Meraki SD WAN

BigK
Here to help

Meraki SD WAN

Hello, 

 

I am new to Meraki SD WAN and need some help from design perspective. 

In the DC. I have a MX450 connected to a cisco switch which is connected to a router and out to the internet.

 

Now I do have a couple of branches that will be using MX68CW.

 

The goal is to have the 2 branches use SD WAN technology using MX450 in the data center and MX68CW in the branches. 

 

Here is what I know so far by picking at one of the branches and DC config. 

  1. MX68CW to MX450 is site to site VPN. 
  2. VLANs are configured on MX68CW with their subnets.
  3. MX450 Addressing & VLANs = Deployment Settings is Passthrough or VPN Concentrator
  4. Site to site VPN on the MX450 --> is Hub (Mesh)
  5. Port 1 on the MX450 is connected to internet. 
  6. Client tracking is = Ip address

any help with the design perspective will appreciate it.

 

Thanks

 

 

 

 

 

 

2 Replies 2
alemabrahao
Kind of a big deal
Kind of a big deal

I think you have to start with this document:

 

 

https://documentation.meraki.com/Architectures_and_Best_Practices/Cisco_Meraki_Best_Practice_Design/...

 

https://documentation.meraki.com/Architectures_and_Best_Practices/Recommended_Topologies

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
rhbirkelund
Kind of a big deal
Kind of a big deal

Regarding the hub there are a few considerations you may have. You can configure it either as VPN Concentrator or in Routed mode and locate it inside you DC somewhere, or you can configure it in Routed mode, and place it as an Edge firewall. Both will work in terms of the Meraki SD-WAN.

 

Routed mode, Edge Firewall

If you place the Hub MX as an edge firewall (routed mode) you will need a separate Public IP address for it. If you need redundancy in terms of Warm Spare (VRRP) you'll need two IP addresses (perhaps even three, if you go for a Virtual IP, which is prefererable).

 

As mentionend first, you also have the opportunity to place it inside your DC, as either Passthrough/VPN Concentrator or Routed mode. What to choose really depends on preference and current Topology.

 

Routed mode, Inside DC

In Routed mode, you have the opportunity to segment networks in VLANs inside you DC, and advertise each vlan/subnet you wish to the rest of the SDWAN topology (spokes/branches). What ever VLAN you configure in the Hub to be advertised, each spoke will learn of it. On the DC side, this means you'll have to manage the VLANs, route traffic appropiately, etc.

 

Concentrator, Inside DC

With regards to the Concentrator mode, you just have to think of it as a single endpoint device, which terminates a series of Site-to-Site VPN connections. It's only connected on its Internet port, and all traffic is routed in and out of that interface. You have a single VLAN, so you'll have to route everything internally in your DC. Typically the MX will have a Default Gateway, and the device where this relies will have routes for Spokes subnets pointing towards the MX Hub. In conecntrator mode, you have the added benefit of OSPF support, so instead of routing statically back and forth, the MX Hub can advertise its spoke subnets upstream. But the MX Hub will not learn subnets.

 

Really, there's not right or wrong. But it depends on the current topolgy and your own preference.

 

LinkedIn ::: https://blog.rhbirkelund.dk/

Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂

All code examples are provided as is. Responsibility for Code execution lies solely your own.
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels