used for traffic and is held by whichever MX is currently master. If you use the uplink IP then failover can often be disruptive, with ongoing conversations and tunnels needing to reconnect etc.
rahmad
Here to help

Ahh, I got it now, thank you for your explanation.

And about the subnets: we can't change the existing subnets because of applications and stuff. We will translate only 2 /24 subnets for each branch; is that too much for an MX64?

Thank you for your answer.

Do you have any performance issues deploying with the diagram above for a large-scale deployment? We will do split tunnel, so we expect the MX250 to handle VoIP traffic and some internal app stuff.
PhilipDAth
Kind of a big deal

With 200 branches you won't have any issues.

This is the sizing guide.

https://meraki.cisco.com/lib/pdf/meraki_whitepaper_mx_sizing_guide.pdf

cmr
Kind of a big deal

The utility of the virtual IP is limited in SD-WAN, but it also reduces the downtime to near zero when doing a firmware upgrade, which, as we have been using the 15.x train (currently on its 26th iteration) for our 24/7 operation, means I'd personally never go non-HA with virtual IP!

Thank you for your answer 😀
