MX in a core site

Solved
TBee
Here to help

I have quoted a Meraki MX SD-WAN solution for a customer, for 1 remote site and one central site.

1 x MX67 at the remote site

2 x MX105 at the core site (HA pair)

 

The customer is planning on adding more sites on to the SD-WAN over the coming year, total maximum of 7-8 remote sites.

 

I know that Meraki have a recommended best practice for the core site to have a Meraki MX as a Concentrator behind a separate firewall, but does this have to be the case?

Could the core (central) site have a pair of MXs (HA), functioning as a Firewall and terminating the 7-8 VPN tunnels from their remote sites, without needing to adopt the Split MX responsibility of Firewall and Concentrator?

1 Accepted Solution
PhilipDAth
Kind of a big deal

There is no problem with using an HA pair in "routed" mode as an AutoVPN hub.  I do 99.9% of my deployments this way.  I have one customer with 250 or so spokes using this style of configuration.

Madhan_kumar_G
Getting noticed

Hi,

 

Could the core (central) site have a pair of MXs (HA), functioning as a Firewall and terminating the 7-8 VPN tunnels from their remote sites, without needing to adopt the Split MX responsibility of Firewall and Concentrator?

 

Yes, it can. 

 

Things to note, though, are below:

Virtual MX - can act as a VPN concentrator only; it doesn't have firewall functionality.

MX appliance - If you feel the load on your firewall is going to be too much along with the VPN concentrator role, you can go for "Umbrella" integration and let Umbrella handle firewall functions.

 

TBee
Here to help

Thanks for the replies. So what is the reason for Meraki recommending deployment of a Meraki MX as a Single Arm Concentrator behind an MX as a Firewall?

What are the instances where this is the design to follow?

cmr
Kind of a big deal

We use the single ended core design as we have multiple internet and MPLS connections (four in total) that the SD-WAN connections run over.  You cannot do this in routed mode as there are only two WAN ports usable at a time with the current firmware.
