What is a one armed VPN Concentrator?

Answered by Robert Flynn

A one-armed VPN concentrator is a configuration mode for a pair of Meraki MX appliances where they are connected only via their Internet ports. This mode is typically used when the MX pair is deployed in a high availability (HA) setup and is designed to optimize VPN traffic routing.

In this configuration, both ingress and egress packets for VPN traffic are sent through the same interface on the MX. This means that the MX pair acts as a single logical unit for handling VPN traffic, even though they are physically separate devices.

To enable this mode, you would typically connect the Internet ports of both MX appliances to the same network switch or router. This allows both MX units to have access to the Internet and establish VPN connections.

It is important to note that in one-armed VPN concentrator mode, only VPN traffic is routed to the MX appliances. This means that regular non-VPN traffic, such as internet browsing or email, would not be processed by the MX and would follow the normal routing path.

To ensure that traffic is properly routed over the VPN tunnel, a new route must be added on the layer 3 switch that connects to the MX pair. This route should specify the destination subnet or IP range for the VPN traffic and the next hop as the IP address of the MX appliance.

For example, let’s say you have a remote office that needs to connect to the main office over a VPN. The remote office has a layer 3 switch that connects to the MX pair. To route traffic over the VPN tunnel, you would add a route on the layer 3 switch that directs traffic destined for the main office subnet (or specific IP addresses) to the IP address of the MX appliance.

Once the route is configured, any traffic from the remote office that matches the specified destination will be sent to the MX appliance, which will then handle the encryption and routing over the VPN tunnel.
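The point made above, that only destinations with a matching route reach the MX while everything else follows the normal path, can be checked mechanically. The following is an added example, not part of the original answer: it performs a longest-prefix lookup against a constructed layer 3 switch routing table and reports any VPN subnet whose traffic would bypass the MX next hop. All addresses are placeholders.

```python
import ipaddress

# Constructed sample routing table for the layer 3 switch (prefix -> next hop).
# Addresses are placeholders, not from any real deployment.
MX_VPN_NEXT_HOP = "192.168.10.2"      # MX address on the one-armed segment
SWITCH_ROUTES = {
    "0.0.0.0/0": "192.168.10.1",      # default route towards the Internet router
    "192.168.10.0/24": "connected",   # the segment the MX Internet port sits on
    "10.20.0.0/16": MX_VPN_NEXT_HOP,  # main office subnet, routed into the VPN
}
# Subnets that are supposed to be reached over the VPN tunnel (constructed).
REMOTE_VPN_SUBNETS = ["10.20.0.0/16", "10.30.0.0/24"]


def lookup(routes, dst):
    """Longest-prefix match of one destination address.

    Returns (matching_network, next_hop) or None if no route covers dst.
    """
    dst = ipaddress.ip_address(str(dst))
    best = None
    for prefix, next_hop in routes.items():
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def audit_vpn_routes(routes, vpn_subnets, mx_ip):
    """Return {subnet: next_hop_actually_used} for VPN subnets that bypass the MX.

    A subnet is fine only when the best-matching route covers the whole subnet
    and points at the MX; otherwise that traffic follows the normal routing
    path (typically the default route) instead of entering the tunnel.
    """
    leaks = {}
    for subnet in vpn_subnets:
        net = ipaddress.ip_network(subnet)
        match = lookup(routes, net.network_address)
        if match is None or match[1] != mx_ip or not net.subnet_of(match[0]):
            leaks[subnet] = match[1] if match else None
    return leaks


if __name__ == "__main__":
    # Expected: 10.30.0.0/24 has no route to the MX and would use the default route.
    print(audit_vpn_routes(SWITCH_ROUTES, REMOTE_VPN_SUBNETS, MX_VPN_NEXT_HOP))
```

Adding the missing `10.30.0.0/24 -> MX` entry to the table makes the audit return an empty result, which is the state the answer describes for traffic that should be encrypted.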

A one-armed VPN concentrator is a configuration mode for a pair of MX appliances where they are connected via their Internet ports and only VPN traffic is routed to the MX. This mode allows for efficient and centralized handling of VPN traffic in an HA setup.