Meraki

Community

Meraki vMX: Switching from VPN Concentrator to Routed Mode

Solved
MauroF
Building a reputation
3 weeks ago
3 weeks ago

Meraki vMX: Switching from VPN Concentrator to Routed Mode

Hello,

I have a vMX (in VPN Concentrator mode) acting as the HUB on Azure, with multiple sites configured as spokes (a classic HUB-SPOKE Meraki SD-WAN architecture).

 

I’m considering switching the vMX to Routed mode so that traffic from my Azure services would exit through the vMX instead of Azure by default.

 

I’d like to clarify a few points. Among the main ones:

 

1. If I switch the vMX to Routed mode, will my spoke sites traffic become full-tunnel or will it remain split-tunnel for internet-bound traffic?

 

Mick

2.  Is NAT performed by the vMX applied on the WAN or on the LAN interface?

 

3. With this change, will clients in my spoke sites still be able to communicate seamlessly with my Azure servers, or could NAT introduce issues?

 

Any advice would be appreciated.

Thanks.

Labels:
0 Kudos
1 Accepted Solution
alemabrahao
Kind of a big deal
Kind of a big deal
3 weeks ago
3 weeks ago

1- Switching the vMX to Routed mode does not automatically change spoke site traffic to full-tunnel. The tunnel behavior (full vs. split) is determined by the Site-to-Site VPN configuration on each spoke MX. If the spokes are configured for split-tunnel, internet-bound traffic will continue to exit locally at the spoke.

 

If you want Azure services to route outbound traffic through the vMX, Routed mode allows you to define default routes (0.0.0.0/0) on the vMX, which can be advertised to spokes if desired. This could make the vMX act as an internet exit hub, but only if the spokes are configured to use it as such.

 

2- In Routed mode, NAT is performed on the WAN interface. The MX will NAT outbound traffic from LAN subnets to the WAN IP when no specific route exists for the destination. This is typical behavior for internet-bound traffic.


3- Yes, spoke clients can still communicate with Azure servers, but there are some considerations:

  • Auto VPN routes between spokes and the vMX will still function normally.

  • NAT on the vMX could affect return traffic if Azure services are expecting traffic from the original source IP but receive it from the vMX’s NATed IP instead.

  • If Azure services are sensitive to source IPs (e.g., for firewall rules or logging), you may need to adjust those configurations to account for NAT behavior.


To avoid issues, ensure static routes and firewall rules are correctly configured and consider using private IPs and bypass NAT where possible for internal Azure communication.

 

MX Routing Behavior - Cisco Meraki Documentation

VPN Concentrator Deployment Guide - Cisco Meraki Documentation

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

View solution in original post

4 Replies 4
alemabrahao
Kind of a big deal
Kind of a big deal
3 weeks ago
3 weeks ago

1- Switching the vMX to Routed mode does not automatically change spoke site traffic to full-tunnel. The tunnel behavior (full vs. split) is determined by the Site-to-Site VPN configuration on each spoke MX. If the spokes are configured for split-tunnel, internet-bound traffic will continue to exit locally at the spoke.

 

If you want Azure services to route outbound traffic through the vMX, Routed mode allows you to define default routes (0.0.0.0/0) on the vMX, which can be advertised to spokes if desired. This could make the vMX act as an internet exit hub, but only if the spokes are configured to use it as such.

 

2- In Routed mode, NAT is performed on the WAN interface. The MX will NAT outbound traffic from LAN subnets to the WAN IP when no specific route exists for the destination. This is typical behavior for internet-bound traffic.


3- Yes, spoke clients can still communicate with Azure servers, but there are some considerations:

  • Auto VPN routes between spokes and the vMX will still function normally.

  • NAT on the vMX could affect return traffic if Azure services are expecting traffic from the original source IP but receive it from the vMX’s NATed IP instead.

  • If Azure services are sensitive to source IPs (e.g., for firewall rules or logging), you may need to adjust those configurations to account for NAT behavior.


To avoid issues, ensure static routes and firewall rules are correctly configured and consider using private IPs and bypass NAT where possible for internal Azure communication.

 

MX Routing Behavior - Cisco Meraki Documentation

VPN Concentrator Deployment Guide - Cisco Meraki Documentation

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
MauroF
Building a reputation
3 weeks ago
3 weeks ago

Thanks for your time to answer.Really helpful. 

Just one clarification: i can leave all my spokes in split-tunnel (enabling the vlans on vpn) without problem,correct?

0 Kudos
In response to MauroF
alemabrahao
Kind of a big deal
Kind of a big deal
3 weeks ago
3 weeks ago

Yes, you can do this without any problem.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
PhilipDAth
Kind of a big deal
Kind of a big deal
3 weeks ago
3 weeks ago

I haven't tried this in quite a while - but you used to have to delete and redpeloy the VMX to change the mode.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.