MS450

RyanJunk
Conversationalist

Hi,

I’m planning a setup of 6 x MX450s configured as AutoVPN Hubs split across 2 separate 10Gbps bearers, 3 on each, although I intend to cross connect on the alternate WAN port in the event of one of the bearers failing.

Both of the ISPs' CPEs only have a single SFP+ port, and 1 of them only provides 5 usable IP addresses.

Would it be possible to create a separate network in Meraki and have a pair of MS450s connecting the 2 bearers to the 6 x MX450s in 2 separate VLANs running their own DHCP so that all the MX450s are NAT’d to a single address per bearer?

Or is there a much better way of doing this?

Being able to NAT is pretty key, as it means all the traffic from clients at spoke sites will appear on the internet from only 2 publicly facing IP addresses, which makes configuring the firewall of our externally provided RADIUS and DNS simple.

2 REPLIES 2
KarstenI
Kind of a big deal

It seems to me that there are quite many open points in your design.

  1. You are aware that you need one Meraki network per MX if you want them all active as a VPN hub?
  2. Putting the MS in front of the MXes will not work as they cannot do any NAT.
  3. You have a BOM worth of more than $100k and you want to go with an ISP connection with only 5 usable addresses?
  4. When you are talking about secondary WAN, you probably plan for routed mode. Did you also consider one-armed concentrator for this setup?
  5. If you want to let all traffic appear from one or two IPs, putting a dedicated non-Meraki firewall in front of the MX concentrators will probably make your life much easier.
PhilipDAth
Kind of a big deal

Could you explain your requirements instead? For example, how many remote sites are you trying to support? How many DCs do you have? How many users are you trying to support?

It's hard to understand how you settled on 6 x MX450s, and all the other bits, without understanding what you are trying to achieve.

Some documents that are related to your questions are:

https://documentation.meraki.com/MX/Deployment_Guides/VPN_Concentrator_Deployment_Guide 

https://www.willette.works/active-active-meraki-sd-wan-headends/

Using 6 x MX450s suggests to me you may have around 5,000 remote sites. If so, you'll probably need to use BGP as well.

https://documentation.meraki.com/MX/Networks_and_Routing/BGP

I also know that Meraki would love to help you with the design for such a large opportunity.  I would reach out to your local Meraki rep to get that help.
