Meraki

Community

vMX on Azure - Config Help Required

Solved
fredle
Just browsing
‎Mar 22 2024 9:45 AM
‎Mar 22 2024 9:45 AM

vMX on Azure - Config Help Required

Hi,

 

In Azure, I have my vmx-subnet 10.64.4.0/24 and my internal subnet 10.64.1.0/24

 

The vmx is on 10.64.4.4.

 

What should the 'Single LAN' Interface Address be? I don't understand how I can set an interface address inside an Azure subnet. 

 

Thanks,

 

0 Kudos
1 Accepted Solution
In response to fredle
rhbirkelund
Kind of a big deal
Kind of a big deal
‎Mar 22 2024 12:40 PM
‎Mar 22 2024 12:40 PM

When the vMX has been provisioned to Azure, and come online, it should pull an address on its LAN interface. Usually it will only be in VPN Concentrator mode. NAT mode should only be used in certain specific scenarios.

After pulling an address (usually .4 in your vmx subnet), you need to setup a routetable in Azure, to route back and forth between the vMX and other ressources in Azure.

 

The VPN settings shown in your first screenshot refer to those vnets you have configured in Azure. these are then announced into the AutoVPN topology, and thus known to your spokes/hubs across AutoVPN.

 

Assuming you used 172.16.0.0/12 at your spokes and 10.0.0.0/8 in Azure for whatever cloud servers, you'd usually enter 10.0.0.0/8 in the VPN settings on the vMX. Then this entire /8 will be announced to all your spoke sites that are using 172.16.0.0/12. In turn, the spokes will have 10.0.0.0/8 in their routetable showing the vMX as the next.hop for this subnet.

 

In Azure, you'd add 172.16.0.0/12 to the routetable with the vMX IP address as nexthop. In your case that would be 10.64.4.4. This is done for your servers in Azure to have a return route back to your spokes, via the vMX. The vMX will have 172.16.0.0/12 in its routetable, due to the spokes participating in AutoVPN.

 

When creating the Azure Routetable, make sure to attach it to your Meraki vMX Ressource Group. Also when deploying the vMX make sure you use the Standard SKU for Public IP addressing to the vMX.

LinkedIn ::: https://blog.rhbirkelund.dk/

Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂

All code examples are provided as is. Responsibility for Code execution lies solely your own.

View solution in original post

6 Replies 6
alemabrahao
Kind of a big deal
Kind of a big deal
‎Mar 22 2024 10:43 AM
‎Mar 22 2024 10:43 AM

If the vMX is on 10.64.4.4, the ‘Single LAN’ Interface Address should be an IP address within your internal subnet (10.64.1.0/24). This is because the vMX is configured with a single Ethernet connection to the upstream network, and all traffic will be sent and received on this interface.

 

Refer the documentation.

 

vMX Setup Guide for Microsoft Azure - Cisco Meraki Documentation

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
fredle
Just browsing
‎Mar 22 2024 10:47 AM
‎Mar 22 2024 10:47 AM

Hi, sorry I don't understand this. the device isn't attached to the internal subnet. Do I just choose an IP from the internal subnet?

0 Kudos
In response to fredle
alemabrahao
Kind of a big deal
Kind of a big deal
‎Mar 22 2024 10:51 AM
‎Mar 22 2024 10:51 AM

https://www.youtube.com/watch?v=Prp9HrBjG14

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
fredle
Just browsing
‎Mar 22 2024 11:20 AM
‎Mar 22 2024 11:20 AM

Thanks, I had followed a couple of tutorials and they all showed that you should add local networks here, but didn't require an interface address. This makes sense as I want to explicitly state which networks are advertised through the VPN.

fredle_1-1711131356294.png

 

however I can define a network in Addressing and VLANs and add it in the VPN Settings, but I am required to specify an interface address for the network. which doesn't make sense as that interface wouldn't be attached to the subnet.

 

fredle_2-1711131573551.png

 

 

fredle_0-1711131284994.png

 

0 Kudos
In response to fredle
rhbirkelund
Kind of a big deal
Kind of a big deal
‎Mar 22 2024 12:40 PM
‎Mar 22 2024 12:40 PM

When the vMX has been provisioned to Azure, and come online, it should pull an address on its LAN interface. Usually it will only be in VPN Concentrator mode. NAT mode should only be used in certain specific scenarios.

After pulling an address (usually .4 in your vmx subnet), you need to setup a routetable in Azure, to route back and forth between the vMX and other ressources in Azure.

 

The VPN settings shown in your first screenshot refer to those vnets you have configured in Azure. these are then announced into the AutoVPN topology, and thus known to your spokes/hubs across AutoVPN.

 

Assuming you used 172.16.0.0/12 at your spokes and 10.0.0.0/8 in Azure for whatever cloud servers, you'd usually enter 10.0.0.0/8 in the VPN settings on the vMX. Then this entire /8 will be announced to all your spoke sites that are using 172.16.0.0/12. In turn, the spokes will have 10.0.0.0/8 in their routetable showing the vMX as the next.hop for this subnet.

 

In Azure, you'd add 172.16.0.0/12 to the routetable with the vMX IP address as nexthop. In your case that would be 10.64.4.4. This is done for your servers in Azure to have a return route back to your spokes, via the vMX. The vMX will have 172.16.0.0/12 in its routetable, due to the spokes participating in AutoVPN.

 

When creating the Azure Routetable, make sure to attach it to your Meraki vMX Ressource Group. Also when deploying the vMX make sure you use the Standard SKU for Public IP addressing to the vMX.

LinkedIn ::: https://blog.rhbirkelund.dk/

Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂

All code examples are provided as is. Responsibility for Code execution lies solely your own.
In response to rhbirkelund
fredle
Just browsing
‎Apr 12 2024 7:09 AM
‎Apr 12 2024 7:09 AM

Sorry for the radio silence

OK, so I have put it into VPN Concentrator mode and that seems to have worked. Many thanks for the help. 

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
© 2024 Cisco Systems, Inc.