Meraki

Community

MX H&S Design Best Practice

Solved
rahmad
Here to help
‎Feb 22 2020 5:13 AM
‎Feb 22 2020 5:13 AM

MX H&S Design Best Practice

Hi everyone,

 

 

I'm fairly new with Meraki and have question regarding design best practice.

Here is simple diagram for my deployment plan.

rahmad_1-1582375677666.png

Pair of MX 250 will be hub and deployed in routed mode with public IP.

There will be +- 200 branch, all with same overlapping subnet user. My plan is to translate those subnet to something summarizable (10.0.1.0/24,10.0.2.0/24....) and from core perspective i will just add static route with branch summary address pointing to the MX.

 

My questions is :

1. With diagram above, is it fine to deploy vpn concentrator on routed mode ? since i have read the documentation best practice to use passthrough mode for vpn concentrator and i'm still not clear what is the downside for using routed mode

2. Do i need to use virtual IP in MX 250 HA pair ? what is the downside of using same uplink IP ?

 

Any recommendation is appreciated, thank you.

 

Regards,

Rahmad

0 Kudos
1 Accepted Solution
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Feb 22 2020 5:00 PM
‎Feb 22 2020 5:00 PM

>1. With diagram above, is it fine to deploy vpn concentrator on routed mode ?

 

Yes.  I most frequently use this deployment method because it means I can use dual WAN circuits at the head end for failover.  Typically I get a cheap domestic grade Internet circuit to plug the second WAN2 ports in.  It's cheap insurance.  It also allows you to configure SD-WAN at the DC end.  Sometimes you would prefer to have bulk traffic use the cheap domestic circuit and save your primary circuit for traffic that you care about.

 

>2. Do i need to use virtual IP in MX 250 HA pair ? what is the downside of using same uplink IP ?

 

No.  When only doing AutoVPN I mostly don't.  If the primary MX fails all the spokes will automatically rebuild to the spare.

If you have plenty of free IP addresses then go for it.  VIP reduces failover time a little bit - but primary MX failure should be a rare event.  I would not complicate the design for something that is a 1 in 5 year event to say 15s.

 

VIP is more important when you are doing NAT as you want inbound sessions to continue to work regardless of which MX is in use.

View solution in original post

7 Replies 7
cmr
Kind of a big deal
Kind of a big deal
‎Feb 22 2020 3:32 PM
‎Feb 22 2020 3:32 PM

  • Concentrator mode doesn't do NAT and a few other things so load on device is lighter than routed mode.  Depending on bandwidth and activity of devices the extra load might be fine for an MX250 as it is pretty powerful.  Look at the data sheets to compare throughput data.  Also best in mind that having the remote sites as spokes is the lowest load.
  • Translating subnets will add load, can the remote sites not use different subnets?
  • Using virtual IP makes failover smoother as the virtual IP is used for traffic and is held by whichever MX is currently master.  If you use uplink IP then failover can often be disruptive with ongoing conversations and tunnels needing to reconnect etc.
If my answer solves your problem please click Accept as Solution so others can benefit from it.
In response to cmr
rahmad
Here to help
‎Feb 22 2020 8:31 PM
‎Feb 22 2020 8:31 PM

Ahh, i got it now, thank you for your explanation.

And about the subnet, we can't change existing subnet because application and stuff. We will translate only 2 /24 subnet for each branch, is that too much for MX64 ?

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Feb 22 2020 5:00 PM
‎Feb 22 2020 5:00 PM

>1. With diagram above, is it fine to deploy vpn concentrator on routed mode ?

 

Yes.  I most frequently use this deployment method because it means I can use dual WAN circuits at the head end for failover.  Typically I get a cheap domestic grade Internet circuit to plug the second WAN2 ports in.  It's cheap insurance.  It also allows you to configure SD-WAN at the DC end.  Sometimes you would prefer to have bulk traffic use the cheap domestic circuit and save your primary circuit for traffic that you care about.

 

>2. Do i need to use virtual IP in MX 250 HA pair ? what is the downside of using same uplink IP ?

 

No.  When only doing AutoVPN I mostly don't.  If the primary MX fails all the spokes will automatically rebuild to the spare.

If you have plenty of free IP addresses then go for it.  VIP reduces failover time a little bit - but primary MX failure should be a rare event.  I would not complicate the design for something that is a 1 in 5 year event to say 15s.

 

VIP is more important when you are doing NAT as you want inbound sessions to continue to work regardless of which MX is in use.

In response to PhilipDAth
rahmad
Here to help
‎Feb 22 2020 8:48 PM
‎Feb 22 2020 8:48 PM

Thank you for your answer.

Do you have any performance issue for deploying with diagram above for large scale deployment ? we will do split tunnel so we expect MX250 to handle VOIP traffic and some internal apps stuff.
0 Kudos
In response to rahmad
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Feb 23 2020 12:59 AM
‎Feb 23 2020 12:59 AM

With 200 branches you wont have any issues.

 

This is the sizing guide.

https://meraki.cisco.com/lib/pdf/meraki_whitepaper_mx_sizing_guide.pdf 

In response to PhilipDAth
cmr
Kind of a big deal
Kind of a big deal
‎Feb 23 2020 2:14 AM
‎Feb 23 2020 2:14 AM

The utility of the virtual IP is limited in SD-WAN, but it reduces the downtime to near zero when doing a firmware upgrade as well, which as we have been using the 15.x train that is currently on its 26th iteration for our 24/7 operation, I'd personally never go non HA with virtual IP!

If my answer solves your problem please click Accept as Solution so others can benefit from it.
In response to PhilipDAth
rahmad
Here to help
‎Feb 23 2020 3:11 AM
‎Feb 23 2020 3:11 AM

Thank you for your answer 😀

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.