VPN Concentrator design choice

Solved
suneq
Getting noticed

Hi guys,

I am totally new to Meraki and trying to learn how to deploy a hub-and-spoke network with 2 hubs: one is the physical "DC" and the other is Azure Cloud:

  • the so-called DC is actually a new small rack with 2 switches and around 20 servers :). The client does not have any firewall and wants to use 2 x MX250 as edge firewalls
  • the Azure Cloud will be the backup of the "DC"

I'm just starting to read the documentation and already have a few questions: 

1. From my understanding, 2 x MX250 should be configured in routed mode. Am I correct?

2. I learned from the VPN Concentrator deployment guide that one-arm concentrator is the recommended configuration for MX appliances serving as VPN termination points into the datacenter. May I know why? From the General MX Best Practices, I understand that it ensures easy integration into an existing network that may already have layer 3 functionality and edge security in place. Is that the reason why one-arm concentrator is recommended compared to routed mode? Are there any features that one-arm concentrator mode supports and routed mode does not?

3. I quickly read the DC-DC failover deployment guide. Is it possible for the MX appliances to be configured in routed mode in DC1 and in one-arm concentrator mode in DC2, or should it be the same mode in both DCs?

Many thanks.

1 Accepted Solution
PhilipDAth
Kind of a big deal

I would use routed mode for your DC.

Azure will use VPN concentrator mode.

The two systems will use unique subnets. So Azure will have different subnets to on-premise.

You don't need to worry about DC to DC failover - the clients will have to decide which servers to connect to - Azure or on-premise.

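As an added example (not code from this thread, from Meraki, or from the poster), the following script sanity-checks a plan like the one in the accepted answer before anything is pushed to the Dashboard: it confirms that the routed-mode DC hub, the passthrough (one-arm concentrator) Azure hub and the spokes all advertise non-overlapping subnets, then builds the per-network API bodies. It assumes the Dashboard API v1 fields `deploymentMode` (appliance settings) and `mode`/`hubs`/`subnets` (site-to-site VPN settings); all network ids and prefixes are constructed placeholders.

```python
import ipaddress
from itertools import combinations

# Constructed plan matching the answer above: the DC MX250 pair runs in routed mode
# and owns its LAN VLANs; the Azure vMX runs in passthrough (one-arm concentrator)
# mode and advertises the VNet ranges; branches are spokes pointing at both hubs.
PLAN = {
    "DC": {"network_id": "N_dc_placeholder", "deployment_mode": "routed",
           "subnets": ["10.10.0.0/24", "10.10.1.0/24"]},
    "Azure": {"network_id": "N_azure_placeholder", "deployment_mode": "passthrough",
              "subnets": ["10.20.0.0/22"]},
    "Branch-01": {"network_id": "N_branch01_placeholder", "deployment_mode": "routed",
                  "subnets": ["10.30.1.0/24"]},
}
HUBS = ["DC", "Azure"]


def overlapping_subnets(plan):
    """Return (site_a, subnet_a, site_b, subnet_b) for every pair of prefixes that
    overlap across different sites. AutoVPN cannot route between hubs or spokes
    that advertise the same address space, so this list must be empty."""
    nets = [(site, ipaddress.ip_network(s))
            for site, cfg in plan.items() for s in cfg["subnets"]]
    return [(a, str(na), b, str(nb))
            for (a, na), (b, nb) in combinations(nets, 2)
            if a != b and na.overlaps(nb)]


def api_payloads(plan, hubs):
    """Build, per network, the appliance-settings body (deploymentMode) and the
    site-to-site VPN body (hub, or spoke with its hub list) with advertised subnets.
    Hub-to-hub failover is deliberately not modelled: as the answer notes, clients
    choose between on-premise and Azure servers themselves."""
    out = {}
    for site, cfg in plan.items():
        vpn = {"mode": "hub" if site in hubs else "spoke",
               "subnets": [{"localSubnet": s, "useVpn": True} for s in cfg["subnets"]]}
        if site not in hubs:
            vpn["hubs"] = [{"hubId": plan[h]["network_id"], "useDefaultRoute": False}
                           for h in hubs]
        out[site] = {"settings": {"deploymentMode": cfg["deployment_mode"]},
                     "siteToSiteVpn": vpn}
    return out


if __name__ == "__main__":
    clashes = overlapping_subnets(PLAN)
    print("subnet clashes:", clashes or "none")
    for site, body in api_payloads(PLAN, HUBS).items():
        print(site, body)
```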
3 Replies
suneq
Getting noticed

That's cool, thanks for your swift reply.

KRobert
Head in the Cloud

Here is a good article on MX Sizing and how to choose the best option for your setup. https://www.willette.works/meraki-mx-sizing/

We have 2 DCs and we utilize two sets of MX250s for our environment with about 40 spoke networks. In each DC we have an HA pair running in 1-arm mode on the LAN. This is for all Site-to-Site VPN traffic. Then we have an HQ pair of MX250s acting as our edge firewall routers, separate from our site-to-site VPN. This way your firewall is independent from your VPN traffic.