vpn concentrator or routed mode on HUB/DC location

MirzaDz
Getting noticed

Hello,

Planning to implement an MX at the HQ/DC, where the company's resources are. The spoke locations will route traffic destined for private resources over VPN and communicate with the internet directly. The MX at HQ will be connected to L3 switches. The plan is that the L3 switches receive routes via OSPF from the MX and also send routes/networks from the L3 switches to the HQ MX and then finally to the spokes. At the spoke locations the plan is to use routed mode, but what is the advice for choosing the mode for the MXs at HQ (VPN concentrator or routed mode)? Asking this because of some OSPF limitations. The MXs at the HQ location will be in HA.

Does anyone have any advice or experience?

Thank you,

Best regards,

ww
Kind of a big deal

If you have an internet firewall at HQ you could use one-armed mode.

If you want to use the MX as the HQ internet firewall, you run routed mode.

MX OSPF doesn't learn routes. If possible, use BGP for dynamic routing.

MirzaDz
Getting noticed

Hello,

We have a firewall, but it is way more complicated to NAT to the MX in armed mode. The plan is to use routed mode, directly connecting to the ISPs. Spokes will access resources over VPN, and access the internet using DIA, using some SD-WAN features to measure QoS over VPNs and load balance traffic.

So I guess I can choose routed mode with BGP settings on the VPN tunnel between hub and spokes, and with the hub and L3 switches, because OSPF will not learn routes from the L3 switches, it will just advertise. Did I understand correctly?

Thank you,

Best regards

cmr
Kind of a big deal

It should not be complicated to NAT through the edge firewall to a one armed MX.  If you have outbound internet access through the firewall, the MX may well just work without any further changes.

MirzaDz
Getting noticed

Hello,

Thank you for your help and advice. What if we have more than one ISP on the edge firewall?

Also, can I get advice regarding what I wrote above (routed mode and BGP, is it possible)?

Thank you one more time

RWelch
A model citizen

Depending on how your setup is configured as mentioned by @ww, the VPN Concentrator Deployment Guide might help you with your setup/configuration.

https://documentation.meraki.com/MX/Deployment_Guides/VPN_Concentrator_Deployment_Guide#Deploying_a_...
