Two vMX appliances in Azure - two BGP peers with Azure Route Server

Solved
cvwordragen
Here to help

Two vMX appliances in Azure - two BGP peers with Azure Route Server

Does anyone have experience with Active/Active BGP Peering for two vMX devices in Azure?

I am able to create one BGP peer between an Azure Route Server and one vMX.
But not two BGP peers for active/active and redundancy.

Short description:
vMX1 <-> peer1 <-> Azure Route Server (ARS)
vMX2 <-> peer2 <-> Azure Route Server (ARS)

The problem I'm running into.
The Azure Route Server has a /27 subnet, for example 10.0.0.0/27
In order for routing from Meraki SD-WAN to succeed, this prefix must be added as a local prefix on both vMX devices.
And so the SD-WAN/AutoVPN recognizes two routes to the same IP prefix, but only one is used.
In the Azure VM at virtual interface, Effective Routes, there is only one route to one of the vMX devices.
But there should be two in the routing table to work as ECMP (Equal Cost Multipath)

1 Accepted Solution
MartinLL
Getting noticed

Coming in late here, but hopefully this will be of help to someone who reads this in 2023 🙂

I'm not sure why you are only looking at the AzureRouteServer subnet prefix. For eBGP to work, this does indeed need to be added as a local prefix on both devices. But other than that, it is only used for eBGP messaging between the vMX and Azure route server (ARS).

 

Meraki vMX appends its own BGP AS number to routes it learns from auto-vpn sites based on the hub priority configuration on the spokes. Both prefixes are advertised to ARS, but only the best one is used. This is the default eBGP behavior, and ARS does not allow you to change it.

The way I do it for my larger deployments is to create two templates, one where VMX1 has the higher priority and another where VMX2 has the higher priority, then load balance between the two templates. If you start doing this, you will see multiple prefixes with different next-hops in Azure.

 

As for routes learned by the VMX from ARS, the eBGP route learned from ARS is always preferred by each VMX, meaning that if traffic arrives on VMX2, it will go directly to Azure and not through VMX1. Only if you delete the eBGP peering from VMX2 to ARS will the traffic start flowing through VMX1 due to the Azure routes being learned via IBGP.

View solution in original post

3 Replies 3
Inderdeep
Kind of a big deal
Kind of a big deal

@cvwordragen : Check this thread 

https://community.meraki.com/t5/Security-SD-WAN/BGP-in-my-Azure-Data-Center/m-p/139692#M35282 

Regards/Inder
Cisco IT Blogs awarded in 2020 & 2021
www.thenetworkdna.com
MartinLL
Getting noticed

Coming in late here, but hopefully this will be of help to someone who reads this in 2023 🙂

I'm not sure why you are only looking at the AzureRouteServer subnet prefix. For eBGP to work, this does indeed need to be added as a local prefix on both devices. But other than that, it is only used for eBGP messaging between the vMX and Azure route server (ARS).

 

Meraki vMX appends its own BGP AS number to routes it learns from auto-vpn sites based on the hub priority configuration on the spokes. Both prefixes are advertised to ARS, but only the best one is used. This is the default eBGP behavior, and ARS does not allow you to change it.

The way I do it for my larger deployments is to create two templates, one where VMX1 has the higher priority and another where VMX2 has the higher priority, then load balance between the two templates. If you start doing this, you will see multiple prefixes with different next-hops in Azure.

 

As for routes learned by the VMX from ARS, the eBGP route learned from ARS is always preferred by each VMX, meaning that if traffic arrives on VMX2, it will go directly to Azure and not through VMX1. Only if you delete the eBGP peering from VMX2 to ARS will the traffic start flowing through VMX1 due to the Azure routes being learned via IBGP.

cvwordragen
Here to help

As an alternative, I have been using the Azure Virtual Hub with BGP Peering lately. The Virtual Hub behaves more predictably.

Get notified when there are additional replies to this discussion.