MX Site-to-Site VPN with BGP

cookiejc
Here to help

MX Site-to-Site VPN with BGP

Good Morning, my google skills are failing me and I cant find an answer to this.

 

I am looking to establish a site-to-site VPN from an MX to an Azure VPN gateway. We often do this without using a routing protocol but have hit a customer where automatic routes would come in handy

 

Does the MX series support using BGP in this scenario? I can see some documentation around BGP but cant see anything in the MX to turn this on

 

Thanks in advance 

9 REPLIES 9
KarstenI
Kind of a big deal
Kind of a big deal

When the MX runs in VPN-Concentrator-mode you can activate BGP to participate in dynamic routing. I am not really sure if this will integrate with external VPN-peers (don't think so), but if you place a vMX into Azure you should be able to do all your routing dynamically.

GreenMan
Meraki Employee
Meraki Employee

This isn't possible with non-Meraki VPN.   Did you consider using vMX in Azure instead?   This would allow all the SD-WAN features, in addition to BGP

cookiejc
Here to help

Thank you all for the responses. I have considered xMX but am a bit put off by the additional cost and complexity of configuring a HA vmx setup compared to the native solution of an Azure VPN. 

 

Happy to be persuaded otherwise tho if there is a valid argument there!

GreenMan
Meraki Employee
Meraki Employee

There are so many advantages to using VMX (and therefore AutoVPN) over non-Meraki VPN, that it's hard to know where to start.   The most important is likely to be in the resilience offered;   your MXs connect to both VMXs concurrently and you get far better failover capability - particularly if your branches also have dual WAN uplinks.   Given the importance of modern Azure deployments, it really costs in, for most customers.

cookiejc
Here to help

Thank you for this. I do understand the benefits and would like to try the VMx route although the failover capability within Azure does seem limited compared to an Azure VPN. I see that the approach is using Azure functions to change user defined routes for failover rather than something more dynamic

 

Cost is certainly the biggest factor. We are talking 2 x licenses for vMX plus the running cost of two virtual machines, disks etc, compared with deploying a gateway. It would be much preferable if a dynamic routing protocol was supported from the MX on a site-to-site VPN

 

Thanks for all the advice

 

 

 

 

PhilipDAth
Kind of a big deal
Kind of a big deal

If it is any consequence, I would say about 90% of my customers only deploy a single VMX into Azure.  It's a lot simpler, and the number of failure cases you are protecting against in a public cloud provider is a lot less than an on-premise setup.

Thanks! I think this is probably where we'll end up or stick with a VPN gateway and deal with the lack of dynamic routing

GreenMan
Meraki Employee
Meraki Employee

I have yes thanks that does look ideal! - Unfortunately, it adds another £280.00 a month on top of the stuff I mentioned before to make a Zone redundant HA solution based on vMX compared to a VPN gateway which has this built in.

 

vMX would be my preference but it doesn't look viable in this scenario. Appreciate all the advice

 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels