vMX - NAT mode and DHCP

thomasthomsen
Head in the Cloud

vMX - NAT mode and DHCP

So reading in the vMX Setup guide I see NAT mode.

What is this, in relation to NAT mode on a normal MX ?

Is it only for NAT'ing over the VPN ?

 

The second question I have, how do I change the MX from Onearmed to NAT ?

The Setup guide says this is possible, with a restart, it just omits how.

 

Regarding DHCP.

If in NAT mode, can I then have a DHCP server running for subsites on this thing ?

Like if I wanted a central DHCP server (in Azure), I know this is not, in any way optimal, or probably advised, but I really want to know 🙂

 

Thanks 🙂

/Thomas

12 REPLIES 12
DarrenOC
Kind of a big deal
Kind of a big deal

Hi @thomasthomsen 

 

NAT mode will translate your internal address space and present the source/Public IP to the internet.

 

To change from one-armed concentrator to NAT go to Security & SD-WAN > Configure > Addressing & VLAN's

 

Select Routed Mode

 

UCcert_0-1623422190664.png

 

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.

Yes yes ... that works all very well and fine on a normal MX.

But a vMX ?

Not so much it appears.

As you can see, there is no Addressing & VLANs page.

thomasthomsen_0-1623424447505.png

 

So either my vMX has a bug, or this is why its not specified in the documentation 🙂

 

@thomasthomsen : hope you all covered this 

Inderdeep_0-1623424842575.png

 

Regards/Inder
Cisco IT Blogs awarded in 2020 & 2021
www.thenetworkdna.com

I started here : https://documentation.meraki.com/MX/MX_Installation_Guides/vMX_Setup_Guide_for_Microsoft_Azure

 

From this document:

Concentrator Mode 

All MXs can be configured in either NAT or VPN concentrator mode. There are important considerations for both modes. If needed, refer to the article on concentrator modes for more detailed information.

One-Armed Concentrator 

In this mode, the MX is configured with a single Ethernet connection to the upstream network. All traffic will be sent and received on this interface. This is the only supported configuration for MX appliances serving as VPN termination points into Azure Cloud.

NAT Mode Concentrator 

In this mode, the MX is configured with a single Ethernet connection to the upstream network and one Ethernet connection to the downstream network. VPN traffic is received and sent on the WAN interfaces connecting the MX to the upstream network and the decrypted, unencapsulated traffic is sent and received on the LAN interface that connects the MX to the downstream network. 

 

Note: A limited NAT mode capability can be enabled on the vMX in which traffic from the spokes will be NATed to the vMX's IP as it egresses the vMX in to your datacenter.  Other capabilities of the NAT mode including DHCP, HA or multiple ports (LAN and WAN) are not supported.  In each mode the vMX is still a one-armed appliance with one network interface

 

If you wish to change the concentrator mode after the vMX deployment, you must restart the instance for the changes to be applied. Please choose the desired concentrator mode before the vMX deployment.

 

The document does not tell how you change this mode. - It just says you have to restart the instance ?

So will it magically just change mode if I restart it ? - I highly doubt that 🙂

I think this might be the critical bit.

 

"Please choose the desired concentrator mode before the vMX deployment."

Yeah but why do they also write this then.

 

"If you wish to change the concentrator mode after the vMX deployment, you must restart the instance for the changes to be applied."

 

Lets just say: "Instructions unclear ....."

sorry @thomasthomsen - I didn't see the vmx element!

 

That sentence sums it up "In each mode the vMX is still a one-armed appliance with one network interface".  I only ever run these in concentrator mode.

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.

No problem, but I really wanted to test out the "other mode".

Because I want to know what it does, and what extra things I can get out of it.

But the problem is that there does not seem to be a way to convert it (even though the documentation says so).

What happens if you create the network as an appliance only, configure NAT mode, and then add the vMX?

 

Or maybe use a template?

LinkedIn ::: https://blog.rhbirkelund.dk/

Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂

All code examples are provided as is. Responsibility for Code execution lies solely your own.

I might imagine this is a Support Enabled operation as well though..
LinkedIn ::: https://blog.rhbirkelund.dk/

Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂

All code examples are provided as is. Responsibility for Code execution lies solely your own.

My thoughts as well (at this point), but the instructions are not good, can we all agree on that ? 🙂

Yes, I agree on that, Instructions are not that clear. However, I got NAT mode enabled for vMX by calling support team. They said, that is the only way for now.  

Get notified when there are additional replies to this discussion.