I'm working on a design for a customer and they want to place 2 vMX in AWS and terminate the VPN tunnels of +/-120 remote sites on these vMXs.
=> The Vmx will be used as a hub
=> In the branches there will be small MX appliances working in NAT mode
Traffic from a spoke should follow the path:
- Traffic from the spoke will be encrypted in the AutoVPN tunnel and routed to the highest priority vMX. If the vMX hub fails, it sends the traffic towards the 2nd vMX hub.
- Traffic will be decrypted in the hub vMX and should be routed towards a connected (virtual) MPLS router
- From the MPLS router it will be forwarded into the MPLS cloud to one of their DCs
I understood from the documentation that the vMX can only work in VPN concentrator mode (L2 bridging), and with this mode routing is disabled.
=> This means that the vMX will not know about the routes behind the virtual MPLS router and I think it will drop the traffic.
In my (humble) opinion the vMX is not made for this setup, in the VPN concentrator mode the vMX can reach the local attached subnets but it can route traffic to another router.
Am I correct in this? Or is there another solution with the vMX?
Another problem is that the return traffic should be able to reach the correct vMX, otherwise there is a risk that the traffic is routed over AutoVPN tunnel 1 (with vMX hub 1) and the return traffic from the DC will come in on vMX hub 2.
=> I don't know how the vMX will react to asymmetric traffic. Did anybody have a setup like this?
The vMX cannot be used as an AutoVPN hub (this applies to AWS & Azure). See here: https://documentation.meraki.com/MX-Z/Installation_Guides/vMX100_Setup_Guide_for_Microsoft_Azure
Tx for the quick reply. In the VPN configuration you have the local networks which you can advertise. Is this like a Cisco router, where it needs to be available if you want to advertise it?
I assume that you are pointing to this chapter in the documentation ?
In full tunnel mode all traffic that the branch or remote office does not have another route to is sent to a VPN hub.
Note: This is not supported for virtual MX VPN concentrators operating within Azure.
The vMX in Amazon can be an auto VPN hub.
When using vMX, under "Security Appliance/VPN settings/Local networks" you define all the routes you want to be available (these will be published to the AutoVPN spokes). This can include your MPLS routes.
Any traffic that the vMX receives is sent to its default gateway, which is the VPC router. So as long as the VPC knows how to route to and from your MPLS circuit (and the MPLS circuit has return routes) you should be fine.
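To make the routing point above concrete, here is an added example (not from this thread or from Meraki) modelling the VPC route table as a longest-prefix-match lookup. The VPC CIDR, the MPLS prefix, the spoke summary and the next-hop names (eni-vmx-hub1, eni-vmx-hub2, vgw-mpls) are constructed placeholders. It also shows the asymmetric-return risk raised in the original question: when a spoke fails over to the second hub, a static VPC route table still sends the DC's return traffic to whichever vMX ENI it was configured with.

```python
# Added example, not code from the thread: a toy longest-prefix-match model of
# the VPC route table. All addresses and next-hop names are constructed.
import ipaddress


class VpcRouteTable:
    """VPC route table: longest-prefix match, nothing learned from the vMX."""

    def __init__(self):
        self.routes = []  # list of (ip_network, next-hop name)

    def add(self, cidr, next_hop):
        self.routes.append((ipaddress.ip_network(cidr), next_hop))

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        matches = [(net, nh) for net, nh in self.routes if addr in net]
        if not matches:
            return None
        # AWS selects the most specific route containing the destination
        net, nh = max(matches, key=lambda r: r[0].prefixlen)
        return nh


def build_vpc_table(spoke_summary, return_hub):
    """Constructed table: DC prefixes via the Direct Connect side,
    spoke prefixes via whichever vMX ENI the operator configured
    (an ENI used as a route target needs source/dest check disabled)."""
    rt = VpcRouteTable()
    rt.add("10.0.0.0/16", "local")        # VPC CIDR (assumed)
    rt.add("10.200.0.0/16", "vgw-mpls")   # DC prefixes reachable over MPLS (assumed)
    rt.add(spoke_summary, return_hub)     # spoke LANs -> vMX ENI (assumed)
    rt.add("0.0.0.0/0", "igw")            # everything else to the Internet
    return rt


def forward_path(rt, dc_ip, ingress_hub):
    """Spoke -> DC: the spoke chooses the hub; the hub hands the packet to the VPC router."""
    return [ingress_hub, rt.lookup(dc_ip)]


def return_path(rt, spoke_ip):
    """DC -> spoke: only the VPC route table decides which vMX gets the return traffic."""
    return ["vgw-mpls", rt.lookup(spoke_ip)]


def is_symmetric(rt, spoke_ip, dc_ip, ingress_hub):
    """True when the return packet lands on the vMX that carried the forward packet."""
    return forward_path(rt, dc_ip, ingress_hub)[0] == return_path(rt, spoke_ip)[1]


if __name__ == "__main__":
    rt = build_vpc_table("192.168.0.0/16", "eni-vmx-hub1")
    print(is_symmetric(rt, "192.168.5.10", "10.200.1.1", "eni-vmx-hub1"))  # True
    # The spoke fails over to hub 2, but the static VPC route table is unchanged
    print(is_symmetric(rt, "192.168.5.10", "10.200.1.1", "eni-vmx-hub2"))  # False
```

The model deliberately has no dynamic route updates: that is what makes the failover case asymmetric, and it is why the question of who updates the VPC route table (or whether return traffic via the other hub is acceptable) needs an answer in the design.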
Good catch @PhilipDAth - I didn't notice the hub limitation was Azure only.
Tx for the reply. I would put a FW in between the vMX and the VPC router so the vMX is protected from the internet.
=> In that case the default gateway would point to the FW
=> I would also enable OSPF on the vMX. This would mean that the spoke routes are advertised to the MPLS router so the MPLS router knows how to reach the spoke sites.
pressed enter a little bit too quick 🙂
I've added a drawing for clarification
The vMX runs the MX code, just in Amazon AWS. It is already a firewall. It doesn't need any additional protection.
The MPLS circuit (aka AWS Direct Connect) links into the VPC routing. So putting in a separate firewall for routing is going to create all manner of complications.
If you don't rely on the VPC for doing all the routing you are going to have a world of hurt.
OK, because I understood from the documentation that when you run the VPN concentrator mode you need to protect it from the internet because the FW functionality is not working.
Is it different then for the vMX?
Placing an MX appliance in Passthrough mode at the perimeter of your network with a publicly routable IP address is not recommended and can present security risks. As a best practice, Passthrough mode MX appliances should always be deployed behind an edge firewall.
=> since the spokes will connect over the internet towards the vMX hub I need a publicly routable IP address
When running either an MX or vMX in concentrator mode you need something to perform NAT to the internal network where the MX/vMX is sitting. This is typically another firewall. The firewall is not there to protect the MX/vMX.
MXs on MPLS tails using AutoVPN over MPLS need to have the same public IP address as the concentrator where the MPLS circuit accesses the Internet. A firewall provides this.