Meraki

Community

vMX in Azure - Suitable alternative to Physical Appliance?

Solved
Simo
Conversationalist
‎Feb 1 2020 7:27 AM
‎Feb 1 2020 7:27 AM

vMX in Azure - Suitable alternative to Physical Appliance?

Hi All,

 

I have a customer which is.migrating servers into Azure and they are looking at virtual appliances to aggregate Vpns from their Cisco and Meraki spoke sites.

 

About Meraki locations, we are talking now about 150 sites that may grow up to 400 this year. Most of the sites have dual wan uplinks.

 

I read some documentation but I am still concerned the vMX could be a right and scalable solution.

 

HA - I understand HA is not supported 

 

Dynamic Routing - would like to have the vMX dynamically announcing to Azure the local subnets of the Autovpn spoke sites instead of adding static routes in Azure (is dynamic routing between vmx and Azure duable? )

 

 Scalability - considering number of spoke sites (500) with two wan links each, the total number of tunnels will be 1000. Is the vmx supporting such tunnel count? What will be the Max number of supported tunnels?

About throughput from datasheet I see should be 500M

 

Alternative is to consider HA pair of MX 450 in one armed mode to aggregate spoke site tunnels and then express route into Azure.

 

Can you please share your views and suggestion along with any ref to docs or guide?

 

I am very new to Azure world so I will appreciate your help

 

Many thanks

 

Simone 

 

 

 

0 Kudos
1 Accepted Solution
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Feb 2 2020 11:54 AM
‎Feb 2 2020 11:54 AM

Aaron Willette (a Meraki systems engineer) has done a great article about MX sizing (including VMX).

https://www.willette.works/meraki-mx-sizing/ 

 

He has found it can go up to 500 concurrent tunnels.  This being the case you would need to use a pair of them.

 

Aaron has also done a great article on running dual active/active MX head ends.

https://www.willette.works/active-active-meraki-sd-wan-headends/ 

 

>Dynamic Routing - would like to have the vMX dynamically announcing to Azure the local subnets of the Autovpn spoke sites instead of adding static routes in Azure (is dynamic routing between vmx and Azure duable? )

 

Azure does not allow dynamic routing to VMs hosted in Azure.  Ideally you would split your spoke address space and create two supernets.  Then you have have a single static route supernet to each vMX.

 

Also note (and I don't know why this is) a small number of times (in my experience) when you deploy a VMX into Azure you get permanent low level packet loss (5% is typical) over AutoVPN.  When this happens the only way to resolve it is to delete the VMX and re-deploy it.

So I have gotten into the habit of testing this as soon as possible after deploying a vMX.

It is also binary - you either have the problem or you don't.  If you have it - it never goes away.  If you don't have it then it always works perfectly.

 

 

Myself, I would run the AutoVPN connections directly to Azure and not bother with Express route.

For Amazon AWS deployments I wrote a script which lets a pair of VMX run in HA mode by manipulating the Amazon AWS route tables when a failure happens.

https://www.ifm.net.nz/cookbooks/meraki-ha-vmx-amazon-aws.html 

If you were keen you could probably write something similar to update the Azure routing table from the Meraki VMX routing table.

View solution in original post

5 Replies 5
cmr
Kind of a big deal
Kind of a big deal
‎Feb 1 2020 7:56 AM
‎Feb 1 2020 7:56 AM

From the name I would anticipate that it roughly mirrors the capabilities of the MX100 and that supports 250 tunnels at most.  I haven't personally used the vMX though so I may be wrong.

If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
In response to cmr
Simo
Conversationalist
‎Feb 2 2020 10:41 AM
‎Feb 2 2020 10:41 AM

Thank you Crm

 

That is my feeling too.

Hope anyone has additional experience and suggestion to have a more concrete idea on how worthy is the vMX in this specific scenario

 

Thanks

 

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Feb 2 2020 11:54 AM
‎Feb 2 2020 11:54 AM

Aaron Willette (a Meraki systems engineer) has done a great article about MX sizing (including VMX).

https://www.willette.works/meraki-mx-sizing/ 

 

He has found it can go up to 500 concurrent tunnels.  This being the case you would need to use a pair of them.

 

Aaron has also done a great article on running dual active/active MX head ends.

https://www.willette.works/active-active-meraki-sd-wan-headends/ 

 

>Dynamic Routing - would like to have the vMX dynamically announcing to Azure the local subnets of the Autovpn spoke sites instead of adding static routes in Azure (is dynamic routing between vmx and Azure duable? )

 

Azure does not allow dynamic routing to VMs hosted in Azure.  Ideally you would split your spoke address space and create two supernets.  Then you have have a single static route supernet to each vMX.

 

Also note (and I don't know why this is) a small number of times (in my experience) when you deploy a VMX into Azure you get permanent low level packet loss (5% is typical) over AutoVPN.  When this happens the only way to resolve it is to delete the VMX and re-deploy it.

So I have gotten into the habit of testing this as soon as possible after deploying a vMX.

It is also binary - you either have the problem or you don't.  If you have it - it never goes away.  If you don't have it then it always works perfectly.

 

 

Myself, I would run the AutoVPN connections directly to Azure and not bother with Express route.

For Amazon AWS deployments I wrote a script which lets a pair of VMX run in HA mode by manipulating the Amazon AWS route tables when a failure happens.

https://www.ifm.net.nz/cookbooks/meraki-ha-vmx-amazon-aws.html 

If you were keen you could probably write something similar to update the Azure routing table from the Meraki VMX routing table.

In response to PhilipDAth
Col5and3rs
Conversationalist
‎Aug 12 2021 12:58 PM
‎Aug 12 2021 12:58 PM

Hello @PhilipDAth , I know this reply is like 1.5 years later but wanted to reach out.  I am having this same exact issue you describe below.

 

"Also note (and I don't know why this is) a small number of times (in my experience) when you deploy a VMX into Azure you get permanent low level packet loss (5% is typical) over AutoVPN.  When this happens the only way to resolve it is to delete the VMX and re-deploy it.

So I have gotten into the habit of testing this as soon as possible after deploying a vMX.

It is also binary - you either have the problem or you don't.  If you have it - it never goes away.  If you don't have it then it always works perfectly."

 

I currently have two vMX's in Azure.  One works perfectly with no issues since creation.  The second one I have not been able to get to work consistently.  I get anywhere between 5-12% packet loss and I have re-deployed this one in particular 7 times now with the same issue.  I've been fighting with it for about 5 months and finally got a straight answer from Meraki that it is a known issue when using a Route Table in Azure with a vMX.  But what's odd is my other vMX has a Route Table with no issues.

 

If you happen to have anymore insight as how to fix this issue, I would greatly appreciate it.

 

 

In response to Col5and3rs
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Aug 12 2021 1:41 PM
‎Aug 12 2021 1:41 PM

I have no further insight into the issue.

 

I would doubt that it is a route table issue.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
© 2024 Cisco Systems, Inc.