
Configuring a Meraki VPN Concentrator for Hub-and-Spoke


A secure, reliable VPN is critical when you’re connecting multiple sites to shared applications and services. A VPN concentrator serves as the central point where encrypted connections from branch locations terminate, allowing traffic to move securely between sites and core resources.

In a Cisco Meraki environment, any MX security and SD-WAN appliance can be configured as a VPN concentrator, with models typically sized based on VPN throughput and connection demands. In a hub-and-spoke topology, a central MX acts as the hub, while branch MX appliances connect as spokes, centralizing routing, simplifying management, and supporting scalable growth.

The sections below unpack how this architecture works and what to consider when configuring a Meraki VPN concentrator correctly.

Understanding The Meraki VPN Concentrator

A Meraki VPN concentrator is a Cisco Meraki MX security and SD-WAN appliance configured to terminate and manage VPN connections at a central location. In larger networks, it serves as the hub that securely aggregates encrypted traffic from branch sites before it reaches core applications and services.

By centralizing VPN termination, the Meraki VPN concentrator simplifies the management of site-to-site connectivity across multiple locations. Instead of maintaining complex point-to-point tunnels, AutoVPN allows spokes to connect back to a single hub, reducing configuration overhead while improving consistency, visibility, and control across the entire network.

Advantages Of Hub-and-Spoke VPN Topology 

A hub-and-spoke VPN topology offers several practical advantages when connecting multiple sites to a central network. By design, it establishes a clear hierarchy in which branch locations rely on a central hub for VPN connectivity.

Below are the key reasons this model is widely used in multi-site environments:

1. Centralized Control And Policy Enforcement 

In a hub-and-spoke VPN topology, all branch-site connections terminate at a central Meraki MX that serves as the VPN concentrator. This allows you to define and enforce routing, security, and access policies from a single location.

By centralizing control, you reduce configuration inconsistencies across sites and simplify ongoing management. Changes can be made at the hub and applied uniformly, helping maintain predictable behavior and stronger security across the entire VPN network.

2. Predictable Traffic Flow Between Sites

A hub-and-spoke topology creates clearly defined traffic paths between branch locations and centralized resources. Instead of traffic taking multiple possible routes, VPN traffic is directed through the hub, making network behavior easier to understand.

This predictability simplifies troubleshooting and planning. When traffic flows follow consistent patterns, it becomes easier to diagnose connectivity issues, manage routing decisions, and maintain stable performance across sites.

3. Easier Scaling As Sites Are Added

As your network grows, adding new locations becomes far more straightforward in a hub-and-spoke design. Each site connects directly to the central hub instead of forming VPN tunnels with every other location.

This approach reduces configuration effort and limits the risk of errors as the network grows. It also allows you to plan capacity at the hub in advance, ensuring the VPN concentrator can support future sites without redesigning the entire topology.

4. Simplified Redundancy And Failover Design 

High availability is easier to design when VPN termination is centralized at the hub. Rather than implementing complex failover logic at every site, redundancy can be focused on the VPN concentrator.

Meraki MX appliances support warm spare configurations, allowing a secondary device to assume traffic if the primary concentrator becomes unavailable. This approach helps maintain VPN connectivity across all sites while keeping the failover design clear and manageable.

Steps In Configuring The Meraki VPN Concentrator 

Configuring a Meraki VPN concentrator is mostly about getting the operating mode right, defining which networks should be reachable via the VPN, and ensuring upstream routing and firewall rules support stable tunnel formation.

The steps below walk you through the core Dashboard settings in the right order, from setting the MX to concentrator mode, to validating that spokes are actually passing traffic the way you expect.

Step 1: Set the Meraki MX as a VPN Concentrator

In the Meraki Dashboard, navigate to Security & SD-WAN > Configure > Addressing & VLANs. Set the MX Operating mode to VPN concentrator.

If you’re deploying a one-armed concentrator, plan to use WAN 1 as the single uplink. In this design, the concentrator sends and receives traffic on that single interface.

For reliability, it’s typically best to assign the concentrator a static IP and place it behind an edge firewall, rather than exposing it directly to the Internet.

Step 2: Establish Hub-and-Spoke VPN Topology

Go to Security & SD-WAN > Configure > Site-to-site VPN and set the VPN type to Hub (Mesh) for the concentrator network.

Next, define which “local networks” should be reachable via VPN from your spokes. These are typically the datacenter or core subnets that remote sites need to access.

At this stage, decide whether NAT traversal should be Automatic or Manual (port forwarding) based on how strict or “unfriendly” the upstream NAT and firewall environment is.

Step 3: Configure VPN Policies for Spoke Devices

On each spoke MX network, confirm it’s set up to participate as a spoke to the hub, and ensure the correct local subnets are enabled for VPN participation.

Make sure any security controls that could block desired traffic are reviewed, including firewall rules and segmentation decisions, so spokes can reach only what they should.

If you need the upstream datacenter to route traffic back to spoke subnets, decide whether to use OSPF route advertisement from the concentrator or maintain static routes upstream.

Step 4: Set Up IPsec Tunnels 

With Meraki AutoVPN, the IPsec tunnels are established automatically once the hub and spokes are correctly defined and can reach the Meraki VPN registry services.

Your job here is to ensure the upstream firewall allows required outbound connectivity for Dashboard management and AutoVPN orchestration. If you selected manual NAT traversal, confirm that the correct port-forwarding rules are configured on the concentrator.

Also, confirm that uplink health monitoring can function, since it impacts how reliably the MX detects connectivity problems and maintains stable operation.

Step 5: Verify VPN Connectivity 

In Dashboard, check the VPN status to confirm that spokes show as connected to the hub and that routes are being learned and advertised as expected.

Validate real traffic flow by testing from a spoke subnet to a hub resource, then confirm return routing from the datacenter back to the spoke subnets.

If nothing comes up, review event logs and confirm that upstream routing, NAT traversal settings, and firewall allowances match the design you’re deploying.
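To make the verification in Step 5 repeatable, the following added Python check (not code from the article or from Meraki) audits a hub-and-spoke deployment from the data returned by the Dashboard API's organization appliance VPN statuses endpoint: it flags expected spokes that never registered, spokes the hub cannot reach, and exported subnets that overlap between networks. The hub and spoke network names and the status records are constructed assumptions, and the field names follow that endpoint's response as documented.

```python
"""Audit an AutoVPN hub-and-spoke deployment from Dashboard API status data.

Added example (not the article's or Meraki's code). Input has the shape of
GET /organizations/{organizationId}/appliance/vpn/statuses; the records
below are constructed sample data, not output from a real organization.
"""
import ipaddress

HUB_NAME = "DC-Concentrator"                            # assumed hub network name
EXPECTED_SPOKES = {"Branch-A", "Branch-B", "Branch-C"}  # assumed spoke names

# Constructed sample: Branch-C never registered, the hub cannot reach Branch-B,
# and Branch-B exports the same subnet as Branch-A.
SAMPLE_STATUSES = [
    {"networkName": "DC-Concentrator", "vpnMode": "hub",
     "exportedSubnets": [{"subnet": "10.0.0.0/16"}],
     "merakiVpnPeers": [{"networkName": "Branch-A", "reachability": "reachable"},
                        {"networkName": "Branch-B", "reachability": "unreachable"}]},
    {"networkName": "Branch-A", "vpnMode": "spoke",
     "exportedSubnets": [{"subnet": "10.10.1.0/24"}],
     "merakiVpnPeers": [{"networkName": "DC-Concentrator", "reachability": "reachable"}]},
    {"networkName": "Branch-B", "vpnMode": "spoke",
     "exportedSubnets": [{"subnet": "10.10.1.0/24"}],
     "merakiVpnPeers": [{"networkName": "DC-Concentrator", "reachability": "unreachable"}]},
]

def audit_hub_and_spoke(statuses, hub_name=HUB_NAME, expected_spokes=EXPECTED_SPOKES):
    """Report spokes missing from the status list, spokes the hub cannot reach,
    and exported subnets that overlap between different networks."""
    by_name = {s["networkName"]: s for s in statuses}
    findings = {"missing_spokes": [], "unreachable_spokes": [], "overlapping_subnets": []}
    hub = by_name.get(hub_name)
    if hub is None or hub.get("vpnMode") != "hub":
        findings["hub_error"] = f"{hub_name} not found or not in hub mode"
        return findings
    hub_peers = {p["networkName"]: p["reachability"] for p in hub["merakiVpnPeers"]}
    for spoke in sorted(expected_spokes):
        if spoke not in by_name:
            findings["missing_spokes"].append(spoke)
        elif hub_peers.get(spoke) != "reachable":
            findings["unreachable_spokes"].append(spoke)
    # Two networks exporting overlapping subnets produce conflicting VPN routes.
    exported = [(s["networkName"], ipaddress.ip_network(e["subnet"]))
                for s in statuses for e in s.get("exportedSubnets", [])]
    for i, (name_a, net_a) in enumerate(exported):
        for name_b, net_b in exported[i + 1:]:
            if name_a != name_b and net_a.overlaps(net_b):
                findings["overlapping_subnets"].append((name_a, str(net_a), name_b, str(net_b)))
    return findings
```

Feed it the parsed JSON from the statuses endpoint in place of `SAMPLE_STATUSES`; an empty `missing_spokes`, `unreachable_spokes` and `overlapping_subnets` result is the state Step 5 expects before you test live traffic.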

Best Practices For Meraki VPN Security 

Securing a Meraki VPN concentrator goes beyond basic connectivity. Strong security controls help protect sensitive data, prevent unauthorized access, and maintain the integrity of traffic flowing between sites.

The practices below focus on strengthening encryption, tightening access controls, and improving visibility to keep your VPN environment secure as it scales.

  • Enforce Strong Encryption: Rely on Meraki AutoVPN’s IPsec encryption to protect data in transit between the hub and spoke sites.

  • Enable Two-Factor Authentication (2FA): Use 2FA for Dashboard access to reduce the risk of unauthorized configuration changes or account compromise.

  • Use Split Tunneling Sparingly: Limit split tunneling to specific use cases to avoid exposing sensitive traffic outside the VPN.

  • Restrict VPN Access By IP: Apply firewall rules to limit which IP ranges can initiate or access VPN traffic.

  • Update Firmware Regularly: Keep MX appliances up to date with the latest firmware to ensure security patches and stability improvements are applied.

  • Monitor VPN Logs For Anomalies: Review event logs and VPN status regularly to identify unexpected behavior or failed tunnel attempts.

  • Use Network Segmentation: Segment networks so VPN users and sites only access the resources they are authorized to reach.

Monitoring And Troubleshooting The Meraki VPN Concentrator 

Ongoing visibility is critical to maintaining a reliable VPN environment. The Meraki Dashboard provides centralized tools to help you monitor tunnel status, identify performance issues, and troubleshoot connectivity problems across all connected sites.

From the VPN status pages to event logs and uplink health metrics, dashboard views allow you to quickly confirm whether tunnels are established, routes are being advertised, and traffic is flowing as expected. These tools make it easier to isolate issues related to connectivity, routing, or upstream firewall behavior before they affect users.

Optimizing Your Meraki VPN Concentrator For Performance 

Optimizing a Meraki VPN concentrator starts with proper sizing and configuration, but it doesn’t stop there. As VPN traffic grows, performance depends on how well the environment is monitored and maintained over time.

Regularly reviewing tunnel status, uplink health, and routing behavior helps ensure the concentrator continues to operate efficiently under load. Keeping firmware up to date, validating firewall and NAT configurations, and adjusting settings as network demands change all play a role in maintaining strong performance and secure, reliable VPN connectivity.

Where Hummingbird Networks Fits in Meraki VPN Design

Designing and maintaining a reliable Meraki VPN concentrator requires more than following configuration steps. It also means validating the design, selecting the proper hardware, and ensuring the environment can scale as business needs change.

Hummingbird Networks supports SMB IT teams by helping plan the right hub-and-spoke architecture, deploy Meraki VPN concentrators correctly, and optimize performance after go-live. With hands-on guidance, design validation, and ongoing monitoring support, you gain confidence that your Meraki VPN environment remains secure, stable, and ready to support growth.

Maximize VPN Performance And Security With Hummingbird Networks

A well-designed Meraki VPN concentrator plays a critical role in keeping multi-site networks secure, reliable, and easy to manage. When configured correctly within a hub-and-spoke topology, it provides a scalable foundation for connecting users, applications, and locations without unnecessary complexity.

Hummingbird Networks helps ensure your Meraki VPN design delivers long-term value by combining technical expertise with hands-on support. From initial planning and deployment to ongoing optimization and monitoring, you gain a trusted partner focused on keeping your VPN environment secure, performant, and aligned with your business goals.


Ensure secure, reliable connectivity while optimizing performance across all your sites. Get expert guidance from Hummingbird Networks to simplify your Meraki VPN setup. 
