One-Arm VPN Concentrator - Design Best Practice

Solved
AshMead
Getting noticed

One-Arm VPN Concentrator - Design Best Practice

 

I have a Meraki network with one Data Centre and 5 branch sites with approximately 30 APs across the sites. Is there a Best practice design for this set up.

 

The Data centre has an MX84 serving as a One- Arm VPN Concentrator.

LAN and data centre access is required from the branch sites

Guest access is required to be isolated from the data centre and LAN traffic.

 

Thanks in advance

 

 

1 Accepted Solution
Nash
Kind of a big deal

If the guest traffic only request internet access, I'd have a local firewall and ISP. Dump the guest traffic out the local firewall. Utilize the MR's baked in firewall to block the guest traffic from accessing your LAN.

 

You want traffic to exit the network as soon as possible.

View solution in original post

8 Replies 8
Nash
Kind of a big deal
AshMead
Getting noticed

Looks good, Thanks

 

Can this design be simply scaled up for multiple branches?

Nash
Kind of a big deal

AshMead
Getting noticed

There is only 1 data centre and 11 branch sites. Some site have only 1 or 2 APs.

 

Would I need an MX at each site as indicated in the design?

 

One design goal is to isolate the guest traffic. I know this can be done at the AP but what is the best practice?

 - An MX at each of the larger sites then combine the smaller sites with a shared MX?  

Nash
Kind of a big deal

Oh, I see. I misread your DC count.

 

Yes, if you have multiple branch locations, I'd leverage AutoVPN to simplify maintaining the tunnels between your DC and the branches. We have several clients running a similar config, and it's been set and forget.

 

Where does your guest traffic go? Does it actually access anything at the DC? Does it exit into the internet locally? Or could it exit locally, if you had firewalls there?

AshMead
Getting noticed

The guest traffic is just required to access the Internet (nothing in the DC).

 

There is currently traffic shaping on the MRs to rate limit certain websites for the guest traffic

 

There is currently a second MX set up as a VPN concentrator. This is just used for the guest access. I suspect this was implemented to create a DMZ for the guest traffic. 

 

 

Nash
Kind of a big deal

If the guest traffic only request internet access, I'd have a local firewall and ISP. Dump the guest traffic out the local firewall. Utilize the MR's baked in firewall to block the guest traffic from accessing your LAN.

 

You want traffic to exit the network as soon as possible.

AshMead
Getting noticed

That make sense!

 

Thanks very much for your help

 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels