Hi guys,
Although I've read the VPN Concentrator Deployment Guide several times now, I still don't get or understand the difference between the deployment as a One-Armed Concentrator vs. the Concentrator in NAT Mode, nor am I very clear on where the advantages and disadvantages of each design are?!
Would be great if anyone could clarify that for me... Thanks in advance for any feedback!
I could probably write a chapter for a book answering this question. To make the answer shorter I am going to assume:
You would probably use One armed VPN concentrator mode if:
You would probably use NAT mode if:
Personally, I mostly use NAT mode myself. I mostly do deployments with less than 200 spokes. I nearly always use the DC's primary Internet connection, and get another "out of band" domestic grade Internet circuit in case of catastrophic failure. I call it cheap insurance.
I also avoid using dynamic routing in Meraki deployments (I like to keep them Meraki simple).
I would also like to recommend the Meraki MX sizing guide by Aaron Willette, which you should regard as a Cisco Meraki God.
@PhilipDAth THANK you very much for this detailed explanation with examples and of course the link to Aaron Willette! This helps me a lot.
@PhilipDAth Could I ask you probably one more question on this?
Let's say I deploy an AutoVPN over Internet (Hub & Spoke) to a HQ/DC where the MX (HA) is configured to act in NAT Mode. Would it also be possible to set a 0.0.0.0/0 route to a 3rd-party firewall connected to a local VLAN on the MXs and route all user Internet traffic over it? Or could there be an issue with the re-routing?!
If you need to do that then you would probably be better using VPN concentrator mode behind the upstream firewall. The default route will then be that device automatically.
Are you inferring that you use the concentrator as a gateway for DC/HQ clients? We are early in our deployment of SD-WAN and want to make sure we have the right concentrator option. Thx.