Reusing the VPN Concentrator as a Security Device
Hi All
Firstly, I am new to Meraki. The first part of the plan, scheduled for 2025, is to connect all our sites using Meraki Auto SD-WAN.
I intend to use an MX Appliance as a VPN Concentrator Hub to connect 12 sites, 6 international, as SD-WAN spokes. Once all sites are connected via SD-WAN I would like to edit the Hub WAN appliance from VPN Concentrator Mode to Routed Mode, making it the edge device taking care of security and layer 3 routing. As the VPN Concentrator will be installed at our data centre:
- can this be done - in a couple of hours
- what do I need to consider
- would I need to recreate all the VPN connections
- is there an article that describes such a move in detail - that I have missed.
Thanks in advance
Labels: Auto VPN
Not quite sure why you would give yourself this headache and instead just deploy it in routed mode from the start?
Jimmyt234 - Thanks for replying. I have an existing MPLS network to all my sites. How would I use routed mode from the start as I will have an existing firewall and layer 3 switch in front of my MX device? Thanks
You could deploy in routed mode, if you enable NONAT on the WAN interface connected to your MPLS. You'll be able to route in and out of the MPLS and apply L3 firewall rules to the traffic flow.
This is only if you don't mind enabling opt-in "beta" functionality, which NONAT is labelled as. But we've been successfully using it in production as a stopgap until we move everything behind Meraki AutoVPN and NAT.
You'll also not get BGP route exchange, and the MPLS will be treated as an external network, so advertising static routes from the hub might be required depending on your topology and needs.
Thanks ITSDigital, that does sound like an option - is there any documentation for this?
NONAT has to be turned on first in Organization > Early Access. Docs are here:
And I was wrong, BGP route exchange is available on NONAT routed mode - but only on firmware 18.207 or above:
https://documentation.meraki.com/MX/Networks_and_Routing/Border_Gateway_Protocol_(BGP)
- can this be done - in a couple of hours
Yes.
- what do I need to consider
It is pretty straightforward to change from VPN concentrator mode to routed mode.
- would I need to recreate all the VPN connections
No.
