I am totally new to Meraki and trying to learn how to deploy a hub-and-spoke network with 2 hubs: one is the physical "DC" and the other is Azure Cloud:
the so-called DC is actually a new small rack with 2 switches and around 20 servers :). The client does not have any firewall and wants to use 2 x MX250 as edge firewalls
the Azure Cloud will be the backup of the "DC"
I'm just starting to read the documentation and already have a few questions:
1. From my understanding, 2 x MX250 should be configured in routed mode. Am I correct?
2. I learned from the VPN Concentrator deployment guide that one-arm concentrator is the recommended configuration for MX appliances serving as VPN termination points into the datacenter. May I know why? From the General MX Best Practices, I understand that it ensures easy integration into an existing network that may already have layer 3 functionality and edge security in place. Is that the reason why one-arm concentrator is recommended compared to routed mode? Are there any features that one-arm concentrator mode supports and routed mode does not?
3. I quickly read the DC-DC failover deployment guide. Is it possible for MX appliances to be configured in routed mode in DC1 and in one-arm concentrator mode in DC2, or should it be the same mode in the 2 DCs?
We have 2 DCs and we utilize two sets of MX250s for our environment with about 40 spoke networks. In each DC we have an HA pair running in 1-arm mode on the LAN. This is for all Site-to-Site VPN traffic. Then we have an HQ pair of MX250s acting as our edge firewall routers, separate from our site-to-site VPN. This way your firewall is independent from your VPN traffic.