WAN Topology, Outgrown MX100

MerakiLife

Hi All,

After a few tips for the next stages of our Meraki journey and WAN topology.
We started as a 200 user org with a Meraki Full Stack (MX, MS, MR, MV, MDM).

We are now at 500 users and the MX100 is squealing and hitting 100% utilization on CPU frequently!

We have 3 sites:

- MX100 (HA pair) at HQ with production virtual servers
- MX84 at DataCentre (DR/failover site)
- MX84 at remote branch (no servers, just users)

All 3 sites are connected via Auto VPN.  This has served us well for 3 years.

We used to use the MX100 as a client VPN server and then played with Meraki AnyConnect but had no luck, so we were sold 2 vFTDs (virtual Cisco Firepowers) to do the AnyConnect piece in a more reliable manner than Meraki.
The MXs now NAT VPN traffic to the vFTDs.
I'm looking to re-design this all as I think we need bigger hardware and more bandwidth.

- Do I get a p2p (LAN extension between the HQ and DC) and leave the MX for Internet and VPN only? This will make DR better as there is no re-IP'ing of VMs.
- Do I get an MX250 or MX105 and add a second leased line?
- Do I use the virtual Firepowers and retire the MXs? Let's face it, the MX isn't the best Meraki product.
- Do I get a rebate on the vFTDs and buy a physical FTD appliance?
- Do I do something completely different?
- Ideally I'd also like the AnyConnect VPN to flip between sites if a heartbeat is lost or we have an outage. I've been looking at Cloudflare for DNS failover.

Anyone have any better solutions/ideas?

cmr

You could get a physical FTD appliance for client VPN and enterprise edge and re-purpose the MX100s as VPN concentrators. We use MXs at all our sites for WAN links, but use a different firewall for the client VPN and other enterprise edge features; it works well for us!

If my answer solves your problem, please click Accept as Solution so others can benefit from it.
PhilipDAth

The replacement for the MX100, the MX105, is rated for 750 users and 250 client VPN users.

The MX250 is rated for 2,000 users and 500 client VPN users.

https://meraki.cisco.com/product-collateral/mx-sizing-guide/?file

PS. The MX84 has been replaced by the MX85.

I would say about 90% of my customers are using AnyConnect on MX these days (over FTD or ASA). The most common "new" deployment is using SAML against Azure AD or Cisco Duo. I feel pretty confident with it, having so many people using this configuration.

I typically use QinQ point-to-point circuits (which allow VLANs to be transported over them) for DR. Ideally, a pair of them (for failover), and use LACP to channel them together. Depending on how serious you are with your DR, the 2 circuits would be diverse.

When I use MX in NATed mode for AutoVPN, I typically get a cheap domestic circuit for a backup (ideally from a different provider) in case the main primary circuit fails.

AnyConnect already supports backup servers.  You just configure it in the AnyConnect profile.  Nothing special is needed.
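As an illustration of the backup-server behaviour Philip describes, here is a minimal AnyConnect client profile with a backup server list. This is an added example, not something posted in the thread or copied from Cisco documentation; the hostnames, the "HQ"/"DR" naming and the assumption that both are AnyConnect head-ends (the two vFTDs from the question) are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Hypothetical AnyConnect client profile; hostnames are placeholders -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry>
      <!-- Display name the user picks in the client -->
      <HostName>Corporate VPN</HostName>
      <!-- Primary head-end (assumed: the HQ vFTD) -->
      <HostAddress>vpn-hq.example.com</HostAddress>
      <!-- Tried in order if the primary cannot be reached (assumed: the DR vFTD) -->
      <BackupServerList>
        <HostAddress>vpn-dr.example.com</HostAddress>
      </BackupServerList>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

The client attempts the primary HostAddress first and only falls through to the BackupServerList entries when that connection fails, so the failover is decided on the client rather than by DNS. Since the profile is delivered from whichever head-end the client last connected to, the same profile should be loaded on both head-ends, and each one needs to present a certificate the client trusts for its own name, otherwise the fallback will be blocked by a certificate warning just when it is needed.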
