Cisco MX SD-WAN Connection Models
Meraki SD-WAN Deployment Guide
When consulting with companies and organizations that are ready to deploy a cloud-managed MX WAN infrastructure, it is always my responsibility to help them understand the various connectivity models available and the appropriate deployment practices. With WAN connection options evolving faster than ever, it’s important to know what options are available and, more importantly, to help map business needs to the final design.
Too often this foundational topic is poorly planned, which results in more difficult changes later in the deployment cycle. My mission here is to help break down the details of each architecture so that you understand the unique benefits of each approach and how it can best serve and scale your business.
MX Hubs and Spokes
MX devices can securely combine independent private and public transports into a WAN fabric that can span the globe by using hub, spoke, and mesh connection models. AutoVPN is the technology that powers it all, so that’s where we start.
When AutoVPN is enabled on an MX security appliance network, an administrator must choose whether the device should be a hub or a spoke node. The differences are significant.
MX hubs automatically build VPN tunnels to all other MX hubs as well as dependent MX spokes (those that have selected specific hubs) in the organization. This is the default setting, so each MX will try to peer with every other MX left in hub mode. This can lead to scaling challenges, as we will discuss below.
MX spokes only build VPN tunnels to MX hubs. In addition, they only tunnel to hubs specifically designated on the Site-to-Site VPN configuration page in Dashboard.
Several hubs can be added and prioritized in descending order. A common use case is to add a primary data center MX as the primary hub, followed by a secondary or DR data center for failover of any shared subnets.
Another common practice is to define hub priority based on geography. If a spoke is in London, for example, it may have its primary hub in-country with an out-of-country (or out-of-continent) MX hub listed as the secondary. Using this method allows all spokes to connect to their preferred hubs, which can be widely distributed.
Finally, there is no hard limit to the number of hubs that can be added to a spoke, although most production spokes use 1-3.
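The hub and spoke peering rules described above, modeled as an added example (not code from the original article or from Meraki). The site names and the inventory layout are constructed for illustration and are not Dashboard API output; treating the first reachable hub in the priority list as the preferred one is a simplifying assumption.

```python
from itertools import combinations

# Constructed inventory (hypothetical names). "hubs" is a spoke's designated
# hub list in priority order; hub-mode sites leave it empty.
SITES = {
    "dc-primary": {"mode": "hub", "hubs": []},
    "dc-dr":      {"mode": "hub", "hubs": []},
    "london":     {"mode": "spoke", "hubs": ["dc-primary", "dc-dr"]},
    "leeds":      {"mode": "spoke", "hubs": ["dc-primary"]},
    "kiosk-7":    {"mode": "hub", "hubs": []},  # left in default hub mode
}

def tunnels(sites):
    """Tunnels implied by the rules: hub<->hub everywhere, spoke->designated hubs."""
    hubs = sorted(n for n, s in sites.items() if s["mode"] == "hub")
    links = {frozenset(pair) for pair in combinations(hubs, 2)}
    for name, s in sites.items():
        if s["mode"] != "spoke":
            continue
        for h in s["hubs"]:
            if sites.get(h, {}).get("mode") != "hub":
                raise ValueError(f"{name}: {h} is not a hub")
            links.add(frozenset((name, h)))
    return links

def per_site_count(sites):
    """Number of tunnels each device has to maintain."""
    counts = {n: 0 for n in sites}
    for link in tunnels(sites):
        for n in link:
            counts[n] += 1
    return counts

def preferred_hub(sites, spoke, down=()):
    """First designated hub, in priority order, that is not marked down."""
    return next((h for h in sites[spoke]["hubs"] if h not in down), None)

def review(sites, intended_hubs):
    """Flag hub-mode sites outside the intended set and spokes with one hub."""
    findings = []
    for n, s in sorted(sites.items()):
        if s["mode"] == "hub" and n not in intended_hubs:
            findings.append((n, "unintended hub"))
        if s["mode"] == "spoke" and len(s["hubs"]) < 2:
            findings.append((n, "single hub"))
    return findings

if __name__ == "__main__":
    print(len(tunnels(SITES)), per_site_count(SITES))
    print(review(SITES, {"dc-primary", "dc-dr"}))
```

The site left in default hub mode peers with both data centers even though nothing was designed to route through it, which is the kind of drift worth checking for before the tunnel count grows.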
Okay, now that we’ve got the hub and spoke definitions out of the way, let’s take a look at some of the different ways we can put the pieces together.
Hub and Spoke WAN Architecture
The most commonly deployed MX WAN model is the classic hub and spoke (H + S) design. In the H + S model, data centers and high-resource sites are selected as WAN hubs and all other sites serve as spokes.
For organizations with most applications available from data centers, the H + S configuration can be a natural fit. I often see primary data centers and DR sites configured as hubs, and remote offices, branches, and production sites configured as spokes directly connected to the two hub sites.
Sites selected as hubs need not be limited to data centers, however. Companies that serve resources from their corporate sites can choose to promote the MX at those sites to be part of the mesh by connecting it directly to all other sites.
H + S Advantages
Although simple, the hub and spoke architecture brings some powerful benefits that cannot be ignored. For example, a well-designed H + S deployment provides very large scale.
With large data center appliances, the number of supported spoke nodes can easily measure in the thousands. Large DC boxes mean that spoke nodes can be small devices, as they only need to build IPSec tunnels to a limited number of hub sites.
The centralized design of hub and spoke also allows for the rapid deployment of any additional remote MXs. Because the AutoVPN configuration is consistent across similar sites, this model fits nicely into the context of templates, further facilitating high-speed deployment.
Full Mesh WAN Architecture
Full mesh: the unicorn of WAN engineers everywhere. Why wouldn’t we, if we could simply spin up persistent tunnels between all individual WAN nodes?
Before we answer that, let’s first talk about what a full mesh is. In full mesh MX architectures, each node builds a persistent IPSec tunnel to every other MX. This is the default setting when AutoVPN is enabled, because each MX unit is set to hub mode by default, resulting in something like the following diagram.