Meraki

Community

Passthrough or VPN Concentrator

Aamir
Here to help
‎May 18 2020 6:06 PM
‎May 18 2020 6:06 PM

Passthrough or VPN Concentrator

Hi,

 

When we select the MX to be in Passthrough or VPN Concentrator mode how does the MX know which mode to operate on? What features do we gain or loan in Passthrough or VPN Concentrator mode?

0 Kudos
5 Replies 5
merakichamp
Building a reputation
‎May 18 2020 11:12 PM
‎May 18 2020 11:12 PM

@Aamir  

Choose this option if you simply want to deploy the MX device:

  • In bridge mode for traffic shaping and additional network visibility.
  • As a one-armed VPN concentrator.
  • it is also one of the best recommendation for SD WAN deployment

 

Networks and Routing > MX Addressing and VLANs

 

In response to merakichamp
Aamir
Here to help
‎May 20 2020 6:07 AM
‎May 20 2020 6:07 AM

HI,

 

In bridge mode do I still get firewall functionality? My understanding is bridge mode is firewall operating in layer 2 mode which means no routing, with one-armed concentrator deployment its still a layer 3 device, so by Passthrough or VPN Concentrator how does the MX know it needs to work on bridge mode with no routing and or VPN concentrator mode?

0 Kudos
In response to Aamir
merakichamp
Building a reputation
‎May 20 2020 7:46 AM
‎May 20 2020 7:46 AM

@Aamir  Passthrough/Concentrator Mode is best used when there is an existing Layer 3 device upstream handling network routing functions.  The MX in this instance would still act as a security appliance, but with less functionality for Layer 3 networking.

0 Kudos
In response to merakichamp
merakichamp
Building a reputation
‎May 20 2020 7:48 AM
‎May 20 2020 7:48 AM

The recommended use case for the MX security appliance in passthrough mode is when it is acting as a VPN Concentrator for the Cisco Meraki Auto VPN feature.  Passthrough/VPN Concentrator mode ensures easy integration into an existing network that may already have layer 3 functionality and edge security in place.  With this mode, a Cisco Meraki MX security appliance can be integrated into the existing topology and allow for seamless site to site communication with minimal configuration needed.

0 Kudos
In response to merakichamp
FrederiqueC
Here to help
‎Sep 25 2020 5:03 AM
‎Sep 25 2020 5:03 AM

@merakichampThank you for that info.

I have a follow up question though. In MX's documentation it is written :

"When using an MX as a site-to-site VPN peer, it will only be able to send client traffic over the VPN tunnel if that traffic has been directed to it. As such, a router or L3 switch on the network will need to have static routes configured, such that VPN-bound traffic is sent to the MX. This traffic will then be encrypted and sent through the site-to-site VPN tunnel. Traffic bound to the Internet or other destinations will simply pass through the appliance:"

 

Let's say that I have that kind of topology

Internet -Edge FW - DMZ - MX L2/VPN concentrator - Router - LAN

 

if I have a layer 3 functionality to ensure routing, if I set the MX in passthrough mode, is it possible for it to deal with S2S VPN, Client VPN AND to still pass all internet traffic (incoming and outgoing) through the MX using filtrering, IPS and AMP functionalities ?

if it's not clear, i can ce more specific.

thanks for your help.

FrederiqueC

 

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.