Skip to main content
Cisco Meraki Documentation

vMX Setup Guide for Cisco UCM Cloud (UCMC)


For further details on setting up your private instance of UCMC, please refer to UCM Cloud Help.

This document helps qualified Cisco UCM Cloud partners who have completed integration to the UCM Cloud platform. Partners can establish processes and procedures to onboard customers to the UCM Cloud platform.

  • Use the document and supporting material to:
  • Understand customer onboarding phases
  • Understand Cisco and partner responsibilities
  • Turn up service for a fully integrated customer private instance

The audience for this document is product managers, operations personnel, support organizations, sales specialists, and partner/customer success organizations.

UCMC Customer Onboarding Phases

Activation of a private instance in UCM Cloud for the customer occurs in three distinct phases. Cisco and the partner have varied responsibilities during different stages of customer onboarding. It’s expected that the partner is fully integrated into UCM Cloud prior to onboarding a customer.

Before customer onboarding can start, the partner must complete peering and integration with Cisco UCM Cloud. This includes onboarding to the customer support process. For further details, refer to Cisco UCM Cloud Partner Onboarding Guide.


UCMC Reference Architectures

Meraki SD-WAN Deployment for HCS with MPLS.png

Example of Meraki SD-WAN deployment for a Cisco HCS customer with MPLS on headquarters.


Meraki SD-WAN deployment for HCS without MPLS.png

Example of Meraki SD-WAN deployment for a Cisco HCS customer without MPLS on headquarters.

For further details on setting up your private instance of UCM, please refer to UCM Cloud Help.


Meraki vMX Setup

The rest of this document is a walk-through for setting up a virtual MX (vMX) appliance in your Meraki dashboard for deployment to Cisco's UCM Cloud (UCMC) platform. After completing the steps outlined in this document, you will have a virtual MX appliance running in UCMC that serves as an Auto VPN termination point to your physical MX devices.

Currently, vMX on UCMC supports a one-armed concentrator configuration with split-tunnel hub-and-spoke VPN architecture. For more information on how to deploy a one-armed concentrator, please refer to the One-Armed VPN Concentrator Deployment Guide

Key Concepts

Concentrator Mode 

All MXs can be configured in either NAT or VPN concentrator mode. There are important considerations for both modes. Refer to our article for more detailed information on concentrator modes.

Note: NAT mode is not supported for virtual MX VPN concentrators operating within UCMC, as we rely on BGP peering from the vMX to the UCMC data center for routing to your UCMC-hosted call manager platform.

VPN Topology 

Split Tunnel 

In this configuration, branches will only send traffic across the VPN if it is destined for a specific subnet that is being advertised by another MX in the same dashboard organization. The remaining traffic will be checked against other available routes, such as static LAN and third-party VPN, and if not matched will be NATed and sent out the branch MX unencrypted.

This is the recommended and supported tunneling mechanism to reach UCMC, as only VOIP and call-setup traffic should route to UCMC. All other internet-bound traffic should not route to UCMC and will instead route direct to internet or via other hubs that may be connected to your branch.

Full Tunnel  

Note: Full Tunnel is not supported for vMX VPN concentrators operating within UCMC.

Meraki Dashboard Configuration

Begin by creating a new Security Appliance network in your organization. If needed, refer to the guide for creating a new network in the Meraki dashboard.

The Meraki dashboard will require a vMX license to be added before you are able to continue. If you do not have access to a vMX license, please reach out to your Meraki reseller or sales rep.

Create a Security Appliance network

Screen Shot 2020-11-30 at 3.34.43 PM.png

Once you have created the network and added the appropriate license you will be able to deploy a new vMX to your network by clicking on the respective 'Add vMX' button as seen below. 

The "Add vMX" button will deploy a vMX100 node (not supported in UCMC) and the remaining buttons will deploy a vMX node of the type specified. 

The below buttons (or a subset thereof) will only show up if vMX licenses of that type are added/available in the org:

Screen Shot 2020-11-30 at 3.37.47 PM.png

After you add the new vMX to your network, navigate to Security & SD-WAN > Monitor > Appliance status and select “Generate Authentication Token” to generate the token needed by the UCMC team in order to instantiate a vMX VM for this node.

Screen Shot 2020-11-30 at 3.42.03 PM.png

Copy the newly generated token and provide it to the UCMC team when requested.

The authentication token must be provided to the UCMC team and the vMX instance instantiated within one hour of generating it, otherwise a new token must be generated. 

Screen Shot 2020-11-30 at 3.43.42 PM.png

Next, follow the steps outlined in the One-Armed VPN Concentrator Deployment Guide to configure the vMX.

On the site-to-site VPN page, add the BGP configuration provided by UCMC in order to peer your vMX with the UCM Cloud and receive the routes to your UCM Cloud infrastructure.

vMX Troubleshooting

The most common problem encountered when deploying a vMX is getting it provisioned and online in their Meraki dashboard in the first place. Additional troubleshooting/diagnosis messages have been added to the vMX console so you can identify what went wrong during the provisioning process.  When the vMX is deployed in UCMC, only the UCMC support team will have access to the VM console to diagnose below issues.

When the vMX boots it will execute the following steps during its initial provisioning process:

  1. Connect to network
  2. Obtain user data (vMX auth token)
  3. Authenticate with dashboard (using auth token)
  4. Connect to dashboard

Connect to Network

When a vMX first connects to a network it will do so via DHCP unless a static IP configuration is provided in the user-data. Once a vMX connects to dashboard (step 4 above), a static IP can be applied, just as it can with any Meraki product.

NFVIS is the only platform that currently supports static network configuration via user data for the initial vMX provisioning process (pre-dashboard check-in). Public cloud environments, such as AWS, Azure, GCP, and Alicloud, rely on DHCP from their VPC.

Please see the cloud-init section above for providing static IP information via user-data. If static network addressing is provided via the Day0 Config, it will be displayed on the vMX console as well as seen below.

The following errors will be displayed on the vMX console if incorrect network configuration is provided.

Invalid IP Address

Screen Shot 2020-11-03 at 4.48.21 AM.png

Invalid Subnet Mask

Screen Shot 2020-11-03 at 4.48.45 AM.png

Invalid Default Gateway

Screen Shot 2020-11-03 at 4.48.57 AM.png

Invalid DNS

Screen Shot 2020-11-03 at 4.49.09 AM.png

Screen Shot 2020-11-03 at 4.49.21 AM.png

Obtain User Data and Authenticate to Dashboard

Once a vMX has successfully connected to a network, it will then attempt to obtain its user data (vMX auth token). There are different user data mechanisms in each platform that provide the token to the vMX.  In AWS, Azure, GCP, and Alicloud there are user-data fields in the VM configuration where this can be provided. In CSP we use the Day0 Config mechanism to get this token to the vMX.

Unlike the network configuration above, the token is not displayed on the console for security and usability reasons (the token is a very long string that is meaningless to anyone looking at it). If you see a token value on the console, it means that the token was not provided in the format "token <token>" (note that token should be lowercase).

Token Expired

vMX authorization tokens have a lifetime of one hour for security purposes. If you see the following message on your vMX console it means the token you provided is no longer valid. Please generate a new one in dashboard, update the Day0 Config, and restart your vMX. The vMX will attempt to authenticate against dashboard with the provided token three times, after which, the provisioning process stops and the "provisioning failed" message is displayed.

Screen Shot 2020-11-03 at 4.52.10 AM.png

Invalid Token

If the token provided is incorrect in any way the "invalid token" message is displayed on the console.

Screen Shot 2020-11-03 at 4.52.17 AM.png

Unable to Reach Meraki Dashboard

If the vMX is unable to reach dashboard on TCP port 7734, the initial provisioning phase will fail and an "Unable to reach Meraki Dashboard" message will be displayed on the console. Please refer to the document listing the correct ports/IPs that need to be opened for Meraki dashboard communication.

Screen Shot 2020-11-03 at 4.52.25 AM.png

No Add vMX Button

When navigating to Security & SD-WAN > Monitor > Appliance Status, if there is no "Add vMX" button, please ensure the following two conditions are met:

  1. You have available vMX licenses in your license pool.
  2. Your organization license status is not expiring in < 30 days (yellow warning at the top of the Organization > Configure > License Info page)

Please note that Meraki support does not troubleshoot UCMC-specific firewall rules and deployments.


  • Was this article helpful?