Site-to-site VPN: routed mode or passthrough (one-arm)?
I have a new implementation: one hub site at HQ and 17 other sites. The HQ site has an HA pair of Meraki MXs (two units in total). This hub device will be placed behind a Palo Alto firewall. They have a dedicated internet connection only for this particular CCTV network.
What I'm not understanding is what to choose in this case: routed mode or passthrough for the hub site? The rest of the spoke networks will have direct internet connections, so I'm planning to choose routed mode for the Meraki spokes.
If we choose one-arm concentrator or passthrough, it will have only the internet Ethernet port, right? So both the VPN connection and the internal network communicate with this interface IP only. Am I correct? So which option is better, routed or passthrough, if behind a firewall?
Since the MX at your hub is not acting as a firewall, I would probably do it in passthrough mode, and yes, it will just have one cable and you would put it on your LAN.
So it means only one leg will be there on the MX. This interface leg will be the internet type and not the LAN type, right? Am I correct?
What IP should I provide here? It will be a single IP, right?
May I know the traffic flow in this case from the local subnet to the remote site and from the remote site to the local subnet? Inside to outside: LocalSubnet --> Palo Alto --> MX --> VPN tunnel --> RemoteSubnet
Outside to inside? RemoteSubnet --> VPN tunnel --> bypass through Palo Alto --> MX --> Palo Alto --> LocalSubnet
I didn't understand the outside-to-inside path with a single interface leg. How does the MX route the traffic if the route option is not available?
If the MX is only being used to terminate SD-WAN and you want the Palo Alto to do all the routing and provide security, VPN concentrator mode would be a good fit.
To make this work reliably, have the PA firewall forward a UDP port (anything other than 1024) to the MX, and configure the MX to use that port.
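As an added worked example of the arrangement described in that answer (not configuration from the thread or from any of the posters), here is what the Palo Alto side of a one-arm MX concentrator can look like in PAN-OS CLI `set` format: a destination NAT for the forwarded AutoVPN UDP port, the matching security rule, and the static route that gives the PA a path back to the spoke subnets through the MX. Every address, zone, interface name, port number and rule name below is an assumption chosen for illustration; substitute your own.

```text
# Added example, not from the thread. Assumed values:
#   PA untrust interface  : ethernet1/1, public IP 203.0.113.10, zone "untrust"
#   PA inside interface   : ethernet1/2, 10.10.10.1/24, zone "cctv-lan"
#   MX one-arm concentrator: 10.10.10.2 on that LAN, default gateway 10.10.10.1
#   Forwarded UDP port    : 32768 (any port above 1024 works; it must match the MX)
#   Spoke CCTV subnets    : summarised as 10.20.0.0/16

# 1. Service object for the UDP port the MX will be told to use
set service udp-autovpn protocol udp port 32768

# 2. Destination NAT: Internet -> 203.0.113.10:32768 is translated to the MX
#    (NAT rules match on pre-NAT zones, so both from and to are "untrust")
set rulebase nat rules dnat-autovpn-to-mx from untrust to untrust source any destination 203.0.113.10 service udp-autovpn destination-translation translated-address 10.10.10.2

# 3. Security rule admitting the forwarded port. Security policy matches on the
#    post-NAT zone ("cctv-lan") but the pre-NAT destination address (the public IP).
set rulebase security rules allow-autovpn-inbound from untrust to cctv-lan source any destination 203.0.113.10 service udp-autovpn application any action allow

# 4. Outbound: the MX itself must reach the Meraki cloud and the spokes' public IPs
set rulebase security rules allow-mx-outbound from cctv-lan to untrust source 10.10.10.2 destination any service any application any action allow

# 5. Return path for "LocalSubnet -> PA -> MX -> tunnel": route the spoke
#    summary out the inside interface with the MX as next hop.
set network virtual-router default routing-table ip static-route to-spoke-cctv destination 10.20.0.0/16 interface ethernet1/2 nexthop ip-address 10.10.10.2

# 6. LAN -> spoke traffic enters and leaves the PA on ethernet1/2 (a hairpin
#    within "cctv-lan"). Only needed if the default intrazone-allow has been changed.
set rulebase security rules allow-cctv-to-spokes from cctv-lan to cctv-lan source 10.10.10.0/24 destination 10.20.0.0/16 service any application any action allow
```

Two practical checks on this design. First, the port in step 1 must be the same one entered on the MX's site-to-site VPN page (Meraki's manual NAT traversal / port forwarding setting), otherwise spokes will keep trying the automatically discovered port and the tunnels will not come up. Second, the static route in step 5 is what answers the "how does the MX route with one leg" question: the MX does not need a second interface because the PA already owns the hub LAN routing; the MX only needs the hub subnets listed as local networks to advertise over the VPN, and the PA only needs to know that spoke prefixes live behind 10.10.10.2. Traffic from a spoke arrives encapsulated on the forwarded UDP port, is decapsulated by the MX, and is sent to its default gateway (the PA) for policy enforcement before reaching the local subnet, which is the "MX --> Palo Alto --> LocalSubnet" leg in the flow asked about above.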