
 

Cisco Meraki Documentation

vMX Setup Guide for KVM

Overview 

This document is a walkthrough for setting up a virtual MX (vMX) appliance on the KVM hypervisor. After completing the steps outlined in this document, you will have a virtual MX appliance running in KVM that serves as an Auto VPN termination point for your physical MX devices.

 

Meraki Dashboard Configuration 

The steps in this section will walk you through creating a new vMX network in your Dashboard Organization.  If needed, please refer to the guide on creating a new network in the Meraki dashboard. 

1. Add license(s) to the Meraki dashboard 

To complete the vMX Meraki dashboard configuration, a vMX license must be available for use in your organization. 

If your organization has already reached its vMX license limit, you will be unable to create new vMX networks until a vMX network is deleted or additional vMX licensing is added.

If you do not have access to a vMX license or require additional vMX licenses, please reach out to your Meraki reseller or sales representative. 

  

2. Create a "Security appliance" network type:  

  

 

 

  

  

 

3. Assign vMX type to network 

Once you have created the "Security appliance" network and added the appropriate license you will be able to deploy a new vMX to your network by clicking on the 'Add vMX' button. 

  

 

  

4. Generate the authentication token 

Before generating the token, please verify the firmware is configured for MX 26.1.2 or higher. If the vMX network firmware is set to anything below that, the upgrade will not occur. 

After you add the new vMX to your network, navigate to Security & SD-WAN > Monitor > Appliance status and select “Generate authentication token” to generate the token that will be provided to KVM as a CD-ROM in later steps.

NOTE: The Generate Authentication Token button is on the left pane, under CONFIG and above "Remove Appliance From Network".

  

5. Copy the newly generated token and save it for later.  

The newly generated token will be provided as a CD-ROM when deploying an instance.  

The authentication token must be entered into the instance and used to connect to the Dashboard within one hour of generating it, otherwise a new token must be generated.  

 

Obtaining the image 

The vMX image for KVM can be obtained via the Cisco Downloads site. The link below will take you there: https://software.cisco.com/download/beta/1970167152

 

Recommended vMX Sizing 

Below are the recommended resource allocations for each vMX. Please reference the MX Sizing guide if you have questions on which vMX is right for you.  

 

Model | Cores | Memory
VMX-S |       | 4 GB
VMX-M |       | 4 GB
VMX-L | 4+    | 8+ GB

 

NOTE: When the image is imported as a disk in the KVM environment, the command will auto-allocate the storage as follows:  

  • EFI: 6 GB 

The above allocation is fixed and cannot be changed.

Proxmox 

Proxmox Virtual Environment (VE) is a powerful, open-source platform that unites KVM-based virtual machines and lightweight containers within a single, web-based dashboard. By serving as a comprehensive management layer on top of Debian Linux, it streamlines the deployment, scaling, and monitoring of complex virtual infrastructures. 
 

Prerequisites

  • Proxmox version: v8.0.3 

  • Root access to the Proxmox VE 

 

Deploy to KVM Proxmox instance 

Below are the steps to deploy a vMX to KVM-based Proxmox.

Step 1: SCP the meraki_efi.qcow2 image to your Proxmox image store and create a new VM.

 

  

Step 2: On the OS configuration tab, select ‘Do not use any media for the OS disk.' 

 

 

  

Step 3: Under the System Settings tab, ensure the q35 machine is selected.  

Select the OVMF (UEFI) Firmware BIOS. Ensure the Add EFI disk option is selected. If enabling Secure Boot for the vMX, select “Pre-Enroll keys” and follow the instructions in the Secure Boot Configuration section. 

 

 


Optional Step: Enable the TPM (Trusted Platform Module) to enable secure storage.

NOTE: This can be done during or after deployment. The vMX will reboot once to encrypt the storage. The steps to enable TPM post deployment are included at the end of this section.

 

Step 4: Delete any disks present in the Disks section 

 

 

 

Step 5: Select the host CPU Type in the CPU section and make your selection for the number of Cores. On the Memory and Network sections make selections relevant to your deployment and environment configuration. 

 

Step 6: Convert the qcow2 image you moved to the Proxmox server to a raw disk, import the disk image, attach it as ide0, and set it as the boot device. 

$ qemu-img convert -f qcow2 -O raw $qcow2_upload_path $disk_img_path 

$ qm disk import $VMID $disk_img_path local-lvm 

# The import reports an unused0:local-lvm:disk-identifier entry; use that identifier in the next step.

$ qm set $VMID --ide0 local-lvm:vm-$VMID-disk-$DISKID 

$ qm set $VMID --boot order=ide0 

  

WARNING: The disk has to be imported as IDE0 or it will fail.

 

# A real example 

$ qemu-img convert -f qcow2 -O raw /var/lib/vz/template/iso/ra/meraki.qcow2 /var/lib/vz/template/iso/ra/meraki.img 

$ qm disk import 502 /var/lib/vz/template/iso/ra/meraki.img local-lvm 

$ qm set 502 --ide0 local-lvm:vm-502-disk-1 

$ qm set 502 --boot order=ide0 

 

Step 7: Finally, a Dashboard auth-token has to be provided as a CD-ROM. 

$ echo "token $TOKEN" > /tmp/user-data 

$ mkisofs -output /var/lib/vz/template/iso/token.iso -volid cidata -joliet -rock /tmp/user-data 

$ qm set $VMID --ide2 media=cdrom,file=/var/lib/vz/template/iso/token.iso 
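
An added example, not part of the Meraki guide: the same Step 7 commands wrapped so the token is written to a private temporary directory with owner-only permissions, and the plaintext copy is deleted once the ISO is attached. The function names, the ISO_PATH variable and the token whitespace check are assumptions of this example; the mkisofs and qm invocations are the ones shown above.

```shell
#!/bin/sh
# Added example, not Meraki's script. Function names are hypothetical.
# Stages the Step 7 token ISO without leaving the token readable in /tmp.
ISO_PATH="${ISO_PATH:-/var/lib/vz/template/iso/token.iso}"  # path used in Step 7

# Accept only a numeric VM ID before handing it to qm.
valid_vmid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Write "token <value>" to <dir>/user-data, readable by the owner only.
write_user_data() {
    token="$1"; dir="$2"
    # Assumption: the token is a single word with no whitespace.
    case "$token" in
        ''|*[[:space:]]*) echo "refusing empty or multi-word token" >&2; return 1 ;;
    esac
    ( umask 077 && printf 'token %s\n' "$token" > "$dir/user-data" )
}

# Build the cidata ISO, attach it as ide2, then delete the plaintext copy.
stage_token_iso() {
    vmid="$1"; token="$2"
    valid_vmid "$vmid" || { echo "bad VMID: $vmid" >&2; return 1; }
    workdir="$(mktemp -d)" || return 1   # mktemp -d creates a 0700 directory
    if write_user_data "$token" "$workdir" &&
       mkisofs -output "$ISO_PATH" -volid cidata -joliet -rock "$workdir/user-data" &&
       qm set "$vmid" --ide2 "media=cdrom,file=$ISO_PATH"; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$workdir"   # remove the plaintext copy; the ISO still contains the token
    return "$rc"
}

# Runs only when both values are supplied in the environment, e.g.
#   VMID=502 TOKEN="$token_read_from_prompt" sh stage-token.sh
if [ -n "${VMID:-}" ] && [ -n "${TOKEN:-}" ]; then
    stage_token_iso "$VMID" "$TOKEN"
fi
```

The ISO at ISO_PATH still holds the token after this runs, so treat that file with the same care as the token itself.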

Note: If Secure Storage is required, please proceed to the next steps.  

 

Adding TPM state to an existing instance 

This step is needed to enable Secure Storage on a deployed instance.  

Please note that enabling TPM on a running vMX will cause the instance to reboot.

 

Step 1: Choose the local-lvm as the TPM location. 

 

 

Step 2: Start the instance.  

The vMX will then connect to Dashboard and show online status. This will take around 5 minutes.  

 

Secure Boot Configuration 

The following steps walk through how to enable Secure Boot on your Proxmox vMX.  

Open the console to the vMX, power on the instance, and hit the ESC key to enter the BIOS menu. 

 

Select the ‘Device Manager’ option. 

 

Navigate to the ‘Secure Boot Configuration’ menu, and enter the ‘Custom Mode’. 

 

Select ‘Custom Secure Boot Options’ and navigate through to the ‘DB Options’ and ‘Enroll Signatures’ selection.

Select ‘Enroll Signature Using File’ and navigate to MERAKI_BOOT/EFI/BOOT/ and select the BOOTX64.efi file. Select ‘Commit Changes and Exit’. 

 

 

Return to the Boot Menu and select ‘Continue’ to perform Secure Boot of the vMX. 

 

 
