I have a pair of MX450 hubs configured in routed mode, running in single-VLAN addressing mode. They have connectivity back to our L3 cores. This has worked well with a couple of test branch sites that only have MX67s.
Now I am planning to implement MX85s at approximately 20 branch sites. However, although the MX has a firewall, security requires that each branch site retain its existing Cisco firewall. While most sites have fiber with dual ISPs and /28 or /29 IP ranges, some sites have a primary ISP with a DSL or LTE backup.
Each site will have an L3 core. The Meraki will be used only for SD-WAN/AutoVPN spoke connectivity back to HQ. Internet for IoT/Guest will remain local and dump to the local ISP.
My primary questions concern where to logically place the Meraki. Should it be behind the firewall or parallel with the firewall? Is it possible to have an MX as a spoke in concentrator mode, or would it function better in routed mode?