Hello,
We are struggling with the proper planning of the design. We have 8 small remote branches, each with an MX64 as the L3 device plus some L2 MS and MR. In our main internal DC location we don't have a Meraki L3 device (only L2), but L3 core/distribution switches (C3850 x2).
In a few months we are removing our current SD-WAN provider and therefore we need to establish Meraki SD-WAN. For this purpose we bought 2 x MX105.
Moreover, we also have a service provider with their own DC where our current SD-WAN provider's services are in place. We will not have Meraki there, but Zscaler connectors so that people can reach services - inbound-only traffic (users --> external DC, covered by the Zscaler cloud).
The MX105 can be deployed in two ways - either as a one-armed VPN concentrator or in routed mode. For sure the remote branches will be in routed mode as they act as the L3 gateway.
One-armed VPN concentrator mode is obviously much easier to implement, as we don't need to migrate L3 from the C3850 to the MX105.
In routed mode we need to move all the subnets to the MX105, which is painful. Also in this case the C3850 will be just an L2 switch for high-speed switching; however, the gateway for all the subnets (users, printers, servers, voice etc.) will be the MX105.
Bunch of design questions:
What is the best practice for such a deployment? Which option should we choose? Take note that the C3850s cannot be fully removed because they provide redundant links to a few access switches, which cannot be achieved on the MX105 because of its insufficient number of ports.
How should we physically connect the interfaces between the MX105 and the C3850? The MX105 does not support LACP, so for traffic routed via a single link, should it be 10Gb to bring more capacity?
When removing the current SD-WAN provider from the remote branches, how should we terminate the ISP lines on the MX64? Currently there is an SD-WAN intermediate router connecting the ISP and the MX64, each over an L3 port.
Also, at the small branches the current SD-WAN provider has a DMZ zone acting as the L3 router for the Guest and IoT networks. With the RoaS config there is a single physical port bypassing the MX64 over a trunk port connected to the L2 STP root switch (trunk allowed VLANs: guest LAN, guest Wi-Fi, IoT). In this case, what options do we have? Should the MX64 be connected directly to the ISP router, with the guest + IoT networks created on the MX64 and isolated using MX FW rules?
Thank you for any insights regarding deployment considerations!
Best Regards, Jan Stucki