VPN subnet translation with an Azure vMX

SOLVED
StuartClarke
Conversationalist


I am looking to link up a customer who has a number of unconnected sites with clashing/overlapping IP ranges. I am aware that if I deploy an MX to each site I can use VPN subnet translation to deal with the IP clashes. I would also like to start moving the company's servers in Azure but I have read that VPN subnet translation doesn't work with non-Meraki VPN peers, so I was wondering about deploying a Meraki vMX in their Azure tenant to get around this.

Does anybody know if VPN subnet translation is supported on the vMX? Could I then use this to connect all their sites and the Azure 'site' together in a full mesh?

1 ACCEPTED SOLUTION
StuartClarke
Conversationalist

I raised it with Meraki support yesterday and they confirmed that the vMX does support subnet translation. 


11 REPLIES
alemabrahao
Kind of a big deal

Probably yes, but I recommend you read this article first:

https://documentation.meraki.com/Architectures_and_Best_Practices/Auto_VPN_Hub_Deployment_Recommenda...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Just remember that you have to contact support to enable this feature.

GreenMan
Meraki Employee

If I remember rightly, the translation happens entirely at the Spoke (the physical MX) - so the Hub in Azure or wherever is unaware of the original subnets. You won't be able to translate the subnets in use in Azure out to the Spokes.

alemabrahao
Kind of a big deal

@StuartClarke, I just confirmed it with Meraki support and they confirmed that it is possible to enable it on vMX.

StuartClarke
Conversationalist

I raised it with Meraki support yesterday and they confirmed that the vMX does support subnet translation. 

I told you 😅


Indeed you did but only after I'd already raised a ticket myself. Actually, now you mention it, I'm not sure why you would raise a ticket to ask my question??!

Just to confirm the information, because I don't have a vMX. Good luck. 😉

GreenMan
Meraki Employee

Just tested this in my lab and was somewhat surprised to confirm you can indeed configure VPN subnet translation. I guess my main question would be - why would you want to? A VMX is almost always going to be an AutoVPN Hub in VPN Concentrator mode, so you would be translating some or all of your local Azure subnets, but you would be translating to the same alternative subnet, for all of your AutoVPN Spokes. Why wouldn't you just get your native IP addressing harmonious for all your Spokes in the first place?

Yes, thanks, but my question was not about translating the Azure subnets, it was whether the VPN links from an Azure based vMX would honour the subnet translations on the local LANs.

As to why you would want to do this, I totally agree that sorting out the IP addresses on all sites to be unique would be the best solution, but unfortunately I live in the M&A world where time and budget constraints don't always allow us to sort the IP addresses out when merging a number of companies together. This technique would get us over the initial merger period and then we can sort the IP addressing out properly once the dust has settled.

The translation function only applies to the locally controlled subnets for the MX you're configuring it on; enabling it on the VMX only allows you to translate the subnets within the Azure environment. If you're looking to translate one/some of the subnets used at the Spokes, you configure it on the Spoke MX once and it's the translated subnet that gets known elsewhere within the AutoVPN. You can't translate for some/all of the Spoke subnets at the Azure VMX Hub.
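
A planning check for the model described in the last reply, where each site translates only its own subnets and the rest of the AutoVPN sees the translated range. This is an added example, not code from anyone in the thread or from Meraki; the site names, address ranges and the same-size 1:1 host mapping are assumptions made for illustration.

```python
import ipaddress
from itertools import combinations

# Constructed sample data: site names and ranges are made up for illustration.
# "translated" is the subnet configured on that site's own MX (None = not translated).
SITES = {
    "site-a":    {"local": "192.168.1.0/24", "translated": None},
    "site-b":    {"local": "192.168.1.0/24", "translated": "10.50.2.0/24"},
    "site-c":    {"local": "192.168.0.0/23", "translated": "10.50.4.0/23"},
    "azure-vmx": {"local": "10.100.0.0/16",  "translated": None},
}

def advertised(cfg):
    """Subnet the rest of the VPN learns for a site: translated if set, else local."""
    return ipaddress.ip_network(cfg["translated"] or cfg["local"])

def validate(sites):
    """Return a list of problems found in the plan (empty list = plan is consistent)."""
    problems = []
    for name, cfg in sites.items():
        # Assumption: translation is 1:1, so both subnets must be the same size.
        if cfg["translated"]:
            local = ipaddress.ip_network(cfg["local"])
            if local.prefixlen != advertised(cfg).prefixlen:
                problems.append(f"{name}: translated subnet size differs from local")
    # Only advertised subnets matter to other sites; local clashes stay hidden behind each MX.
    for (a, ca), (b, cb) in combinations(sites.items(), 2):
        if advertised(ca).overlaps(advertised(cb)):
            problems.append(f"{a} and {b} still overlap: {advertised(ca)} / {advertised(cb)}")
    return problems

def translate_host(cfg, host):
    """Map a local host address to the address other sites would use (same host offset)."""
    local, ip = ipaddress.ip_network(cfg["local"]), ipaddress.ip_address(host)
    if ip not in local:
        raise ValueError(f"{host} is not in {local}")
    if not cfg["translated"]:
        return ip
    return advertised(cfg)[int(ip) - int(local.network_address)]

if __name__ == "__main__":
    for problem in validate(SITES) or ["no overlaps among advertised subnets"]:
        print(problem)
    print(translate_host(SITES["site-b"], "192.168.1.25"))
```

Firewall rules and DNS records at other sites have to reference the translated addresses this produces, since the original ranges are never seen outside the site that owns them.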
