Meraki Community

ScottM_77 · ‎Mar 18 2024

Good Morning!

I'm sure this question has been asked. But, I did some searching and couldn't find the answer I'm looking for.

A high level view of our topology at our datacenter/NOC level is as follows:

Firewall

|

Content Filter

|

Layer 3 core router

|

Distribution layer

|

Access layer

We are adding a small branch. We have two option to do this in my understanding. Form a VPN peer with our existing firewall (not a Cisco or Meraki firewall). Or our preferred option is use a MX security appliance in the NOC along with a MX security appliance at the branch. We don't need redundancy or hot spares, so just the one MX on each side of the VPN tunnel. So, I have three questions.

1.) In our topology, it looks to me like the MX on the NOC side would plug into our layer 3 switch in our NOC (or even one of the layer 2 switches) and use an internal IP address. We would just need to make sure it's allowed through the firewall. Is this correct?

2.) I've read conficting options on if I'll need do any routing on the MX appiance in the NOC, but if it's forming a VPN peer with the other MX, I'm not seeing why I would?

3.) Can you mix and match the models of MX appliances that work together? For instance we have an MX84 and a MX65 that we would like to use together :).

Apologize if my questions are redundant!

Thanks for the assistance!

KarstenI · ‎Mar 18 2024

You want to provide internet access for the branches through your NOC, right?

1) Yes, you can do it that way. I would typically use a firewall DMZ. But in your setup, the internet traffic should flow through the content filter, which points to a VLAN on the Core.

2) The VPN-Concentrator only needs a default route. But your infrastructure needs routes for all branches to the VPN concentrator.

3) No Problem. Whichever model fits the branches needs. It is not the MX65 nowadays, but anything can be mixed from MX67, 68, 75, and up.

For the redundancy: With Meraki, you only need the same model MX for HA but no additional license. This makes HA quite "cheap".

ScottM_77 · ‎Mar 18 2024

Appreciate your response!

Correct, essentially we will just be providing this branch an internet connection. Also, access to the DHCP server and DNS and camera server. We have internal fiber from our NOC to the distribution switches. This branch doesn't need to even access those sites funny enough.

1.) So, if I'm thinking this through correclty I could connect our MX to our core, give it an internal IP address and let it form the autoVPN with the MX on the branch side?

2.) Since I only need the branch side to be able to access DNS and DHCP services and potentially our camera server, I'd then provide routes on the NOC side MX so the branch can get to that?

3.) Would the MX need to be connected to trunk port wiht a native VLAN tagged or access port with the VLAN I put it in?

We have very low bandwidth needs at this branch, so would use the MX65 on that side and the MX84 on the NOC side. I've worked with Meraki for years, but never the MX products, so just want to make sure I'm not overlooking anything before I begin this project.

Thanks again for your assistance!

KarstenI · ‎Mar 18 2024

1) Yes

2) so no internet for the branches? Then you only need to announce specific routes from the NOC.

3) Both the MX65 and 84 are outdated and will not run the newest firmware. MX67 is the lowest end model and MX85 the lowest end rack mount model.

ScottM_77 · ‎Mar 18 2024

2.) Yes, we do need internet for this branch, appreciate that clarification. So, I'd need routes to the internet, DNS, DHCP and cameras.

3.) Dang on the firmware! Guess we are going to need to look at new appliances if we want to go this route as well!

Thanks again for your help!

KarstenI · ‎Mar 18 2024

When the spoke MXes get the default route, they don’t need any specific routes any more. The L3 device connecting the NOC MX needs all details.

Meraki Community

Site to Site VPN Topology Question

Site to Site VPN Topology Question