Hi, we have a client with 50 sites with an MX67 at each site in routed mode. There are two vMX-M appliances located in their Azure hub, configured in VPN concentrator mode, sitting behind firewall NVAs in the Azure hub.
The vMX-M appliances are the Hub and the 50 sites are configured as spokes. All servers are located in Azure so considered as the Data Center in the design. AutoVPN is configured and sites do not full tunnel to allow for local break-out at the 50 sites.
Now, if we introduce Secure Connect, I understand all site traffic now routes via Secure Connect.
What happens at the current Hub in the design above?
Thanks in advance.
>I understand all site traffic now routes via Secure Connect.
If you are talking about Meraki AnyConnect support using the SecureConnect client, you can use split tunnel mode, so only traffic for the Azure network (and branches if you like) will go over the VPN.
https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance
(you can search for "split" in the above page).
>Will we have to change anything on the vMX-M appliances?
You'll need to configure AnyConnect, and make sure TCP and UDP 443 are forwarded to the vMX.
>Do the vMX have to change to Routed mode?
No.
>Will the vMX appliances now be seen as a spoke?
Not really.
>What sort of latency will be introduced on top of the current latency seen in the AutoVPN config?
Pretty much nothing.
>Does the Essentials licensing
I would normally use AnyConnect APEX licences. A sample ordering code is L-AC-APX-3Y-S1. This is for a 3 year licence. I usually use 3Y or 5Y to match the Meraki licences, so everything comes up for renewal at the same time.
Thanks for your response. Sorry, no, I'm not referring to AnyConnect.
I am not 100% sure of these answers in this scenario.
OK, thanks for your input... I'll run a trial and see how it pans out.
Hi Gary.
This documentation states you can set the umbrella “mx” as an exit hub. Is this not possible when doing secure connect? I thought it was essentially the same.
https://documentation.meraki.com/MX/Meraki_Umbrella_SDWAN_Connector/Deployment_Guide
Why does the vMX need to be in routed mode?
Hi Gary,
I'm also curious to understand why the vMX needs to be in Routed Mode.
Correction to myself, we do not need the vMX in routed mode. There are some routing considerations on the upstream gateway in order to use the vMX in passthrough mode.
Hi Gary,
Could the vMX in passthrough mode still use BGP to propagate Azure routes?