Azure vMX Configuration Considerations

Solved
dkins
Comes here often


Hi, we have a client with 50 sites with an MX67 at each site in routed mode. There are two vMX-M appliances located in their Azure hub, configured in VPN concentrator mode, sitting behind firewall NVAs in the Azure hub.

The vMX-M appliances are the hub and the 50 sites are configured as spokes. All servers are located in Azure, so Azure is considered the data center in the design. AutoVPN is configured and sites do not full-tunnel, to allow for local break-out at the 50 sites.

Now, if we introduce Secure Connect, I understand all site traffic now routes via Secure Connect.

What happens at the current hub in the design above?

  1. Will we have to change anything on the vMX-M appliances?
  2. Do the vMX have to change to Routed mode?
  3. Will the vMX appliances now be seen as a spoke?
  4. What sort of latency will be introduced on top of the current latency seen in the AutoVPN config?
  5. Does the Essentials licensing allow for traffic steering at the remote sites? For example, to exclude certain traffic from being routed via Secure Connect? (Meraki licensing is Advanced Security.)

Thanks in advance.

1 Accepted Solution
Gary_Geihsler1
Meraki Employee

Correction to myself: we do not need the vMX in routed mode. There are some routing considerations on the upstream gateway in order to use the vMX in passthrough mode.


9 Replies
PhilipDAth
Kind of a big deal

>I understand all site traffic now routes via Secure Connect.

If you are talking about Meraki AnyConnect support using the Secure Connect client, you can use split tunnel mode, so only traffic for the Azure network (and branches if you like) will go over the VPN.

https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance 

(You can search for "split" in the above page.)

>Will we have to change anything on the vMX-M appliances?

You'll need to configure AnyConnect, and make sure TCP and UDP 443 are forwarded to the vMX.

>Do the vMX have to change to Routed mode?

No.

>Will the vMX appliances now be seen as a spoke?

Not really.

>What sort of latency will be introduced on top of the current latency seen in the AutoVPN config?

Pretty much nothing.

>Does the Essentials licensing

I would normally use AnyConnect APEX licences. A sample ordering code is L-AC-APX-3Y-S1. This is for a 3-year licence. I usually use 3Y or 5Y to match the Meraki licences, so everything comes up for renewal at the same time.

dkins
Comes here often

Thanks for your response. Sorry, no, I'm not referring to AnyConnect.

PhilipDAth
Kind of a big deal

I am not 100% sure of these answers in this scenario.

  1. Will we have to change anything on the vMX-M appliances? No. They are already hubs and will automatically form AutoVPN connections to the virtual Cisco+ Secure Connect hubs.
  2. Do the vMX have to change to Routed mode? No.
  3. Will the vMX appliances now be seen as a spoke? No. It will remain as a hub, and traffic for subnets behind it will go directly to it. Cisco+ Secure Connect shows up as additional AutoVPN hubs.
  4. What sort of latency will be introduced on top of the current latency seen in the AutoVPN config? Don't know.
  5. Does the Essentials licensing allow for traffic steering at the remote sites? For example, to exclude certain traffic from being routed via Secure Connect? (Meraki licensing is Advanced Security.) Don't know.

dkins
Comes here often

OK, thanks for your input... I'll run a trial and see how it pans out.

Gary_Geihsler1
Meraki Employee

  1. Will we have to change anything on the vMX-M appliances? Currently all Meraki sites connected to Secure Connect will be configured as spokes, with Secure Connect seen as a hub. Hub-to-hub connectivity to Secure Connect will come in the future.
  2. Do the vMX have to change to Routed mode? Yes.
  3. Will the vMX appliances now be seen as a spoke? Yes.
  4. What sort of latency will be introduced on top of the current latency seen in the AutoVPN config? If you are asking about site-to-site connectivity, there will be some latency added. We are introducing another hop and a policy evaluation. The latency added will depend on multiple factors; there is no stated number.
  5. Does the Essentials licensing allow for traffic steering at the remote sites? For example, to exclude certain traffic from being routed via Secure Connect? (Meraki licensing is Advanced Security.) Secure Connect is not dependent on a specific MX license. VPN exclusion rules can be done for IP/CIDR with any MX license, and application-based VPN exclusion rules require the SD-WAN Plus license.

Bucket
Getting noticed

Hi Gary.

This documentation states you can set the Umbrella "MX" as an exit hub. Is this not possible when doing Secure Connect? I thought it was essentially the same.

https://documentation.meraki.com/MX/Meraki_Umbrella_SDWAN_Connector/Deployment_Guide

Why does the vMX need to be in routed mode?

dkins
Comes here often

Hi Gary,

I'm also curious to understand why the vMX needs to be in Routed Mode.

Gary_Geihsler1
Meraki Employee

Correction to myself: we do not need the vMX in routed mode. There are some routing considerations on the upstream gateway in order to use the vMX in passthrough mode.

brianpmcp
Here to help

Hi Gary,

Could the vMX in passthrough mode still use BGP to propagate Azure routes?
