SD-WAN VPN policies on MX in One-Armed Concentrator Mode

whistleblower
Getting noticed


Hi,


If an MX is used in One-Armed Concentrator Mode (terminating tunnels from MPLS and Internet) and traffic is sourced from a network behind the Layer 3 device to which this MX is connected, on which basis would the Auto-VPN tunnel for that traffic be chosen?

This question arises because on the branch site there's an SD-WAN policy configured which, e.g., forces RDP/Citrix traffic to be routed only through the tunnel that uses a private MPLS as underlay (the second one is an Internet link)!


thanks for any help/answers in advance!


Inderdeep
Head in the Cloud

Re: SD-WAN VPN policies on MX in One-Armed Concentrator Mode

@whistleblower: An MX Security Appliance operating in one-armed concentrator mode sends and receives traffic on a single interface. This interface will always be the first Internet or WAN port on the unit. A secondary port is not supported when deployed as a VPN concentrator.

Regards
Inderdeep Singh
www.thenetworkdna.com
Bruce
Kind of a big deal

Re: SD-WAN VPN policies on MX in One-Armed Concentrator Mode

@whistleblower, tricky one. Have a look at this document, https://documentation.meraki.com/Architectures_and_Best_Practices/Auto_VPN_Hub_Deployment_Recommenda... scroll down to ‘Concentrator Priority’, and there is a little diagram there which actually explains this. (It’s about the only place I’ve ever seen it described).


The summary is that the Concentrator doesn’t know which AutoVPN tunnel to use, so it initially just picks one. However, when the Spoke replies it will make its choice based on the defined rules, and then the Concentrator will switch to use whichever AutoVPN tunnel the Spoke replied on.

PhilipDAth
Kind of a big deal

Re: SD-WAN VPN policies on MX in One-Armed Concentrator Mode

In this case, we have a one arm MX with two AutoVPN tunnels to a spoke.


The one-armed MX will return the traffic to the spoke via whichever AutoVPN tunnel it came in on.
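The behaviour described in the two replies above, modelled as an added example (this is not Meraki code; the tunnel names, the port-keyed policy table and the flow key are assumptions made for the illustration): the hub has no SD-WAN policy of its own, picks an arbitrary tunnel for the first hub-originated packet, then pins the flow to whichever tunnel the spoke's packets arrive on.

```python
"""Model of the AutoVPN tunnel choice described in this thread (added example)."""

MPLS, INTERNET = "mpls", "internet"


class Spoke:
    """Branch MX with an SD-WAN policy keyed by destination port (assumed)."""

    def __init__(self, policy, default=INTERNET):
        self.policy = policy      # e.g. {3389: MPLS} pins RDP to the MPLS tunnel
        self.default = default

    def choose(self, flow):
        # The spoke classifies the flow and applies its SD-WAN policy.
        _src, _dst, dport = flow
        return self.policy.get(dport, self.default)


class Concentrator:
    """One-armed hub: no SD-WAN policy, learns the tunnel per flow from the spoke."""

    def __init__(self, default=INTERNET):
        self.default = default    # the "initial pick" when nothing is known yet
        self.flow_table = {}      # flow -> tunnel the spoke last used

    def send(self, flow):
        # Hub-originated or return traffic: use the learned tunnel, else the initial pick.
        return self.flow_table.get(flow, self.default)

    def receive(self, flow, tunnel):
        # Whatever tunnel the spoke's packet arrived on becomes the return path.
        self.flow_table[flow] = tunnel


def hub_initiated(hub, spoke, flow, packets=3):
    """Tunnels used for each hub->spoke packet of a flow started behind the hub."""
    used = []
    for _ in range(packets):
        used.append(hub.send(flow))
        hub.receive(flow, spoke.choose(flow))   # spoke replies per its own policy
    return used


def spoke_initiated(hub, spoke, flow):
    """Tunnel the hub replies on for a flow started at the branch."""
    hub.receive(flow, spoke.choose(flow))
    return hub.send(flow)
```

The model makes the practical consequence visible: only the first hub-originated packet of a policy-pinned flow can cross the non-preferred tunnel, while branch-originated flows are answered on the tunnel the spoke chose from the start.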
