When is a MX VPN Concentrator *needed*?


Does anyone know of any guidelines regarding when deploying separate MXes for VPN concentrators is strongly recommended (i.e., rather than using edge MXes to terminate the VPNs)?


Is it the number of remote sites, number of remote-access users, throughput related, features enabled, or some combination, perhaps?


Thank you for any assistance possible!  Without understanding more deeply, I’m unable to determine under what conditions it’s critical to add MXes, vs. situations where the cost/benefit relationship may not be sufficient for the customer.


Thank you!


I'd say it's usually the consequence of the requirements of the deployment. When there already is a firewall or NAT device in place, you usually deploy an MX just as a concentrator. Usually this is in central datacenters where the MX isn't always feature-rich enough for all security requirements, or where a client may not want to touch that part of the setup and just "bolt on" the AutoVPN for branches.

Thanks for the reply, Brecht.  


Yes, thank you: that particular situation is very clear.  


However, I've also been told 'Unless the MXes are in VPN Concentrator Mode, you have some limitations on the VPN Loadbalancing side'.  


I've asked for clarification on this, but haven't heard anything more.  Also wondering what other issues (throughput?  features enabled?  #VPNs? etc.) there may be that might affect the answer.  


Thank you, 



I have no idea what that refers to. It may be referring to the distinction between a One-armed concentrator and a NAT-mode concentrator. Only the second one can do SD-WAN (for the subnets on the LAN-side).

Hi again, Brecht.


I received this clarification: 'in the SD-WAN policies you are able to configure a primary uplink, that only is used for outgoing traffic, the Hub MX will always use its primary uplink instead of complying with the SD-WAN Policies.'


Does this help clarify it?



A one armed concentrator only has one uplink, so I don't think this makes a difference?


You need VPN concentrator mode if:

* You need BGP (often because you have more than one DC)

* You have another firewall and you want to use this behind it, and only to terminate VPNs.
