vMX on Azure - Config Help Required

Solved
fredle

Hi,

In Azure, I have my vmx-subnet 10.64.4.0/24 and my internal subnet 10.64.1.0/24.

The vmx is on 10.64.4.4.

What should the 'Single LAN' Interface Address be? I don't understand how I can set an interface address inside an Azure subnet.

Thanks,

1 Accepted Solution
rhbirkelund

When the vMX has been provisioned to Azure, and come online, it should pull an address on its LAN interface. Usually it will only be in VPN Concentrator mode. NAT mode should only be used in certain specific scenarios.

After pulling an address (usually .4 in your vmx subnet), you need to set up a route table in Azure, to route back and forth between the vMX and other resources in Azure.

The VPN settings shown in your first screenshot refer to those vnets you have configured in Azure. These are then announced into the AutoVPN topology, and thus known to your spokes/hubs across AutoVPN.

Assuming you used 172.16.0.0/12 at your spokes and 10.0.0.0/8 in Azure for whatever cloud servers, you'd usually enter 10.0.0.0/8 in the VPN settings on the vMX. Then this entire /8 will be announced to all your spoke sites that are using 172.16.0.0/12. In turn, the spokes will have 10.0.0.0/8 in their route table showing the vMX as the next hop for this subnet.

In Azure, you'd add 172.16.0.0/12 to the route table with the vMX IP address as next hop. In your case that would be 10.64.4.4. This is done for your servers in Azure to have a return route back to your spokes, via the vMX. The vMX will have 172.16.0.0/12 in its route table, due to the spokes participating in AutoVPN.

When creating the Azure route table, make sure to attach it to your Meraki vMX Resource Group. Also, when deploying the vMX, make sure you use the Standard SKU for Public IP addressing to the vMX.

LinkedIn ::: https://blog.rhbirkelund.dk/
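
The routing described in the accepted solution has to line up in both directions: Azure subnets must fall inside a prefix the vMX advertises, and Azure's route table must send spoke traffic back to the vMX. The following check is an added example, not part of the original post; the spoke LANs are constructed, the tuple model of the route table is hypothetical, and `VirtualAppliance` is Azure's next-hop type for a network appliance.

```python
import ipaddress as ip

# Addresses quoted in the thread.
VMX_IP = ip.ip_address("10.64.4.4")
VMX_SUBNET = ip.ip_network("10.64.4.0/24")
AZURE_SUBNETS = [ip.ip_network("10.64.1.0/24")]
ADVERTISED = [ip.ip_network("10.0.0.0/8")]   # entered in the vMX VPN settings
# Constructed spoke LANs inside the 172.16.0.0/12 range used in the answer.
SPOKES = [ip.ip_network("172.16.10.0/24"), ip.ip_network("172.31.0.0/16")]
# Hypothetical route-table model: (prefix, next-hop type, next-hop address).
UDR = [(ip.ip_network("172.16.0.0/12"), "VirtualAppliance", VMX_IP)]


def lookup(routes, dest):
    """Longest-prefix match over the user-defined routes."""
    hits = [r for r in routes if dest.subnet_of(r[0])]
    return max(hits, key=lambda r: r[0].prefixlen, default=None)


def check_design(vmx_ip, vmx_subnet, advertised, udr, azure_subnets, spokes):
    """Return a list of findings; an empty list means both directions line up."""
    findings = []
    if vmx_ip not in vmx_subnet:
        findings.append(f"vMX address {vmx_ip} is outside {vmx_subnet}")
    # Spokes -> Azure: every server subnet must sit inside an advertised prefix.
    for net in azure_subnets:
        if not any(net.subnet_of(a) for a in advertised):
            findings.append(f"{net} is not advertised into AutoVPN")
    # Azure -> spokes: the most specific route must point at the vMX.
    for net in spokes:
        route = lookup(udr, net)
        if route is None:
            findings.append(f"no return route for {net}")
        elif route[1] != "VirtualAppliance" or route[2] != vmx_ip:
            findings.append(f"{net} returns via {route[1]}, not the vMX")
        # An advertised prefix that overlaps a spoke LAN makes routing ambiguous.
        if any(net.overlaps(a) for a in advertised):
            findings.append(f"{net} overlaps an advertised Azure prefix")
    return findings


if __name__ == "__main__":
    for line in check_design(VMX_IP, VMX_SUBNET, ADVERTISED, UDR,
                             AZURE_SUBNETS, SPOKES) or ["no findings"]:
        print(line)
```

A more specific route in the table overrides the /12, which is why the check resolves each spoke LAN by longest prefix rather than looking for the /12 entry alone.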

alemabrahao

If the vMX is on 10.64.4.4, the ‘Single LAN’ Interface Address should be an IP address within your internal subnet (10.64.1.0/24). This is because the vMX is configured with a single Ethernet connection to the upstream network, and all traffic will be sent and received on this interface.

Refer to the documentation.

vMX Setup Guide for Microsoft Azure - Cisco Meraki Documentation

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

fredle

Hi, sorry, I don't understand this. The device isn't attached to the internal subnet. Do I just choose an IP from the internal subnet?

alemabrahao

https://www.youtube.com/watch?v=Prp9HrBjG14

fredle

Thanks, I had followed a couple of tutorials and they all showed that you should add local networks here, but didn't require an interface address. This makes sense as I want to explicitly state which networks are advertised through the VPN.

fredle_1-1711131356294.png

However, I can define a network in Addressing and VLANs and add it in the VPN Settings, but I am required to specify an interface address for the network, which doesn't make sense as that interface wouldn't be attached to the subnet.

fredle_2-1711131573551.png

fredle_0-1711131284994.png

fredle

Sorry for the radio silence

OK, so I have put it into VPN Concentrator mode and that seems to have worked. Many thanks for the help. 
