Does anyone have experience with Active/Active BGP Peering for two vMX devices in Azure?
I am able to create one BGP peer between an Azure Route Server and one vMX.
But not two BGP peers for active/active and redundancy.
Short description:
vMX1 <-> peer1 <-> Azure Route Server (ARS)
vMX2 <-> peer2 <-> Azure Route Server (ARS)
The problem I'm running into.
The Azure Route Server has a /27 subnet, for example 10.0.0.0/27
In order for routing from Meraki SD-WAN to succeed, this prefix must be added as a local prefix on both vMX devices.
And so the SD-WAN/AutoVPN recognizes two routes to the same IP prefix, but only one is used.
In the Azure VM at virtual interface, Effective Routes, there is only one route to one of the vMX devices.
But there should be two in the routing table to work as ECMP (Equal Cost Multipath)
Solved! Go to solution.
Coming in late here, but hopefully this will be of help to someone who reads this in 2023 🙂
I'm not sure why you are only looking at the AzureRouteServer subnet prefix. For eBGP to work, this does indeed need to be added as a local prefix on both devices. But other than that, it is only used for eBGP messaging between the vMX and Azure route server (ARS).
Meraki vMX appends its own BGP AS number to routes it learns from auto-vpn sites based on the hub priority configuration on the spokes. Both prefixes are advertised to ARS, but only the best one is used. This is the default eBGP behavior, and ARS does not allow you to change it.
The way I do it for my larger deployments is to create two templates, one where VMX1 has the higher priority and another where VMX2 has the higher priority, then load balance between the two templates. If you start doing this, you will see multiple prefixes with different next-hops in Azure.
As for routes learned by the VMX from ARS, the eBGP route learned from ARS is always preferred by each VMX, meaning that if traffic arrives on VMX2, it will go directly to Azure and not through VMX1. Only if you delete the eBGP peering from VMX2 to ARS will the traffic start flowing through VMX1 due to the Azure routes being learned via IBGP.
@cvwordragen : Check this thread
https://community.meraki.com/t5/Security-SD-WAN/BGP-in-my-Azure-Data-Center/m-p/139692#M35282
Coming in late here, but hopefully this will be of help to someone who reads this in 2023 🙂
I'm not sure why you are only looking at the AzureRouteServer subnet prefix. For eBGP to work, this does indeed need to be added as a local prefix on both devices. But other than that, it is only used for eBGP messaging between the vMX and Azure route server (ARS).
Meraki vMX appends its own BGP AS number to routes it learns from auto-vpn sites based on the hub priority configuration on the spokes. Both prefixes are advertised to ARS, but only the best one is used. This is the default eBGP behavior, and ARS does not allow you to change it.
The way I do it for my larger deployments is to create two templates, one where VMX1 has the higher priority and another where VMX2 has the higher priority, then load balance between the two templates. If you start doing this, you will see multiple prefixes with different next-hops in Azure.
As for routes learned by the VMX from ARS, the eBGP route learned from ARS is always preferred by each VMX, meaning that if traffic arrives on VMX2, it will go directly to Azure and not through VMX1. Only if you delete the eBGP peering from VMX2 to ARS will the traffic start flowing through VMX1 due to the Azure routes being learned via IBGP.
As an alternative, I have been using the Azure Virtual Hub with BGP Peering lately. The Virtual Hub behaves more predictably.