Site-to-site VPN: routed mode or passthrough/one-arm?
I have a new implementation: one hub site at HQ and 17 other sites. The HQ site has an HA pair of Meraki MXs (two units in total). This hub device will be placed behind a Palo Alto firewall. They have a dedicated internet connection only for this particular CCTV network.
What I'm not understanding is what to choose in this case: routed mode or passthrough for the hub site? The rest of the spoke networks will have a direct internet connection, so I'm planning to choose routed mode for the Meraki spokes.
If we choose one-arm concentrator or passthrough, it will have only the internet Ethernet port, right? So both the VPN connection and the internal network communicate with this interface IP only. Am I correct? So which option is better, routed or passthrough, if it's behind a firewall?
Since the MX at your hub is not acting as a firewall, I would probably do it in passthrough mode, and yes, it will just have one cable and you would put it on your LAN.
If the MX is only being used to terminate SD-WAN and you want the Palo Alto to do all the routing and provide security, the VPN concentrator mode would be a good fit.
To make this work reliably, have the PA firewall forward a UDP port (anything other than 1024) to the MX, and configure the MX to use that port.
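As an added illustration of the port-forward the answer above describes (not part of the original thread, and not Meraki or Palo Alto vendor documentation), the PAN-OS set-CLI fragment below is what the destination NAT and matching security rule look like. Every address and port in it is an assumption chosen for the example: 203.0.113.10 for the PA's public (untrust) IP, 10.10.10.10 for the hub MX's LAN IP, UDP 9350 for the forwarded port, and zone names "untrust" and "trust". On the Meraki side the matching setting is the site-to-site VPN NAT traversal option for manual port forwarding, where the same public IP and port are entered so the spokes know where to send VPN traffic.

```text
# --- Palo Alto (PAN-OS set CLI), assumed names and addresses ---
# Service object for the UDP port the MX will be told to use.
set service svc-udp-mx-vpn protocol udp port 9350

# Address object for the hub MX. With an MX warm-spare pair, translate to the
# address the spokes are configured to reach (the shared/virtual address if one
# is in use for the pair), not to one physical unit.
set address addr-mx-hub ip-netmask 10.10.10.10/32

# Destination NAT: inbound UDP/9350 on the public IP goes to the MX.
# On PAN-OS the NAT rule's "to" zone is the zone of the pre-NAT destination
# (the public IP lives on the untrust interface), hence untrust -> untrust.
set rulebase nat rules nat-mx-vpn-inbound from untrust to untrust source any destination 203.0.113.10 service svc-udp-mx-vpn destination-translation translated-address addr-mx-hub translated-port 9350

# Security rule: PAN-OS evaluates security policy with the pre-NAT destination
# IP but the post-NAT destination zone, so destination stays the public IP
# while the "to" zone is the MX's LAN zone.
set rulebase security rules allow-mx-vpn-inbound from untrust to trust source any destination 203.0.113.10 application any service svc-udp-mx-vpn action allow

# --- Meraki side (dashboard, not CLI) ---
# Security & SD-WAN > Site-to-site VPN > NAT traversal: Manual, public IP
# 203.0.113.10, port 9350 (assumed values matching the NAT rule above).
```

Two checks worth doing once this is in place: confirm on the PA traffic log that the inbound session shows UDP/9350 with a NAT translation to the MX address, and confirm on the Meraki dashboard that the hub's VPN status shows the spokes connected via the manually configured port rather than via automatic NAT traversal. If the spoke sites' public addresses are known and static, narrowing the security rule's source from "any" to those addresses is an easy hardening step that the example leaves open.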