VPN Concentrator design choice

SOLVED
suneq

Hi guys,


I am totally new to Meraki and trying to learn how to deploy a hub-and-spoke network with 2 hubs: one is the physical "DC" and the other is Azure Cloud:

  • the so-called DC is actually a new small rack with 2 switches and around 20 servers :). The client does not have any firewall and wants to use 2 x MX250 as edge firewalls
  • the Azure Cloud will be the backup of the "DC"


I'm just starting to read the documentation and already have a few questions:

1. From my understanding, 2 x MX250 should be configured in routed mode. Am I correct?

2. I learned from the VPN Concentrator deployment guide that one-arm concentrator is the recommended configuration for MX appliances serving as VPN termination points into the datacenter. May I know why? From the General MX Best Practices, I understand that it ensures easy integration into an existing network that may already have layer 3 functionality and edge security in place. Is that the reason why one-arm concentrator is recommended compared to routed mode? Are there any features that one-arm concentrator mode supports and routed mode does not?

3. I quickly read the DC-DC failover deployment guide. Is it possible for the MX appliances to be configured in routed mode in DC1 and in one-arm concentrator mode in DC2, or should the same mode be used in both DCs?


Many thanks.


1 ACCEPTED SOLUTION
PhilipDAth

I would use routed mode for your DC.

Azure will use VPN concentrator mode.


The two systems will use unique subnets. So Azure will have different subnets from on-premises.


You don't need to worry about DC to DC failover - the clients will have to decide which servers to connect to - Azure or on-premise.

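The answer above hinges on one planning rule: the routed-mode DC hub and the one-arm-concentrator Azure hub must export non-overlapping subnets, so that every prefix a spoke learns over AutoVPN resolves to exactly one hub and the hub priority order never has to break a tie. The script below is an added example (not code from the thread, from Meraki or from the Dashboard API) that checks a prefix plan for that property before it is typed into the Dashboard. All site names and subnets in it are constructed placeholders.

```python
"""Check a two-hub AutoVPN prefix plan (routed-mode DC + one-arm Azure hub).

Added example; the hub/spoke names and subnets are constructed assumptions,
not values from the discussion. Requires only the standard library.
"""
import ipaddress
from itertools import combinations
from typing import Dict, List, Tuple

# Constructed sample plan (assumption): subnets each site would export into AutoVPN.
HUBS: Dict[str, List[str]] = {
    "DC (routed mode)": ["10.10.0.0/24", "10.10.1.0/24"],
    "Azure (one-arm concentrator)": ["10.20.0.0/22"],
}
SPOKES: Dict[str, List[str]] = {
    "branch-01": ["192.168.1.0/24"],
    "branch-02": ["192.168.2.0/24"],
}


def parse(site_prefixes: Dict[str, List[str]]) -> Dict[str, List[ipaddress.IPv4Network]]:
    """Parse prefixes strictly so a typo such as 10.10.1.5/24 raises ValueError."""
    return {
        site: [ipaddress.ip_network(p, strict=True) for p in prefixes]
        for site, prefixes in site_prefixes.items()
    }


def find_overlaps(*plans: Dict[str, List[str]]) -> List[Tuple[str, str, str, str]]:
    """Return every pair of prefixes from different sites that overlap.

    Any hit here means two sites would advertise competing routes into the
    AutoVPN fabric; the design in the answer requires this list to be empty.
    """
    entries = [
        (site, net)
        for plan in plans
        for site, nets in parse(plan).items()
        for net in nets
    ]
    return [
        (site_a, str(net_a), site_b, str(net_b))
        for (site_a, net_a), (site_b, net_b) in combinations(entries, 2)
        if site_a != site_b and net_a.overlaps(net_b)
    ]


def shared_prefixes(hubs: Dict[str, List[str]]) -> List[str]:
    """Prefixes exported by more than one hub: the only case where hub
    priority order (and therefore DC-to-DC failover) would matter."""
    owners: Dict[str, List[str]] = {}
    for hub, nets in parse(hubs).items():
        for net in nets:
            owners.setdefault(str(net), []).append(hub)
    return sorted(p for p, hubs_for_p in owners.items() if len(hubs_for_p) > 1)


def spoke_route_table(hubs: Dict[str, List[str]], hub_order: List[str]) -> Dict[str, str]:
    """Map each hub-exported prefix to the hub a spoke would send it to.

    hub_order is the spoke's hub priority list; with unique subnets the first
    hub to claim a prefix is also the only one, so setdefault never overrides.
    """
    table: Dict[str, str] = {}
    parsed = parse(hubs)
    for hub in hub_order:
        for net in parsed[hub]:
            table.setdefault(str(net), hub)
    return table


if __name__ == "__main__":
    overlaps = find_overlaps(HUBS, SPOKES)
    print("overlapping prefixes:", overlaps or "none")
    print("prefixes exported by several hubs:", shared_prefixes(HUBS) or "none")
    order = ["DC (routed mode)", "Azure (one-arm concentrator)"]
    for prefix, hub in spoke_route_table(HUBS, order).items():
        print(f"  {prefix:<18} -> {hub}")
```

Run it against the real plan before building anything: an empty overlap list and an empty shared-prefix list confirm that clients, not the MXs, decide whether they reach the on-premises or the Azure copy of a service, which is exactly the "no DC-to-DC failover needed" situation described above.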


That's cool, thanks for your swift reply. 

KRobert

Here is a good article on MX Sizing and how to choose the best option for your setup. https://www.willette.works/meraki-mx-sizing/

We have 2 DCs and we utilize two sets of MX250s for our environment with about 40 spoke networks. In each DC we have an HA pair running in one-arm mode on the LAN. This is for all site-to-site VPN traffic. Then we have an HQ pair of MX250s acting as our edge firewall routers, separate from our site-to-site VPN. This way your firewall is independent of your VPN traffic.
CMNO, CCNA R+S