Meraki

Community

Vmx 100 routing

wdepauw
Comes here often
‎May 2 2018 5:54 AM
‎May 2 2018 5:54 AM

Vmx 100 routing

Hi,

 

I'm working on a design for a customer and they want to place 2* Vmx in AWS and terminate the VPN tunnels of +/-120 remote sites on these Vmx's.

=> The Vmx will be used as a hub

=> In the branches there will be small MX appliances working in NAT mode

 

Traffic from a spoke should follow the path:

 

-  Traffic from spoke will be encrypted in autovpn tunnel and routed to the highest priority Vmx. If the Vmx Hub would fail then it puts the traffic towards the 2nd Vmx Hub.

-  Traffic will be decrypted in the hub VMx and should be routed towards a connected (virtual) MPLS router

-  From the MPLS router it will be forwarded into the MPLS cloud to one of their DC's

 

 

I understood from the documentation that the Vmx can only work in VPN concentrator mode ( L2 bridging), and with this mode routing is disabled.

=> This means that the Vmx will not known about the routes behind the virtual MPLS router and I think he will drop the traffic.

 

In my (humble) opinion the Vmx is not made for this setup, in the VPN concentrator mode the Vmx can reach the local attached subnets but it can route traffic to another router.

 

 

Am I correct in this ? Or is there another solution with the Vmx ?

 

Another problem is that the return traffic should be able to reach the correct Vmx otherwise there is a risk that the traffic is routed over autovpn tunnel 1  ( with Vmx Hub1) and the return traffic from the DC will come on Vmx Hub2

 

=> I don't know how the Vmx will react on assymetric traffic.  Did anybody have a setup like this ?

 

 

gr

wim

 

 

0 Kudos
9 Replies 9
MRCUR
Kind of a big deal
‎May 2 2018 6:28 AM
‎May 2 2018 6:28 AM

The vMX cannot be used as an AutoVPN hub (this applies to AWS & Azure). See here: https://documentation.meraki.com/MX-Z/Installation_Guides/vMX100_Setup_Guide_for_Microsoft_Azure

MRCUR | CMNO #12
0 Kudos
In response to MRCUR
wdepauw
Comes here often
‎May 2 2018 7:29 AM
‎May 2 2018 7:29 AM

Hi,

 

Tx for the quick reply , in the vpn configuration you have the local networks which you can advertise. Is this like a cisco router where it needs to be available if you want to advertise it ?

 

I assume that you are pointing to this chapter in the documentation  ?

 

Full Tunnel  

In full tunnel mode all traffic that the branch or remote office does not have another route to is sent to a VPN hub.

Note: This is not supported for virtual MX VPN concentrators operating within Azure.

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎May 2 2018 2:10 PM
‎May 2 2018 2:10 PM

The vMX in Amazon can be an auto VPN hub.

 

When using vMX, under "Security Appliance/VPN settings/Local networks" you define all the routes you want to be available (these will be published to the AutoVPN spokes).  This can include your MPLS routes.

Screenshot from 2018-05-03 09-08-33.png

 

Any traffic that the vMX receives is sent to its default gateway, which is the VPC router.  So as long as the VPC knows how to route to and from your MPLS circuit (and the MPLS circuit has return routes) you should be fine.

In response to PhilipDAth
MRCUR
Kind of a big deal
‎May 2 2018 2:14 PM
‎May 2 2018 2:14 PM

Good catch @PhilipDAth - I didn't notice the hub limitation was Azure only. 

MRCUR | CMNO #12
0 Kudos
In response to MRCUR
wdepauw
Comes here often
‎May 2 2018 11:39 PM
‎May 2 2018 11:39 PM

cloud setupHi,

Tx for the reply, I would put a FW in between the Vmx and VPC router so the Vmx is protected from the internet

=> In that case the default gateway would point to the FW 

=>  I would also enable OSPF on the Vmx . This would mean that the spoke routes are advertised to the MPLS router so the MPLS router knows how to reach the spoke sites.

 

 

 

0 Kudos
In response to wdepauw
wdepauw
Comes here often
‎May 2 2018 11:41 PM
‎May 2 2018 11:41 PM

pressed enter a little bit to quick 🙂 

I've added a drawing for clarification

 

tx

Wim

0 Kudos
In response to wdepauw
PhilipDAth
Kind of a big deal
Kind of a big deal
‎May 3 2018 12:04 AM
‎May 3 2018 12:04 AM

The vMX runs the MX code, just in Amazon AWS.  It is already a firewall.  It doesn't need any additional protection.

 

The MPLS circuit (aka AWS Direct Connection) links into the VPC routing.  So putting in a separate firewall for routing is going to create all manner of complications.

 

If you don't rely on the VPC for doing all the routing you are going to have a world of hurt.

0 Kudos
In response to PhilipDAth
wdepauw
Comes here often
‎May 3 2018 12:15 AM
‎May 3 2018 12:15 AM

ok  because I understood from the documentation that when you run the VPN concentrator mode you need to protect it  from the internet  because the FW functionality is not working.

Is it different then for  the VMx ?

 

 

Placing an MX appliance in Passthrough mode at the perimeter of your network with a publicly routable IP address is not recommended and can present security risks. As a best practice, Passthrough mode MX appliances should always be deployed behind an edge firewall.

 

=> since the spokes will connect over the internet towards the vmx hub I need a publicly routable IP address

 

gr

wim

0 Kudos
In response to wdepauw
PhilipDAth
Kind of a big deal
Kind of a big deal
‎May 3 2018 12:18 AM
‎May 3 2018 12:18 AM

When running either an MX or vMX in concentrator mode you need something to perform NAT to the internal network where the MX/vMX is sitting.  This is typically another firewall.  The firewall is not their to protect the MX/vMX.

 

MX's on MPLS tails using AutoVPN over MPLS need to have the same public IP address as the concentrator where the MPLS circuit access the Internet.  A firewall provides this.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
© 2024 Cisco Systems, Inc.