SD-WAN hub mode

iores
Here to help

Hi,

As far as I have read, Meraki one-armed concentrator and routed mode are getting more and more similar (feature-wise).

Are there any specific use cases when only one mode should be used, given that nowadays they are very similar?

Are there any important features that differ between them? I know that one-armed uses only the WAN interface, but besides that, what are the additional unique features between them that should be considered when choosing the correct deployment mode?

17 Replies
alemabrahao
Kind of a big deal

Here are the main use cases in general.

VPN Concentrator Mode

  • Use Case: SD-WAN Hub in a DC or HQ
  • You have branch offices (spokes) that connect to the DC or HQ using AutoVPN.
  • The DC already has its own upstream router/firewall (e.g. a large Palo Alto or Cisco ASA).
  • You want the MX to handle only the VPN termination and routing, but not act as a firewall or Internet edge.
  • No NAT required

Since it does not do NAT, it is easier to maintain end-to-end visibility and preserve source IP addresses (useful for data center firewall or IDS policies).

  • Data center with multiple VLANs routed to another location
  • Often, internal VLAN routing is handled by a core switch or other upstream device.

Routed Mode Use Case

  • Branch or Edge Locations (Most Common)
  • The MX acts as a firewall and Internet edge router.
  • It performs NAT for Internet-bound traffic.
  • You need to segment local LAN traffic using VLANs.
  • You want to use local breakouts (direct Internet access) for SaaS or split tunneling.
  • Hybrid or Small DCs

When you want the MX to provide both local LAN services and VPN services (for example, small data centers without a central router).

https://documentation.meraki.com/MX/Deployment_Guides/VPN_Concentrator_Deployment_Guide?utm_source=c...

Sorry if there are any mistakes, I got the presentation data for a client and had to translate it.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Brash
Kind of a big deal

They are for different use cases.


An MX in VPN concentrator mode isn't going to be providing NAT and firewall services for internet-based traffic. It's to terminate SD-WAN connections into a head office/datacentre.

Ryan_Miles
Meraki Employee All-Star

From my perspective the biggest difference is with how routing works for spoke full tunneled traffic. A concentrator mode MX would have a LAN side next hop. A NAT mode MX default route would be back out its WAN interface. I've seen many instances in which customers want spoke traffic to tunnel back to the hub then into the LAN in order to route through some other device then out to internet. So, in this case you need a 0/0 route on the NAT hub pointing to a LAN side next hop. Not a big deal probably, but one extra consideration.

iores
Here to help

What do you mean by "back out its WAN interface"?

But NAT mode will have a default route out of its WAN interface, since that interface is also used to connect to the Meraki cloud? What is the main difference between a one-armed concentrator and NAT mode if the hub is used with no NAT (as per my understanding, this option is now available)?

alemabrahao
Kind of a big deal

"Back out its WAN interface" means:

After the MX decrypts the VPN traffic, if the destination is the Internet, by default it forwards this traffic directly out its WAN interface, using its own public IP as the NAT source address.

The MX then acts as an exit point to the local Internet for this traffic, using its WAN interface as the path to the Internet.

With No-NAT, routed mode hubs can forward decrypted spoke traffic to LAN next hops without NAT — but they retain their local routing and VLAN capabilities, which concentrator mode lacks.

The main architectural difference is still about whether the MX is meant to route LAN traffic locally (routed mode) or act purely as a VPN concentrator (concentrator mode).

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
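A toy model of the routing difference Ryan_Miles and alemabrahao describe above: where a full-tunneled spoke packet bound for the internet leaves a concentrator-mode hub versus a routed (NAT) hub, with and without the extra 0/0 route to a LAN-side next hop. This is an added example, not code from the thread or from Meraki; the prefixes, next hops and interface names are constructed for illustration.

```python
# Added example (not from the thread or from Meraki): a toy longest-prefix-match
# forwarder that models the hub routing difference discussed above. All route
# tables, interface names and addresses below are constructed for illustration.
import ipaddress

HUB_PUBLIC_IP = "203.0.113.10"  # constructed hub WAN address (NAT source)
DC_FIREWALL = "10.10.0.1"       # constructed LAN-side next hop (DC firewall/IDS)

def lookup(routes, dst):
    """Longest-prefix match over (prefix, iface, next_hop, nat) tuples."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, next_hop, nat in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, next_hop, nat)
    return best

def forward(routes, src, dst):
    """Egress (iface, next_hop, source IP seen downstream) for a decrypted spoke packet."""
    match = lookup(routes, dst)
    if match is None:
        return None
    _, iface, next_hop, nat = match
    return iface, next_hop, HUB_PUBLIC_IP if nat else src

# One-armed concentrator: single interface, default toward a LAN-side next hop, no NAT.
CONCENTRATOR = [("0.0.0.0/0", "one-arm", DC_FIREWALL, False)]
# Routed (NAT) hub as shipped: DC prefixes via LAN, default back out the WAN with NAT,
# so spoke internet traffic never passes the DC firewall/IDS.
NAT_HUB_DEFAULT = [("10.10.0.0/16", "lan", DC_FIREWALL, False),
                   ("0.0.0.0/0", "wan", "203.0.113.1", True)]
# Routed hub with the extra 0/0 route pointing at the LAN next hop (no NAT on that path).
NAT_HUB_WITH_LAN_DEFAULT = [("10.10.0.0/16", "lan", DC_FIREWALL, False),
                            ("0.0.0.0/0", "lan", DC_FIREWALL, False)]

def spoke_internet_egress(src="10.50.1.25", dst="198.51.100.80"):
    """Where a full-tunneled spoke packet bound for the internet leaves each hub type."""
    tables = {"concentrator": CONCENTRATOR,
              "nat_hub_default": NAT_HUB_DEFAULT,
              "nat_hub_lan_default": NAT_HUB_WITH_LAN_DEFAULT}
    return {name: forward(table, src, dst) for name, table in tables.items()}

if __name__ == "__main__":
    for name, (iface, nh, seen_src) in spoke_internet_egress().items():
        print(f"{name:20} egress={iface:8} next_hop={nh:13} source seen downstream={seen_src}")
```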
MartinLL
Building a reputation

Honestly, at this moment I think it comes down to whether you want to full tunnel or not.

I do some work in larger datacenter/provider networks and I deploy most hubs in routed mode with LAN BGP.

This allows me to follow the datacenter building blocks by connecting WAN to the PE routers categorized as "outside/untrusted" and the LAN side directly in the customer context/VRF, and carry that traffic across the MPLS core to all distributed services.

This is more of a policy win rather than a technical one. But many providers handle segmentation this way.

MLL
RaphaelL
Kind of a big deal

This is exactly what we wanted to do but our SE was against it. It seems that it wasn't a recommended setup

MartinLL
Building a reputation

Hm. Maybe it's because LAN BGP is fairly fresh? The customers I have running on this setup work like a charm. There is also the additional benefit of not needing an external NAT device for the one-armed VPN-C.

MLL
iores
Here to help

Your default route is out of the WAN port connecting to the PE router, and you exchange all other networks with the LAN side via BGP on the LAN port? What is the scale of your setup?

MartinLL
Building a reputation

Yes, for the hub. Spokes break out to the internet locally.

You run BGP in the SD-WAN as well, then configure a LAN BGP peer to the downstream router to exchange datacenter and SD-WAN routes. BGP peering also occurs between the hub and spoke over the SD-WAN tunnel.

Everything from 10 spokes to 100+.

MLL
iores
Here to help

Why? Can you share any details?

iores
Here to help

What do you mean by full tunnel? The concentrator has only one interface for terminating VPN and LAN traffic. What are the design implications of such traffic mixing? What are the design implications if you use hub routed mode and connect both interfaces (WAN and LAN) to the same LAN next hop, not to the PE router?

MartinLL
Building a reputation

Route everything back to the hub.

You are not mixing traffic. It's just that traffic arrives on the one-armed VPNC encapsulated and leaves un-encapsulated, or vice versa.

Now why in the world would you do that? Would you do that with any regular border firewall? And this is if I look past the technical challenges of doing this.

Or am I misunderstanding your question?

MLL
iores
Here to help

@MartinLL I am just exploring different approaches and their implications given the Meraki best practice.

Could you share the technical challenges you had with this?

PhilipDAth
Kind of a big deal

I use routed mode in 99% of my deployments.

brijenshah23
New here

Have you deployed any MX as a hub in routed mode with DC-DC failover, where both DCs advertise similar routes?
