
Configuring VPN Concentrator for the Data Center

You have two options for deploying an MX series appliance at your data center: VPN Concentrator mode or NAT mode. Use the table below to choose the appropriate mode.

Deployment Mode             Recommended When . . .

VPN Concentrator            There is already a firewall in the HQ/data center. The MX is simply a VPN
(1-Armed)                   concentrator for the site-to-site VPN traffic, which can also advertise VPN
                            routes via OSPF.

NAT                         The MX is the Layer 7 application firewall in the HQ/data center.

Deploying VPN Concentrator (1-Armed) mode

In this mode, simply connect the Internet1 port of the MX to the desired VLAN at the HQ/data center and leave the LAN ports unconnected, as in the following example:


In this example, the HQ has 3 VLANs:

  • VLAN 0: 192.168.0.252/29
  • VLAN 1: 192.168.1.0/24
  • VLAN 2: 192.168.2.0/24

There are also three branches:

  • Branch 1: 192.168.11.0/24
  • Branch 2: 192.168.12.0/24
  • Branch 3: 192.168.13.0/24

Configuring the MX

  • Set the IP address of the MX: Connect the MX's Internet1 port to VLAN 0, and (using the local wired.meraki.com page) statically set the MX IP address to 192.168.0.253/30, with the default gateway set to 192.168.0.254. You can use the same DNS servers as you use for the rest of your network (either an internal/private DNS address or a public one such as 8.8.8.8).

    Make sure that the LAN ports are unplugged!

  • Enable VPN Concentrator mode: Choose Configure > Addressing and VLANs > Mode > Passthrough or VPN Concentrator.

  • Advertise the HQ subnets: The HQ MX, which is the VPN concentrator, needs to advertise the HQ subnets to the branch sites. This allows MX devices at the branch networks to receive routing information about the HQ and update their route maps for the newly available subnets through the VPN tunnel. By enabling VPN on your HQ subnets, you allow the Dashboard to advertise these subnets to all other MX devices that are part of the site-to-site mesh network. To advertise subnets:
    • Choose Configure > Site-to-site VPN and ensure that VPN is enabled.
    • Specify each Subnet that the concentrator will advertise (using CIDR notation), and specify a descriptive Name for each.

  • Add routes to the HQ Layer 3 switch: You need to instruct the HQ Layer 3 switch to route any traffic destined for the branches through the MX VPN Concentrator. For the three branches in our example, here are the commands you need to enter on a Cisco Layer 3 switch:

ip route 192.168.11.0 255.255.255.0 192.168.0.253
ip route 192.168.12.0 255.255.255.0 192.168.0.253
ip route 192.168.13.0 255.255.255.0 192.168.0.253

Testing

You should be able to ping any of the HQ subnets from one of the branches.

Deploying in NAT mode

In this mode, you must connect the Internet1 port to your local ISP connection, and then connect any of the LAN ports to your local network, as illustrated in the following example.


In this example, the HQ has 3 VLANs:

  • VLAN 0: 192.168.0.252/30
  • VLAN 1: 192.168.1.0/24
  • VLAN 2: 192.168.2.0/24

There are also three branches:

  • Branch 1: 192.168.11.0/24
  • Branch 2: 192.168.12.0/24
  • Branch 3: 192.168.13.0/24

Configuring the MX

  • Set the IP address of the MX: Connect the MX's Internet1 port to your local ISP connection, and statically set the MX Internet1 IP address to 192.168.0.253/30, with the default gateway set to 192.168.0.254. You can use the same DNS servers as you use for the rest of your network (either an internal/private DNS address or a public one such as 8.8.8.8).
  • Enable NAT mode: Choose Security appliance > Configure > Addressing and VLANs > Mode > Network Address Translation (NAT).
    • Click the Local LAN subnet:
    • In the Subnet field, enter 192.168.0.254/30.
    • In the MX IP field, enter 192.168.0.254.
    • Unless VPN connectivity to the /30 subnet is desired, set In VPN to No.
  • Add static LAN routes: The HQ MX needs to know about the additional two subnets behind the Layer 3 switch at the HQ. This information is required to route packets destined for these two subnets. Also, the Dashboard uses this information to advertise the HQ routing information to remote branch MXs. For example, if someone at Branch 1 wants to connect to a file server at the HQ (VLAN1, 192.168.1.15), the remote MX at Branch 1 must know that the 192.168.1.0/24 subnet is located at the HQ. By entering static LAN routes at the HQ (see below), you allow the Dashboard to advertise these subnets to all other MX devices that are part of the site-to-site mesh network.
    • To add static LAN routes, still under Addressing and VLANs, click Add a static route.
    • Enter the Name, Subnet, and Gateway IP fields (assuming that 192.168.0.252 is the Layer 3 switch's IP address).
    • Set In VPN to Yes:
    • Repeat as needed for the remaining static routes.

Configuring the HQ Layer 3 switch

You need to configure the HQ Layer 3 switch to route any traffic destined for the branches to the MX VPN Concentrator so that the traffic can be tunneled through the VPN. For the three branches in our example, below are the commands you need to enter on a Cisco Layer 3 switch:

ip route 192.168.11.0 255.255.255.0 192.168.0.254
ip route 192.168.12.0 255.255.255.0 192.168.0.254
ip route 192.168.13.0 255.255.255.0 192.168.0.254
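A quick way to check a route plan like the ones in both sections above (1-Armed mode with the MX at 192.168.0.253, NAT mode with the MX LAN IP at 192.168.0.254) before pushing it to the switch. This is an added example, not Meraki's or Cisco's code: it parses the guide's "ip route" lines and verifies them against the example subnets; the rules inside check_route_plan() are this example's own assumptions.

```python
import ipaddress
import re

# Constructed from the guide's example addressing (VLAN 0 is the MX transit /30)
HQ_VLANS = {"VLAN 0": "192.168.0.252/30", "VLAN 1": "192.168.1.0/24", "VLAN 2": "192.168.2.0/24"}
BRANCHES = {"Branch 1": "192.168.11.0/24", "Branch 2": "192.168.12.0/24", "Branch 3": "192.168.13.0/24"}
# The guide's commands for 1-Armed mode; in NAT mode the next hop is 192.168.0.254
IOS_ROUTES_ONE_ARMED = """
ip route 192.168.11.0 255.255.255.0 192.168.0.253
ip route 192.168.12.0 255.255.255.0 192.168.0.253
ip route 192.168.13.0 255.255.255.0 192.168.0.253
"""
ROUTE_RE = re.compile(r"^ip route (\S+) (\S+) (\S+)$")


def parse_ios_routes(text):
    """Map each 'ip route <net> <mask> <next-hop>' line to {network: next_hop}."""
    routes = {}
    for line in text.strip().splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised line: {line!r}")
        dest, mask, next_hop = m.groups()
        routes[ipaddress.ip_network(f"{dest}/{mask}")] = ipaddress.ip_address(next_hop)
    return routes


def check_route_plan(routes, branches, hq_vlans, mx_ip, transit_vlan):
    """Return a list of problems; an empty list means the plan matches the guide.

    Assumed rules: the MX next hop must sit in the switch's transit VLAN, every
    branch subnet needs a route pointing at the MX, and no branch may overlap an HQ VLAN.
    """
    problems = []
    mx = ipaddress.ip_address(mx_ip)
    transit = ipaddress.ip_network(transit_vlan)
    if mx not in transit:
        problems.append(f"MX {mx} is not inside the transit VLAN {transit}")
    for name, cidr in branches.items():
        net = ipaddress.ip_network(cidr)
        for vlan, vcidr in hq_vlans.items():
            if net.overlaps(ipaddress.ip_network(vcidr)):
                problems.append(f"{name} {net} overlaps HQ {vlan} {vcidr}")
        next_hop = routes.get(net)
        if next_hop is None:
            problems.append(f"{name} {net} has no static route on the L3 switch")
        elif next_hop != mx:
            problems.append(f"{name} {net} points at {next_hop}, not the MX {mx}")
    return problems
```

Running the 1-Armed routes against the NAT-mode MX address (192.168.0.254) reports all three routes as pointing at the wrong next hop, which is the mistake to look for when switching between the two modes.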

Testing

You should be able to ping any of the HQ subnets from one of the branches.

Last modified: 16:56, 10 Oct 2016
Article ID: 4176