Meraki

Community

MX6X firewalls wit 50+ SD-WAN branches

Solved
JoniM
Here to help
‎Apr 5 2020 11:40 PM
‎Apr 5 2020 11:40 PM

MX6X firewalls wit 50+ SD-WAN branches

Hi,

 

anyone have experience/knowledge on how do MX64, 67 and 68 firewalls behave if there are over 50 sites in full mesh SD-WAN topology? Apparently there is a technical limitation of 50 VPN tunnels for these firewalls.

 

Best regards,

 

Joni Marjoniemi

0 Kudos
1 Accepted Solution
CN
Meraki Alumni (Retired)
Meraki Alumni (Retired)
‎Apr 6 2020 10:09 AM
‎Apr 6 2020 10:09 AM

From my experience in Meraki Support, things are not going to go very well for the MX. I'm not quite sure that you're gaining that much by having a direct connection to each. When using a hub, the spokes will be able to relay information from one hub to another. 

 

If any of the sites have two uplinks then that will double the number of tunnels that it has to build (you can disable active-active VPN tunnels). 

 

I would recommend that you pick a couple of the MXs to serve as the hubs so that instead of having all of the MX suffer under the load, there will only be a couple. 

 

https://documentation.meraki.com/Architectures_and_Best_Practices/Auto_VPN_Hub_Deployment_Recommenda...

View solution in original post

4 Replies 4
DarrenOC
Kind of a big deal
Kind of a big deal
‎Apr 6 2020 12:05 AM
‎Apr 6 2020 12:05 AM

No experience on such a deployment but if you’re at the threshold and hit technical issues then Meraki support will be limited.

 

i believe you’ll be fine unless you start deploying out more MX’s to the deployment and take the design way over its thresholds.

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
0 Kudos
CN
Meraki Alumni (Retired)
Meraki Alumni (Retired)
‎Apr 6 2020 10:09 AM
‎Apr 6 2020 10:09 AM

From my experience in Meraki Support, things are not going to go very well for the MX. I'm not quite sure that you're gaining that much by having a direct connection to each. When using a hub, the spokes will be able to relay information from one hub to another. 

 

If any of the sites have two uplinks then that will double the number of tunnels that it has to build (you can disable active-active VPN tunnels). 

 

I would recommend that you pick a couple of the MXs to serve as the hubs so that instead of having all of the MX suffer under the load, there will only be a couple. 

 

https://documentation.meraki.com/Architectures_and_Best_Practices/Auto_VPN_Hub_Deployment_Recommenda...

In response to CN
CN
Meraki Alumni (Retired)
Meraki Alumni (Retired)
‎Apr 6 2020 2:25 PM
‎Apr 6 2020 2:25 PM

To add a little bit more context to the math in the kb that I linked earlier. 

"If all MXs have 2 uplinks and there are 50 MXs, then the total number of VPN tunnels would be 2450 and every MX would have to be able to support 196 tunnels (in this case, we would need around 50 MX100s…)" Here 1 MX is having 2 uplink which has to connect to the 2 uplinks on each of the other 49 hubs. 49 * 2 (local uplinks) * 2 (remote uplinks) = 196.

 

Even if you had only 1 uplink at each site, the formula for counting the number of the individual links is a complete graph which in this case is a 50-complete graph = 1225 which is the number of total VPN connections that you would have total in the organization. That's a lot of VPN tunnel to need to troubleshoot. 

0 Kudos
SopheakMang
Building a reputation
‎Apr 6 2020 10:23 PM
‎Apr 6 2020 10:23 PM

yes , i have experience , but to be efficient on deployment , need to open case for changing some config from backend
0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.