One-Arm VPN Concentrator - Design Best Practice

SOLVED
Here to help

 

I have a Meraki network with one Data Centre and 5 branch sites with approximately 30 APs across the sites. Is there a best practice design for this setup?

 

The Data centre has an MX84 serving as a One-Arm VPN Concentrator.

LAN and data centre access is required from the branch sites.

Guest access is required to be isolated from the data centre and LAN traffic.

 

Thanks in advance

 

 


8 REPLIES
Kind of a big deal
Here to help

Re: One-Arm VPN Concentrator - Design Best Practice

Looks good, Thanks

 

Can this design be simply scaled up for multiple branches?

Kind of a big deal

Re: One-Arm VPN Concentrator - Design Best Practice

Here to help

Re: One-Arm VPN Concentrator - Design Best Practice

There is only 1 data centre and 11 branch sites. Some sites have only 1 or 2 APs.

 

Would I need an MX at each site as indicated in the design?

 

One design goal is to isolate the guest traffic. I know this can be done at the AP but what is the best practice?

- An MX at each of the larger sites, then combine the smaller sites with a shared MX?

Kind of a big deal

Re: One-Arm VPN Concentrator - Design Best Practice

Oh, I see. I misread your DC count.

 

Yes, if you have multiple branch locations, I'd leverage AutoVPN to simplify maintaining the tunnels between your DC and the branches. We have several clients running a similar config, and it's been set and forget.

 

Where does your guest traffic go? Does it actually access anything at the DC? Does it exit into the internet locally? Or could it exit locally, if you had firewalls there?

Here to help

Re: One-Arm VPN Concentrator - Design Best Practice

The guest traffic is just required to access the Internet (nothing in the DC).

 

There is currently traffic shaping on the MRs to rate limit certain websites for the guest traffic.

 

There is currently a second MX set up as a VPN concentrator. This is just used for the guest access. I suspect this was implemented to create a DMZ for the guest traffic.

 

 

Kind of a big deal

Re: One-Arm VPN Concentrator - Design Best Practice

If the guest traffic only requests internet access, I'd have a local firewall and ISP. Dump the guest traffic out the local firewall. Utilize the MR's baked in firewall to block the guest traffic from accessing your LAN.

 

You want traffic to exit the network as soon as possible.
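As an added example (not from the thread or from Meraki), here is the "MR's baked in firewall" step written out as the per-SSID L3 rule set a defender would push, plus an offline first-match check of sample destinations. The DC prefix is a constructed placeholder, and the endpoint path and field names are my assumption about the Meraki Dashboard API; confirm them against current API docs before use.

```python
"""Guest-SSID isolation on Meraki MR expressed as a first-match L3 rule set."""
import ipaddress
import json

# Constructed placeholder: replace with the prefixes actually routed to the DC.
DC_PREFIXES = ["10.10.0.0/16"]
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

# Assumed endpoint (not verified here):
# PUT /networks/{networkId}/wireless/ssids/{number}/firewall/l3FirewallRules
def build_guest_l3_rules(dc_prefixes=DC_PREFIXES):
    """Deny guest clients any private/DC destination, allow everything else.

    allowLanAccess=False is the dashboard's "Deny Local LAN" toggle; it only
    covers the AP's own subnet, so DC and branch prefixes reachable over
    AutoVPN still need explicit deny rules ahead of the implicit allow-any.
    """
    rules = []
    for cidr in list(dc_prefixes) + RFC1918:
        rules.append({"comment": f"guest: deny {cidr}", "policy": "deny",
                      "protocol": "any", "destPort": "any", "destCidr": cidr})
    return {"allowLanAccess": False, "rules": rules}


def evaluate(payload, dst_ip):
    """First-match evaluation of destination only (protocol/port are 'any' here).

    Mirrors the dashboard semantics: rules are read top-down and an implicit
    'allow any' sits at the bottom, so an unmatched destination is allowed.
    """
    ip = ipaddress.ip_address(dst_ip)
    for rule in payload["rules"]:
        cidr = rule["destCidr"]
        if cidr == "any" or ip in ipaddress.ip_network(cidr):
            return rule["policy"]
    return "allow"


if __name__ == "__main__":
    payload = build_guest_l3_rules()
    # Constructed sample destinations: DC host, branch LAN host, public host.
    for dst in ["10.10.5.20", "192.168.1.1", "93.184.216.34"]:
        print(dst, evaluate(payload, dst))
    print(json.dumps(payload, indent=2))
```

Guest traffic is still bridged to the local ISP by the SSID's addressing mode; these rules only stop it from reaching LAN and DC prefixes.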

Here to help

Re: One-Arm VPN Concentrator - Design Best Practice

That makes sense!

 

Thanks very much for your help

 
