MX Site-to-Site VPN with BGP

cookiejc
Here to help

Good morning, my Google skills are failing me and I can't find an answer to this.

I am looking to establish a site-to-site VPN from an MX to an Azure VPN gateway. We often do this without using a routing protocol but have hit a customer where automatic routes would come in handy.

Does the MX series support using BGP in this scenario? I can see some documentation around BGP but can't see anything in the MX to turn this on.

Thanks in advance

KarstenI
Kind of a big deal

When the MX runs in VPN-Concentrator-mode you can activate BGP to participate in dynamic routing. I am not really sure if this will integrate with external VPN-peers (don't think so), but if you place a vMX into Azure you should be able to do all your routing dynamically.

GreenMan
Meraki Employee

This isn't possible with non-Meraki VPN. Did you consider using vMX in Azure instead? This would allow all the SD-WAN features, in addition to BGP.

cookiejc
Here to help

Thank you all for the responses. I have considered vMX but am a bit put off by the additional cost and complexity of configuring a HA vMX setup compared to the native solution of an Azure VPN.

Happy to be persuaded otherwise though if there is a valid argument there!

GreenMan
Meraki Employee

There are so many advantages to using vMX (and therefore AutoVPN) over non-Meraki VPN, that it's hard to know where to start. The most important is likely to be in the resilience offered; your MXs connect to both vMXs concurrently and you get far better failover capability, particularly if your branches also have dual WAN uplinks. Given the importance of modern Azure deployments, it really costs in, for most customers.

cookiejc
Here to help

Thank you for this. I do understand the benefits and would like to try the vMX route, although the failover capability within Azure does seem limited compared to an Azure VPN. I see that the approach is using Azure functions to change user defined routes for failover rather than something more dynamic.

Cost is certainly the biggest factor. We are talking 2 x licenses for vMX plus the running cost of two virtual machines, disks etc, compared with deploying a gateway. It would be much preferable if a dynamic routing protocol was supported from the MX on a site-to-site VPN.

Thanks for all the advice

PhilipDAth
Kind of a big deal

If it is any consequence, I would say about 90% of my customers only deploy a single vMX into Azure. It's a lot simpler, and the number of failure cases you are protecting against in a public cloud provider is a lot less than an on-premise setup.

cookiejc
Here to help

Thanks! I think this is probably where we'll end up, or stick with a VPN gateway and deal with the lack of dynamic routing.

GreenMan
Meraki Employee
cookiejc
Here to help

I have, yes, thanks, that does look ideal! Unfortunately, it adds another £280.00 a month on top of the stuff I mentioned before to make a Zone redundant HA solution based on vMX compared to a VPN gateway which has this built in.

vMX would be my preference but it doesn't look viable in this scenario. Appreciate all the advice.
