Meraki

Pugmiester · ‎Aug 4 2021

Hi ww, That was my assumption and have logged a ticket before we risk swamping our smaller MX's I can see some BGP route sumarisation in the DC teams future.

Pugmiester · ‎Aug 4 2021

Hi all, We've recently connected one of our data centres to our existing Auto-VPN SD-WAN using MX250's and these are talking BGP to routers in the DC to pickup around 20 subnets from the data centre routers. The strange thing is, those routes are only visible on the local MX's in the data centres (as BGP routes). They are not visible in the route table on any of the other hub or spoke MX's that are part of the same Auto-VPN configuration but somehow the traffic still gets through. I'm investigating as we are looking to hook up 2 other data centres that will then also feed us around 650 routes for the rest of the global organisation and if we get all of those routes appearing in Auto-VPN it's going to swamp the MX64's we have in our smaller offices if they are still recieving all of those routes but just not making them visible on the dashboard.

Pugmiester · ‎Apr 27 2021

That's what I thought. I was kinda hoping I was wrong but, back to the drawing board.

Pugmiester · ‎Apr 27 2021

Hi all, Can someone help me wrap my head around this please? We're looking to implement firewall rule that would permit traffic to specific destinations, while continuing to block everything else. The challenge is the destinations are cloud services so tend to contain many changing IP addresses. Looking of the details in the document below, it suggests it's possible, but only if the MX sees the DNS request to match it up with the client connection. https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/MX_Firewall_Settings What's not clear is if that DNS request must come from the client itself, rather than from an onsite DNS server that the client is talking to. Am I right in thinking this only works if the client machine is making the request to, for example Google DNS 8.8.8.8., so that the MX sees those requests and can match them directly back to the client IP then asking to get to sitexyz.com?

Pugmiester · ‎Mar 17 2021

No problem. It's usually me asking for help so it makes a change when I spot a question I might be able to answer before the experts beat me to it 🙂 "layer 8", I love that

Pugmiester · ‎Mar 16 2021

We have a similar setup with a single Azure subscription hosting a vMX with other subscriptions peered in. Apologise if I'm already talking about things you've done but we had 2 things we didn't spot when we started to move traffic over to this setup 1. Do you have a route table in VNET 2 pointing to the LAN IP of the vMX in VNET 1? Azure takes care of getting traffic between the VNET's but the route table gets traffic to anything outside Azure 2. Did you add the VNET 2 subnet as a local subnet on the vMX

Pugmiester · ‎Feb 25 2021

Hi all, just to confirm if anyone runs across this question in the future. Yes, you can switch the Auto-VPN to using BGP without having to immediately configure any external BGP peers. The Auto-VPN reconfigures itself and although Meraki support suggested there may be some outage time while that happened, with our 25 site mesh we didn't even drop a packet as far as I could tell.

Pugmiester · ‎Feb 11 2021

Hi, We've already spoken to Meraki support and they have activated the BGP options for us so we have the BGP settings available in the dashboard. We are planning to activate BGP on the dashboard so that the Auto-VPN can update for iBGP but at this time we do not have any eBGP peers available, the data centre team are still working on them. It's not clear from the documentation, if we have to enable BGP on the dashboard and at the same time make the peer connection to the data centre routers, but we are hoping that is not the case. We are hoping to just activate the iBGP options and let the Auto-VPN update and re-stabalise and then at a later date we add the peer to the DC router.

Pugmiester · ‎Feb 10 2021

Hi all, We're working to deploy a couple of MX's into regional data centres and will be using BGP to peer into the Auto-VPN. We've agreed an internal AS number to assign to the Meraki side but we don't have all of the data centre parts of the system in place yet. Are we able to still activate the BGP settings in the Auto-VPN so we can get the Meraki side of things updated to BGP and stable again (I understand the Auto-VPN will have to reconfigure itself internally) before we have to add in any BGP peers? I'm assuming we can, it's just not clear from the documentation

Pugmiester · ‎Jan 12 2021

Hi all, We're getting closer to what I hope will be a relatively simple task but I'm way out of my depth here so thought I would ask if the community has any advice on the subject. Essentially, we have an existing SD-WAN covering around 30 sites in Europe. The rest of our global organisation are using other technologies for regional connectivity and our top level idea is we deploy one (probably an HS pair) of our Meraki organisation MX's into each of the other regions, and have them peer locally using BGP to share routing between their local region and our MX so we have dynamic routing across the regions. The Meraki documentation is reasonably good but I've logged a support ticket to ask a few extra questions, mainly around timescales for activation and what interruption (if any) we are likely to see to our existing SD-WAN when we ask the support team to activate BGP. Does anyone have any experience of setting up BGP and if so any pitfalls we should look out for?

Pugmiester · ‎Sep 29 2020

I've had this on the back burner for a couple of weeks for one reason or another but am back at it today. Something I've noticed, and I don't remember seeing before, is that the vMX seems to be performing NAT on the traffic that passing between the subscriptions. A quick recap, our network in Azure looks a little like this - Sub A > Sub B < Sub C. A and C are VNET peered to B and each have a local route table for our SD-WAN subnets associated pointing to the LAN IP of the vMX in Sub B. Sub B hosts the vMX and is happily talking to our SD-WAN. It's also passing traffic from any client across the SD-WAN through SUB B and onto servers in Sub A or Sub C with no issues at all. Our problem lies in getting traffic between Sub A and Sub C. What I noticed today is that although I can ping from A to C, the packet capture on the vMX as well as the destination server (tcpdump) shows it being NAT'd and the source showing as the vMX LAN IP instead of the source server. The source server gets a reply so on the face of it connectivity seems to be working but if I hop up the stack with an HTTP connection, the same NAT appears to happen on the vMX and I even see a reply to the vMX LAN IP but then the vMX seems to have no idea what to do it it and the traffic never reaches the initial source machine. I didn't think a vMX in one armed concentrator mode (that's the only choice you get with a vMX in Azure) was supposed to perform NAT at all. It's really confusing.

Pugmiester · ‎Sep 10 2020

Having done a little more testing this morning, I can confirm that if I remove the user assigned route table from one of the peers, it's then only able to reach the internet or the hub subscription, thanks to the route put in place by Azure when the peering connection is brought up. Using the check box to allow "Configure gateway transit settings" make no difference to those routes. The last remaining peering option on the list is "Configure Remote Gateway settings" but that's greyed out because Azure doesn't believe the remote virtual network has a gateway. It seems the vMX isn't classified as a gateway. I'm still not sure if that would make a difference or not but I will continue to dig and Google.

Pugmiester · ‎Sep 10 2020

Hi Philip, thanks for the quick reply. We have indeed. Each of the Azure subnets we're making available over SD-WAN has an entry on the vMX and for traffic to/from any of our SD-WAN office locations, to/from any of the Azure subscriptions, we have end to end connectivity passing through the vMX and onto the relevant peered subscriptions. Where we seem to be getting stuck is passing traffic between 2 subs that are peered with the vMX Sub B. Each sub has a local route table attached to the relevant server subnet and these point to the LAN IP of the vMX as the next hop. The peering connection between the subs seems to make sure that connectivity is working. If I send traffic from Sub A to Sub C, the next hop leaving Sub A will be the vMX LAN IP and the vMX sees that traffic arrive in a packet capture but it never sees a response. The destination machine in Sub C (A linux box for simplicity, and tcpdump) never sees the packets arrive if they are coming from another Azure peered sub but has no issues if the source of traffic is from an SD-WAN connected location. But, you may have just sent me in a different direction... The Meraki Azure vMX setup guide has you creating a route table to attach to the vMX subnet but it doesn't mention having to do that anywhere else. I've assumed, up to this point, that I would have to add a route table individually to each peered subscription subnet but I now wonder if in fact all I need is to activate the gateway transit option and don't try to force traffic across the connection with an attached route table. OK, that's at least something I can test, I think, without breaking too many things. But I need another coffee first. Will report back as soon as I've updated things.

Pugmiester · ‎Sep 9 2020

Hi all, apologises for the rather large post but it's a complicated beast. We have a vMX up and running in Azure (following the Meraxi Azure vMX guide) and it's happily passing traffic from our physical SD-WAN boxes into and out of a number of Azure subscriptions peered to it but as we're migrating more services into Azure I've run across an issue that's frankly driving me bonkers. Our setup looks a bit like this :- Sub A <-- VNET Peering --> Sub B (The Hub, vMX lives here) <> SD-WAN to our on-premise locations Sub C <-- VNET Peering --> Sub B Sub D <-- VNET Peering --> Sub B etc... Our issue came to light as we started trying to access a service by passing through Sub B, for example a DNS server in Sub C. Traffic to or from the SD-WAN is no issue at all, but from Sub A or D the DNS traffic (or HTTP for a second simple test) goes to ground. Frustratingly, our trusted test tools ping and traceroute "just work"... Grrrr If I spin up a temporary Linux box with HTTP and DNS in SUB B, Sub A, C and D can all reach it as well as any location connected over SD-WAN. Looking at the Effective Route Table for a server in Sub A, it seems traffic that's using the "Default" peer route out of Sub A to Sub B is happy, but traffic that's using the "User" route table to get it to the vMX in Sub B seems to fail. The vMX see the traffic arrive in a local packet capture but then it never reaches the destination or sees any response which makes me think that maybe the vMX is getting in the way but for the life of me I can't see how. Of course the simple answer is just move the servers we need into Sub B but rebuilding our multi-layered ADFS setup in a new subscription (currently in a a Sub that's connected to our WAN using a very expensive ExpressRoute link we would like to kill) fills me with dread so I'd rather just peer it in but the DNS servers that also sit in that Sub are being relied on by the other Azure hosted subscriptions so everything dies when we do. "It's always DNS" after all. I spent an hour and a half on a call with MS support this morning getting packet captures which seem to have failed to catch the traffic in question so while I try to work out why, I thought I'd ask the awesome Meraki community to see if anything jumps out at anyone.

Pugmiester · ‎Aug 30 2020

Thanks @PhilipDAth, That's whati was hoping.

Pugmiester · ‎Aug 28 2020

Hi @PhilipDAth, We've just hit a roadblock trying to peer a couple of third party managed subscriptions to an existing subscription created especially for the purpose of being a hub running a vMX. The "experts" doing the work have just told use the setup they have build wont work and we have to build something they "think" is called a transit gateway. I'm more than a little frustrated after weeks of me Googling the answers for their "experts". But I digress. Would I be right in thinking that you can still deploy a vMX into a transit gateway account to be able to peer with the rest of our SD-WAN?

Pugmiester · ‎Jul 8 2020

One option you could look at, is using a secondary MX at your hub site (Main-MX location) to manage the ASA VPN link. That way, you can add a static route onto the Main-MX pointing to the VPN MX and that will allow you to publish the remote ASA subnets into SD-WAN. There's a great example walk through of this by Aaron Willette https://www.willette.works/merging-meraki-vpns/ We use this approach to bring in a couple of third party locations that need to reach services on site but are not part of our Meraki deployment.

Pugmiester · ‎Jul 6 2020

Thanks Philip, will take a look. I'm sure I'm just overthinking the problem. The eventual plan, once Meraki figure out the legal minefield, is to hook them up with a HA pair of MX's like every other site we have in EMEA but for the foreseeable future we cannot legally deploy any Meraki hardware to the country at all so we're stuck with whatever we can legally purchase in country, hoping it can support a reasonable security level, and try to connect that back to civilisation as best we can.

Pugmiester · ‎Jul 6 2020

It was the Azure side of things that I managed to get confused so just removing the vMX and redeploying worked for me.

Pugmiester · ‎Jun 22 2020

Hi all, We're almost at the end of our EU wide SD-WAN rollout (only around 30 sites but still...) and as I'm sure anyone who's ever done this will know, with Meraki "it just works" 🙂 We have a remaining office site that for current political reasons we can't deploy any Meraki hardware to site. We are looking at a simple third party VPN link (Probably using a locally sourced ASA) into a spare MX using the excellent reference article from Aaron Willette (https://www.willette.works/merging-meraki-vpns/) which we've already used to great success for an actual third party that needs access to an internal resource. I'm hoping to build a pair of 3rd party VPN links so we don't have a single point of failure but getting traffic flowing over the right VPN link seems like a challenge as each of the corporate LAN MX's would publish the same static route into the SD-WAN pointing to their local 3rd party MX. I have a vague recollection that it's possible to do some element of traffic steering using over the SD-WAN using the priority of the hub's that a spoke connects to but I don't think that's possible between hubs. Am I just overthinking the whole situation?

Pugmiester · ‎Jun 16 2020

I thought I would add one final update for anyone stumbling across this post in the future. There's a Meraki support document for the SD-WAN that clearly lists the ports needed for connections to both the dashboard and Auto-VPN peers. Somehow, all of my Googling never brought me to this page so I'm including the details plus the link below for future reference. Ports used to contact the VPN registry: Source UDP port range 32768-61000 Destination UDP port 9350 Ports used for IPsec tunneling: Source UDP port range 32768-61000 Destination UDP port range 32768-61000 https://documentation.meraki.com/MX/Site-to-site_VPN/Meraki_Auto_VPN

Pugmiester · ‎Jun 12 2020

Hi @PhilipDAth, thanks for the sanity check. I'm still confused how it's ever worked without the allowed inbound traffic but I'm working on a change plan for the AWS guys to open up the inbound firewall rules.

Pugmiester · ‎Jun 10 2020

Hi all, We've had a vMX up and running in AWS since the middle of April but somewhere around the early hours of June 6th it dropped all of the SD-WAN links. It's not in PROD yet so we didn't pickup a monitoring alert. Anyway, we still have dashboard access and neither a vMX or AWS Instance restart has not shaken it back into life but something hit me while I'm trying to figure out what's going on. The AWS Security Group is built from the dashboard recommended firewall rules for the site as recommended in the AWS vMX setup guide, including all the usual suspects for dashboard access, you know all the funky UDP ports and the like, but that gives you no ports I would have thought needed for IPSec (4500, 500, etc). I kinda assumed the dashboard did uber magic and the fact it was working made me suspect that was the case but maybe the initial setup had less rules on SG and the connections were up before it closed off the doors. I know this is something that should make sense but I'm way down on my coffee supply this morning. Should we have more outbound/inbound rules in place the IPSec links that the SD-WAN needs to operate?

Pugmiester · ‎Apr 20 2020

That's the sort of answer I was hoping for 🙂 It seemed odd that it wouldn't be easier to build up an HA setup if it was really needed.

Pugmiester · ‎Apr 20 2020

Hi all, We're on the verge of moving some connections into production using the vMX in Azure / AWS but the lack of an HA configuration, such as what you can build with the physical hardware, makes me a little nervous. I've seen the scripted AWS failover system put together by @PhilipDAth but I was wondering what you're experiences have been like as far as reliability with a single appliance. Is the underlying infrastructure generally reliable enough to stick with a single vMX or would you recommend the extra layer of complexity of a second appliance and some sort of user built routing/failover in AWS and Azure (unsure even how yet)? Thanks all.

About Pugmiester

Pugmiester

Community Record

Badges