I have an MX450 configured as a wireless concentrator (passthrough or VPN concentrator) with the Internet port connected to a switch on a VLAN that has the Meraki VIP and an L2 trunk port connected to a router with dot1Q sub-interfaces. Wireless clients are placed into a VLAN via ISE policy or SSID policy and use the L2 trunk where that VLAN is allowed on the router side. This would not be a one-armed setup.
Would I be able to use this same MX450 in its current passthrough or VPN concentrator mode to also terminate auto-VPN tunnels as a hub? Would the unencrypted VPN tunnel traffic just be routed back out the same port that the encrypted tunnel terminated on? This would be one-armed for VPN if it is possible. I'm thinking S2S VPN is not capable of having traffic placed in certain VLANs via policy matching the peer device (departmentA or departmentB).
If this is possible, I am considering multi-vrf with PbR on the attached Cisco switch to place the traffic in proper MPLS VPNs (VRFs) based on source IP of traffic from the remote location as the MX routes it back out unencrypted. I would assume wireless traffic would still be placed in the proper VLAN and work as it currently does out the L2 trunk port.