I want to migrate a Cisco DMVPN network to a Meraki MX SD-WAN network. DMVPN main hubs are at a Service Provider Data Center, which in turn, provides an Express Route connection to an Azure private cloud where all services are located.
I would like to build a vMX VNET at the Azure Cloud and use BGP to route to other VNETs (workload). This way I will remove the Service Provider dependency.
Any advice, comments, or suggestions on the difficulties of implementing this type of network? Anything in particular I need to pay attention to?
Before deploying the VMX, create a dedicated subnet to put it into. Or, worst case, absolutely do not put it into a subnet containing servers that users will need access to. If you break this rule you can experience low levels of intermittent packet loss.
When deploying, the instructions say to select an availability zone - don't do this. Select none. If you select an availability zone you get "Standard IP SKU", which blocks all inbound access. This reduces the reliability and functionality of the VMX (for example, you can't enable AnyConnect, and some AutoVPN failure cases take longer to recover).
Configure a manual NAT traversal using a specific port, say udp/10000. Make sure you allow this port inbound using the Azure network security group. Doing this allows the system to recover from AutoVPN failures much quicker.
The default configuration deploys the VMX in NAT mode now (bad change Meraki ...). Once deployed you can't change this without deleting the VMX and re-deploying. So before deploying change the VMX mode back to VPN concentrator mode.
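The reply above boils down to a small amount of Azure plumbing that has to exist before the vMX is deployed from the Marketplace: a subnet that holds nothing but the vMX, and a network security group that lets the manual NAT traversal port in. The following Bicep template is an added illustration of that pre-work, not configuration from the reply or from Meraki; the VNet name, the /28 address range, the resource names and the API version are assumptions, and the port matches the udp/10000 suggested above. The vMX itself, the "no availability zone" choice and the VPN concentrator mode are still selected during the Marketplace deployment and are not expressed in this template.

```bicep
// Added example, not from the thread: dedicated vMX subnet plus an NSG that permits
// the manual AutoVPN NAT traversal port inbound. Names and ranges are assumptions.
param location string = resourceGroup().location
param vnetName string = 'vnet-hub'                // assumption: existing hub VNet
param vmxSubnetPrefix string = '10.0.250.0/28'    // assumption: small range, vMX only
param natTraversalPort int = 10000                // the udp/10000 port suggested in the reply
param allowedPeerSources string = '*'             // assumption; narrow to branch egress IPs if they are static

// NSG with a single inbound rule for the manual NAT traversal port.
// Azure's default rules still permit VirtualNetwork-to-VirtualNetwork traffic,
// so the workload VNets reach the vMX without an extra allow rule.
resource vmxNsg 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'nsg-vmx'
  location: location
  properties: {
    securityRules: [
      {
        name: 'allow-autovpn-manual-nat-traversal'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Udp'
          sourceAddressPrefix: allowedPeerSources
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: string(natTraversalPort)
        }
      }
    ]
  }
}

// Reference the existing hub VNet rather than creating one.
resource hubVnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = {
  name: vnetName
}

// Dedicated subnet for the vMX, with the NSG attached. Nothing else should be
// placed in this subnet; pick it when the Marketplace deployment asks for a subnet.
resource vmxSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' = {
  parent: hubVnet
  name: 'snet-vmx'
  properties: {
    addressPrefix: vmxSubnetPrefix
    networkSecurityGroup: {
      id: vmxNsg.id
    }
  }
}

output vmxSubnetId string = vmxSubnet.id
```

Deploy it into the hub resource group (for example with `az deployment group create --template-file vmx-prereqs.bicep`), then start the vMX Marketplace deployment, choose `snet-vmx` as the subnet, leave the availability zone unset, and set the mode to VPN concentrator before confirming, since the mode cannot be changed afterwards. Keeping `allowedPeerSources` at `*` is the common case because branch MX appliances often sit behind dynamic or NATed addresses; if every branch has a static egress IP, restricting the source is a cheap way to cut exposure of the NAT traversal port.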
PhilipDAth, thank you for your comments. So, basically the vMX should remain as VPN Concentrator, right? How about the firewalling? I would need a FW in front of the vMX. Or, if this is only Auto-VPN tunnels, could I get by without a firewall?