Meraki

Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

vpn concentrator or routed mode on HUB/DC location

MirzaDz
Here to help
Tuesday
Tuesday

vpn concentrator or routed mode on HUB/DC location

Hello,

 

Planning to implement MX on the HQ/DC where is resources of company. Spoke location will route traffic destinated to private resource over vpn and communicate to the internet directly. MX on HQ will be connect to L3 switches. Plan is that L3 switches recieves route via OSPF from MX and also send routes/network from L3 switch to HQ MX and than finnaly to the spoke. On the spoke location plan is use routed mode, but what is advice for choosing mode for MXs in HQ (vpn concentrator or routed mode). Asking this because of some OSPF limitation. MXs on HQ location will be in HA. 

 

Does anyone have some advices or experience ?

 

Thank you,

Best regards,

Labels:
0 Kudos
5 Replies 5
ww
Kind of a big deal
Kind of a big deal
Tuesday
Tuesday

If you have a internet firewall on hq you could use one armed mode. 

 

If you want to use the mx as hq internet firewall you run routed mode.

 

MX ospf doesnt learn routes. If possible use bgp for dynamic routing 

In response to ww
MirzaDz
Here to help
Tuesday
Tuesday

Hello,

 

Have firewall but it is way more complicated to NAT to the MX in armed mode. Plan is to use routed mode, directly connecting to the ISPs. Spokes will access resource over vpn, and accessing internet using DIA and using some SD-wan feature to meassure qos over vpns and load balance traffic.

 

So i guess i can choose routed mode with BGP settings on vpn tunnel between hub and spokes, and with hub and l3 switches, because ospf will not learn route from l3 switches, it will just advertise. Did i understand correctly? 

 

Thank you,

Best regards

0 Kudos
In response to MirzaDz
cmr
Kind of a big deal
Kind of a big deal
Tuesday
Tuesday

It should not be complicated to NAT through the edge firewall to a one armed MX.  If you have outbound internet access through the firewall, the MX may well just work without any further changes.

0 Kudos
In response to cmr
MirzaDz
Here to help
Tuesday
Tuesday

Hello,

 

Thank you for your help and advices. What if we have more than one isp on edge firewall?

Also can i get advice regarding what i wrote above(routed mode and bgp is it possible)

 

Thank you one more time

0 Kudos
RWelch
Building a reputation
Tuesday
Tuesday

Depending on how your setup is configured as mentioned by @ww, the VPN Concentrator Deployment Guide might help you with your setup/configuration.

https://documentation.meraki.com/MX/Deployment_Guides/VPN_Concentrator_Deployment_Guide#Deploying_a_...

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.