MX Hub routing

J_Donegan
Just browsing

MX Hub routing

Hello,

 

When I initially introduced the Meraki MX, we had 1 MX100 hub, which has a number of static routes and local networks terminated to it.

The device is connected to our Coe switch and has access to our primary DC and things like that. All traffic flows out via an internal Sophos firewall and then onto a managed firewall for external traffic.

All of our branch sites need to get back here to learn the routes to get to our Azure-based LAN services.

 

In the meantime, we have introduced two new Meraki vMX hubs in our Azure environment, and these have been setup on a brand new Azure Landing Zone and will replace the MX100. The three hubs can communicate with each other using BGP and can see each other in their respective route tables.

 

The issue I have is that when I remove the static routes from the MX100 hub, it causes the branch sites to lose connectivity to Azure services and also to our primary domain controller, which is located on the same site as the MX100.

 

Is there a way of decoupling the MX100 from the schema without causing connectivity issues with existing services?

I will provide some screenshots of the existing setup.

 

Existing Original Hub with static Routes to allow outside connectivity via internal Firewall

J_Donegan_0-1720518840868.jpeg

 

 

MX 100 local networks

J_Donegan_1-1720519817448.png

 

These are the vMX hubs and their BGP settings.

 

J_Donegan_2-1720520502912.jpeg

 

J_Donegan_3-1720520544276.jpeg

 

 

7 Replies 7
GreenMan
Meraki Employee
Meraki Employee

There's not a lot of info to go on here, but I'm suspicious of the static nature of the existing routing.   At the point of migration, are you making appropriate changes in Azure to ensure the remote subnets are pointed towards the VMXs?   Presumably you're using the Azure Route Server as the upstream eBGP peer for those VMXs ..?

J_Donegan
Just browsing

The goal is to remove the MX100 so there is no visibility of it. At the moment its using iBGP to communicate with the vMX hubs. There is this option to change the mode on the MX100 from routed to passthrough or vpn concentrator

J_Donegan_0-1720527373243.png

 

PhilipDAth
Kind of a big deal
Kind of a big deal

Have you configured the branch sites to use the VMXs as their hubs as well?

J_Donegan
Just browsing

All sites are using the Hubs ,but when you check the VPN status of the branch the MX100 is still showing up - probably because of iBGP.

 

J_Donegan_1-1720527552372.pngJ_Donegan_2-1720527614661.png

 

 

GreenMan
Meraki Employee
Meraki Employee

If the spokes are not configured to use the MX100 as a hub, they won't (continue to) form a tunnel to that Hub - it will take some time for the Dashboard UI to reflect that though.

J_Donegan
Just browsing

The change was made over an hour ago. II will keep any eye.

GreenMan
Meraki Employee
Meraki Employee

A quick pcap for packets between the MXs will reveal whether anything active is happening, by way of tunnelling

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels