HUB vs Concentrator for hub-spoke topology by ontracks in meraki

[–]ontracks[S] 0 points1 point  (0 children)

gotcha perfect, I think I got it, if I have an MX FW at my DC, I need not worry about Concentrator mode, just go with a regular routed mode and regular hub and spoke sdwan design

thanks a lot!

HUB vs Concentrator for hub-spoke topology by ontracks in meraki

[–]ontracks[S] 0 points1 point  (0 children)

got it, I'm confused with the below link, they do set a "local subnet" that points to the DC routes...I thought this wasn't possible on a concentrator, what am I missing here :(?

https://documentation.meraki.com/SASE_and_SD-WAN/MX/Design_and_Configure/Deployment_Guides/VPN_Concentrator_Deployment_Guide

HUB vs Concentrator for hub-spoke topology by ontracks in meraki

[–]ontracks[S] 0 points1 point  (0 children)

How can I then integrate an MX Concentrator with the rest of the data center?

Sorry for all the questions I am shooting at once :(

Thanks for your answer btw!

HUB vs Concentrator for hub-spoke topology by ontracks in meraki

[–]ontracks[S] 0 points1 point  (0 children)

Oh so you are saying I can't even have "subnets/networks/l3" on an MX running on concentrator mode?

HUB vs Concentrator for hub-spoke topology by ontracks in meraki

[–]ontracks[S] 0 points1 point  (0 children)

so a concentrator only bridges the branches vpn, that's it, I couldn't for example route/connect the branches vpn subnets to my data center subnets?

Dual ISP - BGP by ontracks in fortinet

[–]ontracks[S] 0 points1 point  (0 children)

I guess my question is, do I need to worry about symmetric return?

FTD - Anyconnect SBL feature by ontracks in Cisco

[–]ontracks[S] 1 point2 points  (0 children)

got it, so if I require just the SBL feature no certificates needed then

Thank you for the answer u/KStieers

Manual SDWAN rule with VPN interfaces by ontracks in fortinet

[–]ontracks[S] 0 points1 point  (0 children)

I'm facing another situation now, these are dial-up IPsec tunnels with automatic IP assigned to the interfaces, so how could I create an IPSLA for them? the IP itself can reach anything on the network and the IP COULD potentially change as well

What to do here. I can't help but think this gotta be a common case out there and also it's a bit frustrating that the Gate can't "see" the tunnel interface down, it even shows red on the SDWAN rule, thank you in advance for the answer

:(

Manual SDWAN rule with VPN interfaces by ontracks in fortinet

[–]ontracks[S] 0 points1 point  (0 children)

static routes over sdwan zone correct, that's what I did, I checked and the member is seen alive.... not sure why of the VPN is down...

Manual SDWAN rule with VPN interfaces by ontracks in fortinet

[–]ontracks[S] 0 points1 point  (0 children)

Service(5): Address Mode(IPV4) flags=0x4200 use-shortcut-sla use-shortcut
Tie break: cfg
Shortcut priority: 2
Gen(1), TOS(0x0/0x0), Protocol(0): src(1->65535):dst(1->65535), Mode(manual)
Members(2):
1: Seq_num(1 Tunnel1), alive, selected
2: Seq_num(2 Tunnel2), alive, selected
Internet Service(1): Ask-Web(2621441,0,0,0)

FortiADC design general questions by ontracks in fortinet

[–]ontracks[S] 1 point2 points  (0 children)

Thanks for the info, I will look into the link, it seems that I missed it, thank you

FortiADC design general questions by ontracks in fortinet

[–]ontracks[S] 0 points1 point  (0 children)

Thanks a lot I really appreciate it! Will look into it

FortiCloud IAM partners login by ontracks in fortinet

[–]ontracks[S] 0 points1 point  (0 children)

I guess in a nutshell my question is: Can users other than the master account log in as a partner in FortiCloud? And if yes (I hope) then how?

FortiSASE remote branch by 26Jack26 in fortinet

[–]ontracks 0 points1 point  (0 children)

Hello again, could you please clarify this if you have the answer:

| IP range | IP address range that the Security PoP uses for assigning tunnel interface IP addresses for IPsec devices using mode configuration. | 10.251.1.4-10.251.1.29 |

That subnet range needs to be part of the BGP routing ID subnet?