PSA: New vMX Nat Mode

Mloraditch

If you deploy vMXs you should probably read this: https://documentation.meraki.com/MX/Other_Topics/vMX_NAT_Mode_Use_Cases_and_FAQ

 

I stumbled upon it checking out the MX new features info. Not sure I like this being the default as it can make troubleshooting more difficult.

This is listed as being only in 18.103 and later in the feature guide, but the more detailed article above doesn't make that distinction.

MyHomeNWLab

FYI

Previously, I have enabled NAT Mode [Routed Mode / NAT Mode Concentrator / Limited NAT mode] on Meraki vMX for verification purposes,
but the configuration methods and constraints are complex.

* Originally, NAT Mode could not be selected without requesting support.

* Redundancy is limited in NAT Mode because it cannot be a DC-DC Failover topology.

* Since address translation is performed in NAT Mode, the Public Cloud side cannot connect to the Branch side.
  This is because the Uplink of vMX is equivalent to WAN1 due to NAT Mode.
  The behavior is similar to the general inability to connect from a WAN (Untrust) to a LAN (Trust).

* LAN side settings are special.

  LAN setting: Single LAN
  MX IP: MX's IP Address
  Subnet: Subnet to which vMX belongs

  CAUTION: Communication to the specified subnet will be unavailable.
  Therefore, vMX should belong to a dedicated subnet for each instance.
  Because of this characteristic, either VPN mode setting is acceptable.

  A reboot is required for the settings to take effect.

* The Full Tunnel (IPv4 default route) setting is required because the VPN mode setting is practically meaningless.
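The LAN-side constraints listed in the post above (the MX IP must sit inside the Single LAN subnet, that subnet becomes unreachable through the vMX in NAT mode, so every vMX instance needs its own dedicated subnet) turned into a pre-flight check, added here as an example; it is not code from this thread or from Cisco Meraki. It assumes the Dashboard API v1 call PUT /networks/{networkId}/appliance/singleLan with the fields `subnet` and `applianceIp`, taken from the public API reference rather than from this thread, and the workload subnets, instance names and addresses are constructed sample data.

```python
import ipaddress
import json
import urllib.request

# Constructed sample data (not from the thread): cloud subnets that branches
# must still reach over AutoVPN after the vMX is switched to NAT mode.
WORKLOAD_SUBNETS = ["10.20.1.0/24", "10.20.2.0/24"]


def lan_problem(mx_ip, subnet, workload_subnets):
    """Return "" if (mx_ip, subnet) is a usable NAT-mode Single LAN, else the reason.

    Encodes the constraints from the post: the MX IP must be a host address inside
    the subnet, and because traffic to that subnet is unreachable through the vMX
    in NAT mode, the subnet must not overlap any subnet that still needs reaching.
    """
    try:
        lan = ipaddress.ip_network(subnet, strict=True)  # strict: reject host bits set
        ip = ipaddress.ip_address(mx_ip)
    except ValueError as e:
        return f"invalid address or prefix: {e}"
    if ip not in lan:
        return f"MX IP {ip} is not inside {lan}"
    if ip in (lan.network_address, lan.broadcast_address):
        return f"MX IP {ip} is the network or broadcast address of {lan}"
    for ws in workload_subnets:
        w = ipaddress.ip_network(ws, strict=True)
        if lan.overlaps(w):
            return (f"{lan} overlaps workload subnet {w}: in NAT mode that subnet "
                    f"becomes unreachable via the vMX, so use a dedicated subnet")
    return ""


def plan_fleet(instances, workload_subnets):
    """Build the singleLan request body for every vMX and enforce one dedicated
    subnet per instance (no two instances may share or overlap a subnet).

    instances: iterable of (name, mx_ip, subnet). Returns {name: body}.
    Raises ValueError naming the first instance that fails a check.
    """
    plans = {}
    accepted = []  # (name, network) pairs that already passed
    for name, mx_ip, subnet in instances:
        why = lan_problem(mx_ip, subnet, workload_subnets)
        if why:
            raise ValueError(f"{name}: {why}")
        lan = ipaddress.ip_network(subnet)
        for other_name, other in accepted:
            if lan.overlaps(other):
                raise ValueError(f"{name}: {lan} overlaps {other} used by "
                                 f"{other_name}; each vMX needs a dedicated subnet")
        accepted.append((name, lan))
        # Field names of PUT /networks/{networkId}/appliance/singleLan (API v1);
        # assumed from the public API reference, not from the thread.
        plans[name] = {"subnet": str(lan), "applianceIp": str(ipaddress.ip_address(mx_ip))}
    return plans


def push_single_lan(api_key, network_id, body):
    """Apply one plan through the Dashboard API. Needs network access, so it is
    not exercised offline; the reboot the post says is needed for the change to
    take effect is left to the operator."""
    req = urllib.request.Request(
        f"https://api.meraki.com/api/v1/networks/{network_id}/appliance/singleLan",
        data=json.dumps(body).encode(),
        method="PUT",
        headers={"Authorization": f"Bearer {api_key}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    fleet = plan_fleet([("vmx-east", "10.99.0.2", "10.99.0.0/24"),
                        ("vmx-west", "10.99.1.2", "10.99.1.0/24")], WORKLOAD_SUBNETS)
    print(json.dumps(fleet, indent=2))
    # A vMX dropped into a workload subnet is rejected with the reason:
    print(lan_problem("10.20.1.5", "10.20.1.0/24", WORKLOAD_SUBNETS))
```

Run the checks before touching the dashboard: a plan that fails `lan_problem` would silently cut branches off from whatever shares that subnet, which matches the CAUTION in the post, and the overlap test between instances catches the case where two vMXs are placed in the same cloud subnet.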

 

alemabrahao

@Mloraditch, this firmware is still beta, I did some tests and this version has several instabilities. I recommend not installing it yet.
