Meraki to Microsoft Azure - Full Tunnel

  • Published 26 Aug 2024

Comments • 29

  • @MrLopaka99 2 years ago

    Great presentation. I'm used to working on physical devices. I see the power of virtual networking; it is definitely the future.

    • @FadyNETDecorators 2 years ago

      Thanks Robert, I am also coming from the same background. I feel the right balance between physical and virtual appliances is the winner.

  • @chrisgreen5101 1 year ago

    Worth mentioning that the token lasts 1 hr once generated, so if you have a two-party config and a delay happens before using the token, it will expire.

  • @koollerkidd 3 years ago

    FYI - As of 3/19/2021: All MXs can be configured in either NAT or VPN concentrator mode. There are important considerations for both modes. If needed, refer to the article on concentrator modes for more detailed information.

    • @FadyNETDecorators 3 years ago

      Hi @Casey, thanks for your comment. Please note that on the vMX100 you might be able to configure NAT; however, Meraki is sunsetting the vMX100 and replacing it with vMX-S, vMX-M and vMX-L (in some cloud platforms), and on those you won't be able to configure the vMX in NAT mode. You won't find this option any more as of now. That might change in the future.

  • @wasbruce 3 years ago +1

    Hi Fady. Just wondering if you can comment on the use of a dedicated RG in your video. I am aware you need another RG because the one created is locked, but could it not be an existing one? Also, if you had an existing hub/spoke vNet topology, is there any reason to create a dedicated vNet for the vMX vs using the existing hub or another vNet? THANKS!

    • @FadyNETDecorators 3 years ago

      Hi.
      You can use any RG you have apart from the one automatically built when you deploy the vMX because, as you said, it will be locked.
      In terms of vNET, you will need a new one for the vMX to be able to control the routing; otherwise the built-in one will again be locked and you won't be able to peer it. If you already have an existing vNET in place, you can use it for sure. I tried to isolate the deployment in my video as much as possible so it can match more use cases. Hope that helps; if you have more questions, please don't hesitate to let me know.

  • @AzureMB 4 months ago

    If your Meraki managed application gets deleted in Azure, do you have to remove the appliance from Meraki and then start the process over again?

    • @FadyNETDecorators 4 months ago +1

      No, you just need the token, either the old one or a new one generated from the Meraki dashboard (vMX), and attach it to the new application in Azure.

  • @arjunbeerbhamra6423 3 years ago

    Hi Fady, does your comment to Casey mean we should start to plan a move to vMX Small from the current vMX100? This video is exceptional. Can we use the Azure Firewall instead of the Cisco CSR router? What is the advice? What are the disadvantages of leaving the vMX; is the tunnel not secure? What functionality do we gain by adding an Azure Firewall?

    • @FadyNETDecorators 3 years ago

      Hi Arjunbeer, the vMX100 will be supported till 2027, as announced in the end-of-life note from Meraki - meraki.cisco.com/lib/pdf/eol/meraki_eol_vmx100.pdf
      The vMX is not acting as a firewall; its main job is to concentrate the tunnels from the remote MXs. Hence, you will need to consider a stateful firewall in front of the vMX. It doesn't need to be a Cisco ASA; it can be any firewall (including Azure Firewall).
      The use case in the video is to help perform a full tunnel to Azure and exit to the internet from there.
      Please let me know if you have any questions.

  • @eriemiller1448 2 years ago

    Hi Fady, your recommendation is to use a vASA and not a router for NAT and routing. I assume the same static routes and peering between the vNets apply in this scenario to force ALL traffic to egress from the vMX_RG to the "ASA_RG" via the vASA outside interface? Are there any other caveats to consider when using the vASA instead of the CSR 1000V? Specifically, should I place my VMs in the vMX_RG or in the ASA_RG?

    • @FadyNETDecorators 2 years ago

      Hi Erie, your assumption is right, and the vASA will do the exact same function as the CSR1000V. No caveats there. vMX_RG is just a name, so you can use it or change it to ASA_RG.

  • @h.s.k.007 1 year ago

    Is there an option to route the traffic towards the internet directly from the vMX, coming from the remote MX over the full tunnel? If this is not achievable, please help by explaining why not.

    • @FadyNETDecorators 6 months ago

      It can be achieved now by using the NAT feature on the vMX, so the remote subnets of your MXs can be NAT-ted to the vMX IP, which is known within your Azure environment.

  • @joeydebra763 3 years ago

    Azure networking is a blur for me, but your video clarified a few things already. I'm curious: if you use the vMX with BGP enabled, can you have your spoke subnets automatically populated in that routing table? How about if you're using two Azure regions for high availability?

    • @FadyNETDecorators 3 years ago +1

      Hi Joey, thanks for your question. We can use BGP to inject the routes instead of using static routes for sure, but please note that we still need a router to perform NAT, as Azure won't perform the NAT for non-VPC subnets.
      In terms of high availability, you will need to consider Azure Route Server and some scripting for the failover. Here is great info about the deployment:
      githubmemory.com/repo/MitchellGulledge/Azure_Route_Server_Meraki_vMX

  • @tariqmahmood5859 1 year ago

    I am implementing the vMX behind a FW. The question is, I have a DNAT option, so if I take your scenario with the Azure FW, does it mean the IP address of the vMX and the destination will be the branch office public IP address? I only get the DNAT option in the firewall.

    • @FadyNETDecorators 1 year ago

      Hi Tariq, one thing to note: Azure might not allow you to DNAT the remote subnets from the branches, as they are not defined as Azure VNETs; hence I am having this Cisco virtual router NAT the branch subnets.

  • @Velicheti 1 year ago

    Hi Fady, just seen the video and it's great. After seeing this I was curious to know if a similar scenario works to authenticate Meraki wireless users using Azure AD through the VPN tunnel. Can we achieve this?

    • @FadyNETDecorators 1 year ago

      Hi Ravi, my colleague Yuji has written a really fantastic blog about the use case of using LDAP directly with the AP using the local auth feature; please check the blog post here.
      apicli.com/2021/12/13/meraki-mr-802-1x-with-azure-active-directory/

    • @Velicheti 1 year ago

      @FadyNETDecorators I will go through it. Thanks for the quick response.

  • @glennroncal285 2 years ago

    Fady, nice video. Question: how is licensing handled on a vMX?

    • @FadyNETDecorators 2 years ago

      Hi Glenn, thanks for your kindness.
      Meraki has different license tiers for the vMX (depending on the size of the deployment): vMX-S / vMX-M / vMX-L (currently not available in Azure). The link below has the specs to choose which license is suitable for your project.
      meraki.cisco.com/product-collateral/mx-family-datasheet/?file

  • @robertpratt9766 3 years ago

    Hello, great video. I have a question. Previously you stated the CSR1kv is needed for NAT, but I have the vMX as my edge device and it's working properly. Since you made your video, do you think changes have been implemented? I see on my vMX under VPN status that I'm showing a NAT translation.

    • @FadyNETDecorators 3 years ago

      Hi Diego, do you have the vMX in AWS or Azure?

  • @jeremychase9134 3 years ago

    I got to the step of "sh ip nat trans" and I have 0 translations... what does that mean?

    • @jeremychase9134 3 years ago

      Never mind, I figured out that my IP scheme by default was not 10.1.1.0 but 10.0.1.0.

    • @FadyNETDecorators 3 years ago

      Oh great, let me know if you have any questions.
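Several of the threads above circle around the same step: the branch subnets arriving over the vMX full tunnel are not Azure VNet prefixes, so Azure will not NAT them itself, and a Cisco CSR 1000v (or vASA) in front of the vMX translates them before the traffic exits to the internet. Jeremy's empty "sh ip nat trans" is the classic symptom of a NAT ACL that does not match the real branch prefix. The configuration below is an added example for this page, not the video's configuration and not a Meraki or Cisco artifact. Interface roles and all addresses are assumed: 10.30.0.0/24 is the CSR's outside subnet, 10.31.0.0/24 its inside subnet, 10.20.0.4 the vMX's private IP in the peered vMX vNet, and 10.0.1.0/24 is the branch LAN, using the prefix Jeremy found in his default scheme.

```cisco
! Added example: CSR 1000v as the NAT/egress hop for a Meraki vMX full tunnel in Azure.
! Hypothetical addressing; replace every prefix with your own.
!
!   GigabitEthernet1  10.30.0.4/24  outside (Azure subnet carrying the public IP)
!   GigabitEthernet2  10.31.0.4/24  inside  (Azure subnet peered to the vMX vNet)
!   10.31.0.1 / 10.30.0.1            Azure's first-usable-IP gateway on each subnet
!   10.20.0.4                        vMX private IP (reached via vNet peering)
!   10.0.1.0/24                      branch LAN behind the remote MX
!
interface GigabitEthernet1
 description OUTSIDE - towards Azure internet egress
 ip address 10.30.0.4 255.255.255.0
 ip nat outside
 no shutdown
!
interface GigabitEthernet2
 description INSIDE - towards the peered vMX vNet
 ip address 10.31.0.4 255.255.255.0
 ip nat inside
 no shutdown
!
! Azure is the next hop on both sides: the fabric, not the CSR, delivers packets
! to the vMX in the peered vNet. Return traffic for the branch must leave via the
! inside subnet; everything else follows the default route out of the outside subnet.
ip route 10.0.1.0 255.255.255.0 10.31.0.1
ip route 0.0.0.0 0.0.0.0 10.30.0.1
!
! Translate only the branch subnets. If this ACL does not match the prefix the
! remote MX actually advertises (10.0.1.0/24 here, not 10.1.1.0/24),
! "show ip nat translations" stays empty and branch traffic is dropped on egress.
ip access-list extended BRANCH-SUBNETS
 permit ip 10.0.1.0 0.0.0.255 any
 deny   ip any any
!
! PAT the branch sources to the outside interface address. Azure then maps the
! outside private IP to the public IP attached to GigabitEthernet1.
ip nat inside source list BRANCH-SUBNETS interface GigabitEthernet1 overload
!
! Verification after a branch host browses out:
!   show ip nat translations        (one entry per branch flow, Inside global = 10.30.0.4)
!   show ip nat statistics          (hit counters on BRANCH-SUBNETS; zero hits = ACL mismatch)
!   show ip route 10.0.1.0          (must point at 10.31.0.1, not the default route)
```

The Azure side is what the thread calls "the static routes and peering". For this to forward at all, IP forwarding must be enabled on both CSR NICs and on the vMX NIC; a UDR on the vMX subnet must send 0.0.0.0/0 to the CSR's inside IP (10.31.0.4) so branch traffic leaving the tunnel reaches the CSR; and a UDR on the CSR's inside subnet must send 10.0.1.0/24 to the vMX's IP (10.20.0.4) so the return traffic re-enters the tunnel. Without that second UDR the CSR's static route to 10.31.0.1 hands the packet to Azure, which has no route for a non-VNet prefix and discards it.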