Meraki MX105 SDWAN deployment

JanStucki
Comes here often


Hello,

We are struggling with the proper planning of the design. We have 8 small remote branches, each with an MX64 as the L3 device plus some L2 MS and MR. In our main internal DC location we don't have a Meraki L3 device (only L2), but L3 core/distribution switches (2 x C3850).

In a few months we are removing our current SDWAN provider, and therefore we need to establish Meraki SDWAN. For this purpose we bought 2 x MX105.

Moreover, we also have a service provider with their own DC where the current SDWAN provider services are in place. We will not have Meraki there, but Zscaler connectors in order for people to reach those services - inbound-only traffic (users --> external DC covered by Zscaler cloud).

The MX105 can be deployed in two ways - either as a one-armed VPN concentrator or in routed mode. For sure the remote branches will be in routed mode, as they act as the L3 gateway.

One-armed VPN concentrator mode is obviously much easier to implement, as we don't need to migrate L3 from the C3850 to the MX105.

In routed mode we need to move all the subnets to the MX105, which is painful. In this case the C3850 will be just an L2 switch for high-speed switching, while the gateway for all the subnets (users, printers, servers, voice etc.) will be the MX105.

Bunch of design questions:

What is the best practice for such a deployment? Which option should we choose? Note that the C3850 cannot be fully removed because they provide redundant links to a few access switches, which cannot be achieved on the MX105 because of its insufficient number of ports.

How should we physically connect the interfaces between the MX105 and the C3850? The MX105 does not support LACP, so for traffic routed via a single link, should it be 10Gb to provide more capacity?

When removing the current SDWAN provider from the remote branches, how should we terminate the ISP lines on the MX64? Currently there is an intermediate SDWAN router connecting the ISP and the MX64, each over an L3 port.

Also, on the small branches the current SDWAN provider has a DMZ zone acting as the L3 router for the Guest and IoT networks. With the RoaS config there is a single physical port bypassing the MX64 over a trunk port connected to the L2 STP root switch (trunk allowed VLANs: guest LAN, guest Wi-Fi, IoT). In this case what options do we have? Should the MX64 be connected directly to the ISP router, with the guest and IoT networks created on the MX64 and isolated using MX FW rules?

Thank you for any insights regarding deployment considerations!

Best Regards, Jan Stucki

DarrenOC
Kind of a big deal

Hi @JanStucki , I’ve always found this document very useful:

https://documentation.meraki.com/Architectures_and_Best_Practices/Cisco_Meraki_Best_Practice_Design/...

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
JanStucki
Comes here often

Hi Darren,

Thanks for the link and your answer. In case a lot of traffic from the remote branches is forwarded to the main private DC, this is obviously the case for installing a one-armed VPN concentrator. In case users will forward more and more traffic to the Internet, does it make any sense to consider the routed mode option everywhere? Also, in the future resources will be migrated to the Cloud (I believe also a private but external Cloud, not public).

DarrenOC
Kind of a big deal

Typically you would place the MX in one-armed concentrator mode within the DC. This is the preferred method for devices terminating VPN tunnels from your Branch sites.

From your branch sites you can then either use Full or Split tunnel mode depending on your traffic requirements and where you wish to send your traffic.

JanStucki
Comes here often

Hi Darren,

After a brief overview of our use cases, we will deploy the MX105 in Routed mode. In the very near future we will not have any Edge devices - just the ISP router and the C3850 as L3. All the subnets from the C3850 should be migrated to the MX105 (planned downtime), leaving the C3850 only as an L2 switch terminating the access switches.

The MX105 will act as a Hub, while the remote branches act as Spokes. In this case we can achieve the IoT and Guest network setup and FW rules on the MX105.

In passthrough mode packets are not translated, and we will have no other edge device than the unmanaged ISP router, so if we connect the MX105 to the LAN side behind the C3850 it will just forward traffic from DC server --> C3850 --> ISP router. This is not the best design. The C3850 should do its job switching packets, and the MX105 should do its job routing packets. Between the C3850 and the MX105 I see just a routed port /30, with the C3850 having a 0.0.0.0 route towards the MX105.

Also, we need to statically NAT two servers (cannot do this on the C3850), plus our ISP is giving us a public IP which we are unable to NAT without a NAT-capable appliance.

I hope it does make sense to you.
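The routed /30 handoff with a default route towards the MX105 described in the post above, written out as an added IOS-XE example for the C3850 side (not configuration from the thread or from Cisco; all addresses, VLAN ids and interface names are assumed). This variant keeps the user/server SVIs on the C3850 as the gateways, which is what a routed /30 transit implies; if the gateways are instead moved onto the MX105, the link between the two would have to be an 802.1Q trunk rather than a routed /30, because hosts must be L2-adjacent to their gateway.

```cisco
! Added example (not from the thread): C3850 side of a routed /30 transit to the MX105.
! Assumed addressing: MX105 LAN-side transit IP 10.255.0.1/30, C3850 10.255.0.2/30.
! With this design the MX105 needs static routes back to the C3850 subnets
! (e.g. 10.10.0.0/16 via 10.255.0.2 under Addressing & VLANs > Static routes),
! enabled in AutoVPN so the spokes can reach them.
ip routing
!
! Single routed uplink to the MX105. No port-channel: the MX105 has no LACP,
! so one 10G port is used instead of bundling several 1G links.
interface TenGigabitEthernet1/1/1
 description Transit /30 to MX105
 no switchport
 ip address 10.255.0.2 255.255.255.252
 no shutdown
!
! Everything not locally connected (Internet, AutoVPN spokes) goes to the MX105.
ip route 0.0.0.0 0.0.0.0 10.255.0.1
!
! Example user and server subnets still gatewayed on the C3850 (assumed values).
vlan 10
 name Users
vlan 20
 name Servers
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
interface Vlan20
 ip address 10.10.20.1 255.255.255.0
!
! Trunk towards an access switch; the redundant access links stay on the C3850.
interface GigabitEthernet1/0/1
 description Trunk to access switch
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
! Checks after the cutover:
!   show ip route 0.0.0.0              -> S* 0.0.0.0/0 [1/0] via 10.255.0.1
!   show ip interface brief | include Ten1/1/1
!   ping 10.255.0.1 source Vlan10      -> only succeeds once the MX105 has its return route
```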
