This isn't a great use case for the MX. The biggest issue is that, today, you cannot disable NAT on the MX. So you're going to have to NAT your private IP space inside your own network at the branches. This also implies you're going to have to manage port forward rules at the branches for any traffic that needs to establish a connection in the to-branch direction. Of course, if you run everything inside of VPN tunnels then you can get around this. Further, if your MPLS doesn't have Internet access then you cannot connect a WAN port of the MX84 at the DC to it. MX WAN ports require Internet access and will not forward traffic without it. Meraki does have a recommended topology for what you're trying to do; it's just not really the best solution. https://documentation.meraki.com/MX-Z/Site-to-site_VPN/Configuring_Site-to-site_VPN_over_MPLS