Meraki

Community

MX in a core site

Solved
TBee
Here to help
‎Jun 20 2023 4:12 AM
‎Jun 20 2023 4:12 AM

MX in a core site

I have quoted a Meraki MX SD-WAN solution for a customer. For 1 remote site and one central site.

                1 x MX67 at the remote site

                2 x MX105 at the core site. (HA Pair)

 

The customer is planning on adding more sites on to the SD-WAN over the coming year, total maximum of 7-8 remote sites.

 

I know that Meraki have a recommended best proactive for the core site to have a Meraki MX as a Concentrator behind a separate firewall, but does this have to be the case?

               Could the core the central site have a pair of MX’s (HA), functioning as a Firewall and terminating the 7-8 VPN tunnels from their remote sites. Without needing to adopt the Split MX responsibility of Firewall and Concentrator?

0 Kudos
1 Accepted Solution
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jun 20 2023 11:13 AM
‎Jun 20 2023 11:13 AM

There is no problem with using an HA pair in "routed" mode as an AutoVPN hub.  I do 99.9% of my deployments this way.  I have one customer with 250 or so spokes using this style of configuration.

View solution in original post

4 Replies 4
Madhan_kumar_G
Getting noticed
‎Jun 20 2023 4:22 AM
‎Jun 20 2023 4:22 AM

Hi,

 

Could the core the central site have a pair of MX’s (HA), functioning as a Firewall and terminating the 7-8 VPN tunnels from their remote sites. Without needing to adopt the Split MX responsibility of Firewall and Concentrator?

 

Yes, it can. 

 

Though things to note are below,

virtual MX - can act as VPN concentrator only, don't have firewall functionalities.

MX appliance - If you feel the load on your firewall is going to be too much along with the VPN concentrator role, you can go for "Umbrella" Integration and let umbrella handle firewall functions.

 

PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jun 20 2023 11:13 AM
‎Jun 20 2023 11:13 AM

There is no problem with using an HA pair in "routed" mode as an AutoVPN hub.  I do 99.9% of my deployments this way.  I have one customer with 250 or so spokes using this style of configuration.

TBee
Here to help
‎Jun 21 2023 12:31 AM
‎Jun 21 2023 12:31 AM

Thanks for the replies. So what is the reason for Meraki recommending deployment of a Meraki MX as a Single Arm Concentrator behind a MX as a Firewall?

What are the instances where this is the design to follow?

0 Kudos
In response to TBee
cmr
Kind of a big deal
Kind of a big deal
‎Jun 21 2023 1:59 AM
‎Jun 21 2023 1:59 AM

We use the single ended core design as we have multiple internet and MPLS connections (four in total) that the SD-WAN connections run over.  You cannot do this in routed mode as there are only two WAN ports usable at a time with the current firmware.

If my answer solves your problem please click Accept as Solution so others can benefit from it.
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.