VPN Concentrator Operating Mode Comparison

Solved
whistleblower
Building a reputation


hi guys,

Although I've read the VPN Concentrator Deployment Guide several times now, I still don't understand the difference between deploying a One-Armed Concentrator and a Concentrator in NAT Mode; nor is it clear to me where the advantages and disadvantages of each design lie.

It would be great if anyone could clarify that for me... thanks for any feedback in advance!

1 Accepted Solution
PhilipDAth
Kind of a big deal

I could probably write a chapter for a book answering this question. To make the answer shorter I am going to assume:

  • The hub will be active/warm spare (not active/active or dual DC).
  • There are fewer than 1500 spokes.
  • There is no MPLS. There is only AutoVPN over the Internet.

You would probably use One-armed VPN concentrator mode if:

  • You have an existing firewall.
  • You have an HA Internet setup.
  • You have a layer 3 network core.
  • You need BGP or OSPF support to exchange routes.

You would probably use NAT mode if:

  • You can plug the MX into more than one Internet circuit so the MX can provide Internet HA itself.
  • You need to support clients behind the MX accessing the Internet, or you want to be able to apply Meraki group policies to those users.

Personally, I mostly use NAT mode myself. I mostly do deployments with fewer than 200 spokes. I nearly always use the DC's primary Internet connection, and get another "out of band" domestic-grade Internet circuit in case of catastrophic failure. I call it cheap insurance.

I also avoid using dynamic routing in Meraki deployments (I like to keep them Meraki simple).

I would also like to recommend the Meraki MX sizing guide by Aaron Willette, whom you should regard as a Cisco Meraki God.

http://www.willette.works/meraki-mx-sizing/


5 Replies

whistleblower
Building a reputation

@PhilipDAth THANK you very much for this detailed explanation with examples and of course the link to Aaron Willette! This helps me a lot.

whistleblower
Building a reputation

@PhilipDAth could I ask you one more question on this?

Let's say I deploy AutoVPN over the Internet (Hub & Spoke) to a HQ/DC where the MX (HA) is configured to act in NAT mode. Would it also be possible to set a 0.0.0.0/0 route to a 3rd-party firewall connected to a local VLAN on the MXs and route all user Internet traffic over it? Or could there be an issue with the re-routing?

PhilipDAth
Kind of a big deal

If you need to do that then you would probably be better off using VPN concentrator mode behind the upstream firewall. The default route will then be that device automatically.

AndrewHaines76
Conversationalist

Are you inferring that you use the concentrator as a gateway for DC/HQ clients? We are early in our deployment of SD-WAN and want to make sure we have the right concentrator option. Thx.

Andrew Haines