I did this for an organisation, and the model I followed had the branch VLAN 300 on a WAN port. The HQ MX was in VPN concentrator mode with an L3 switch terminating VLAN 300 and a separate set of firewalls as the corporate edge. After I left, another team thought they could simplify it and maintain functionality, but ended up realising that it was the only sensible way to get it all working.