Azure & Meraki Planning Traffic

Stuart_Smiles


Hi, 

 

I am looking for some guidance as to what is reasonable to expect in Azure for Meraki vMX appliances in routed mode and in concentrator mode.

 

I understand that in routed mode you get 2 interfaces (1 Gb WAN and 1 Gb LAN) at effectively 1 Gb each. What is the expected throughput that can be estimated?

 

In concentrator mode there is a single 1 Gb interface to the VM that does both the LAN and WAN, so effectively 500 Mb in and the same out.

 

Q1) What is the expected / confirmed throughput to plan on for each of these configs, please?

 

Q2)

What are the plans / options for scaling up to faster speeds, i.e. faster interfaces for devices operating in Azure? There are a number of hosts sending traffic to the Merakis, meaning there is more traffic than can be dealt with, so the bottleneck of interface speed needs to be reduced in the same way as on-prem interfaces have moved to faster speeds on core switches.

 

Q3)

MTU & IPv6 [on or off]

I have also seen a number of references to the optimal MTU in Azure being 1400 where VPN is used.

In the Meraki portal, I see dialogue boxes about IPv6 not being supported over site-to-site VPN tunnels.

 

"VPN and MTU

If you use VMs that perform encapsulation (like IPsec VPNs), there are some other considerations regarding packet size and MTU. VPNs add more headers to packets. The added headers increase the packet size and require a smaller MSS.

For Azure, we recommend that you set TCP MSS clamping to 1,350 bytes and tunnel interface MTU to 1,400. For more information, see the VPN devices and IPsec/IKE parameters page."

 

source:

https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-tcpip-performance-tuning?sou...

 

https://documentation.meraki.com/MX/Site-to-site_VPN/Configuring_Site_to_Site_VPN_tunnels_to_Azure_V...

 

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-Site_VPN_Troubleshooting

 

[Point back to Microsoft guide above ] 

 

Q4)

Where is the equivalent of the "Cisco SAFE blueprint" applied to Cisco Meraki in Azure, please?

 

Q5)

More detailed documentation that I am looking to read / find.

 

Design guidance:

Multiple Merakis / subscriptions, VNets and routing between them.

Higher-throughput hosts, connections between vMX devices, Azure VNets, site-to-site VPNs.

Traffic optimisation and guidance.

Higher speeds, e.g. managing groups of hosts and sustained traffic throughput with Meraki.

Investigations of interruptions to traffic forwarding [suspected to be due to convergence when routes update / change & route summarisation / notification suppression].

Gathering logging information for investigating issues / setup, using the log information available in the Meraki portal.

Any useful books / articles to read / review, or anything else you think of / suggest?

 

Thanks 

Stuart 
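The 1,400-byte tunnel MTU and 1,350-byte MSS clamp quoted above from the Microsoft guide can be checked with an ESP overhead budget. The following is an added example for this thread, not code from the Meraki or Microsoft documents linked in the post. It assumes a 1500-byte underlying link MTU and two illustrative IKEv2 cipher suites (AES-GCM-128, and AES-CBC-128 with HMAC-SHA1-96), both with NAT-T UDP encapsulation; those suites and the NAT-T assumption are chosen for illustration and say nothing about what a vMX actually negotiates.

```python
"""
Overhead budget for an IPsec ESP tunnel: derives the largest inner packet that
fits a given link MTU, and the TCP MSS that matches a chosen tunnel MTU.

Added example for this thread, not code from Meraki or Microsoft. Header sizes
are protocol constants; the cipher suites, NAT-T encapsulation and the
1500-byte link MTU are assumptions chosen for illustration.
"""
from dataclasses import dataclass

IPV4_HDR = 20      # outer or inner IPv4 header without options
TCP_HDR = 20       # TCP header without options (MSS excludes options, RFC 6691)
UDP_HDR = 8        # NAT-T encapsulation on UDP/4500 (assumed present)
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1), encrypted with the payload


@dataclass(frozen=True)
class Suite:
    name: str
    iv_len: int    # per-packet IV carried inside the ESP payload
    icv_len: int   # integrity check value appended after the ciphertext
    block: int     # alignment the encrypted payload (+ trailer) is padded to


# Assumed suites: AES-GCM uses an 8-byte IV, 16-byte ICV and 4-byte alignment
# (RFC 4106); AES-CBC with HMAC-SHA1-96 uses a 16-byte IV, 12-byte ICV and
# 16-byte cipher blocks.
AES_GCM_128 = Suite("AES-GCM-128", iv_len=8, icv_len=16, block=4)
AES_CBC_SHA1 = Suite("AES-CBC-128 / HMAC-SHA1-96", iv_len=16, icv_len=12, block=16)


def esp_overhead(inner_len: int, suite: Suite, nat_t: bool = True) -> int:
    """Bytes added when an inner IP packet of inner_len bytes is ESP-tunnelled."""
    body = inner_len + ESP_TRAILER        # plaintext that must end block-aligned
    pad = (-body) % suite.block           # explicit ESP padding bytes
    outer = IPV4_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR + suite.iv_len
    return outer + pad + ESP_TRAILER + suite.icv_len


def outer_size(inner_len: int, suite: Suite, nat_t: bool = True) -> int:
    """On-the-wire size of the encapsulated packet."""
    return inner_len + esp_overhead(inner_len, suite, nat_t)


def max_inner_mtu(link_mtu: int, suite: Suite, nat_t: bool = True) -> int:
    """Largest inner packet whose encapsulation still fits the link MTU.

    Padding makes the overhead depend on inner_len, so search downward
    rather than subtracting one fixed number.
    """
    for inner in range(link_mtu, 0, -1):
        if outer_size(inner, suite, nat_t) <= link_mtu:
            return inner
    raise ValueError("link MTU too small for any inner packet")


def mss_for_tunnel_mtu(tunnel_mtu: int) -> int:
    """TCP MSS that exactly fills an inner IPv4 packet of tunnel_mtu bytes."""
    return tunnel_mtu - IPV4_HDR - TCP_HDR


def headroom(tunnel_mtu: int, link_mtu: int, suite: Suite, nat_t: bool = True) -> int:
    """Spare wire bytes when a full tunnel-MTU packet is encapsulated.

    A negative value means the outer packet exceeds the link MTU and would
    be fragmented or dropped (DF set).
    """
    return link_mtu - outer_size(tunnel_mtu, suite, nat_t)


def check_recommendation(tunnel_mtu: int, mss: int, link_mtu: int = 1500) -> dict:
    """Evaluate a tunnel MTU / MSS-clamp pair against both assumed suites."""
    result = {
        "mss_fits": mss <= mss_for_tunnel_mtu(tunnel_mtu),
        "mss_spare": mss_for_tunnel_mtu(tunnel_mtu) - mss,
    }
    for suite in (AES_GCM_128, AES_CBC_SHA1):
        result[suite.name] = {
            "max_inner_mtu": max_inner_mtu(link_mtu, suite),
            "headroom": headroom(tunnel_mtu, link_mtu, suite),
        }
    return result


if __name__ == "__main__":
    # The figures quoted from the Microsoft guide, against an assumed 1500-byte link.
    for key, value in check_recommendation(tunnel_mtu=1400, mss=1350).items():
        print(f"{key}: {value}")
```

Under these assumptions the largest inner packet that survives unfragmented is 1438 bytes for AES-GCM and 1422 bytes for AES-CBC/SHA1, so a 1400-byte tunnel MTU leaves headroom for either suite, and 1400 minus the inner IPv4 and TCP headers gives an MSS of 1360, of which the 1350-byte clamp uses all but 10 bytes. To confirm a live path rather than a model, send a DF-set ping of the candidate inner size across the tunnel and check whether it is answered.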

 

Mloraditch

I'm going to answer what I can:

Q1) This completely depends on your environment. I can tell you a vMX doing nothing (i.e. freshly deployed, before any traffic is sent to it) is de minimis, but in a live environment this is entirely related to what you have in Azure, whether you are using the vMX just for site-to-site traffic or if you are using it as a full firewall as well.
Q2) You can upgrade your license from S to M to L; XL has been discontinued. You would have to redeploy the vMX to do this, but the config would be saved in the dashboard. It's functionally equivalent to swapping MX models in a network.
Q3) I've never had to tune anything, and the documents you link are referring to 3rd-party VPN setups, not native Meraki SD-WAN. My environments are pretty simple, so others may have some thoughts.

Q4) I'm not aware of any Cisco SAFE guide for Meraki.
Q5)

As far as multiple Azure subscriptions go, I would always use VNet peering inside Azure to link subs. It's going to be cheaper than using an appliance. Now, you could have more complex security requirements, and at that point you need to identify your needs vis-à-vis the available solutions.

Regarding logging, you have the same logs you do for any Meraki in the dashboard. I've never needed to refer to any Azure logging beyond deployment errors, and those were usually fat fingers, but others may be aware of something else.

Given the depth and breadth of your questions, I do strongly suggest working with your Meraki SE/partner and discussing the details of your actual environment. It sounds like you could have quite a complex setup, and we can mostly answer in generalities.
