Planning Your Cisco MVE Deployment

This topic provides an overview of the provisioning process and describes deployment considerations for the Megaport Virtual Edge (MVE).

Appliance modes

Cisco MVE offers these appliance modes, each tailored to different deployment needs. Selecting the appropriate mode determines how you configure, manage, and use your Cisco MVE.

Autonomous Mode – Supports Cisco IOS XE non-SD-WAN deployment for traditional routing without SD-WAN functionality. This mode provides access to the full Cisco IOS XE software features and technologies. For more information, see Creating a Cisco MVE in Autonomous Mode.
Tip

To learn more about Cisco Catalyst Edge software, see:
- Cisco Catalyst 8000V Edge Software Data Sheet
- Cisco Catalyst 8000V Edge Software Installation And Configuration Guide
SD-WAN Mode (vManage) – Supports the Cisco SD-WAN solution. This mode uses the existing SD-WAN functionality with no changes. To operate with Cisco SD-WAN, a new MVE must be provisioned in SD-WAN mode. For more information, see Creating a Cisco SD-WAN MVE in vManage.
Cisco Meraki Mode – Enables a cloud-managed SD-WAN deployment, managed through the Cisco Meraki platform. This mode is ideal for users preferring a simplified, cloud-based SD-WAN solution for branch connectivity. Requires a Cisco Meraki authorization token for configuration. For more information, see Creating an MVE with Cisco Meraki.
Cisco Secure Firewall Threat Defense Virtual (FTDv) Mode – Provides integrated security with Cisco FTDv for customers needing firewall protection as part of their deployment. It is configured through Cisco FMC, with a focus on consistent security policies across network environments. For more information, see Creating an MVE with Cisco Secure Firewall Threat Defense Virtual.

Appliance Mode	Features
Autonomous	Includes full Cisco IOS XE functionality for routing Configured through the Megaport Portal or API User provides an SSH key to access the router Does not require SD-WAN
SD-WAN	Supports Cisco IOS XE SD-WAN, including Cisco Meraki SD-WAN integration Configured via Cisco vManage User provides a cloud-init file, generated by vManage and uploaded through Megaport Portal or API
Cisco Meraki	Cloud-managed SD-WAN for simplified deployment Integrates with Megaport MVE for multi-branch scalability Requires Cisco Meraki authorization token
Secure Firewall Threat Defense Virtual (FTDv)	Provides comprehensive firewall protection Integrated with Cisco Secure Firewall Threat Defense Virtual Requires FMC registration key for licensing

Important

You select the appliance mode when you configure the MVE. After selecting a mode and deploying the MVE, you cannot change the appliance mode.

Deployment considerations

This section provides an overview of the MVE deployment options and features.

SD-WAN vendors

Cisco offers a range of solutions for MVE, providing both advanced routing capabilities and robust security options. Depending on your needs, you can deploy a Cisco MVE C8000V for routing and SD-WAN functionalities, use Cisco Meraki for cloud-managed SD-WAN with simplified management, or use Cisco Secure Firewall Threat Defense Virtual to ensure consistent security policies across various environments.

For information about all supported NFVsThe MVE is an on-demand, vendor-neutral Network Function Virtualization (NFV) platform that provides virtual infrastructure for network services at the edge of Megaport’s global software-defined network (SDN). Network technologies such as SD-WAN and NGFW are hosted directly on Megaport’s global network via Megaport Virtual Edge.
on the MVE platform, see the Megaport Virtual Edge (MVE) product page.

MVE locations

For a list of global locations where you can connect to an MVE, see Megaport Virtual Edge Locations.

Sizing your MVE instance

The instance size determines the MVE capabilities, such as how many concurrent connections it can support.

When choosing an MVE instance size, keep in mind these items:

Any increase on the network data stream load can degrade performance. For example, establishing secure tunnels with IPsec, adding traffic path steering, or using deep packet inspection (DPI) can affect the maximum throughput speed.
Future plans to scale the network.

To check which MVE instance sizes are available for your deployment, use the Megaport Portal during the MVE setup process. Instance size availability depends on both the selected vendor and the deployment location, and might vary accordingly. The Megaport Portal displays the sizes that are available for your selected vendor and location.

To check the MVE instance sizes in the Megaport Portal

In the Megaport Portal, go to the Services page.
Click Create MVE.
Select the relevant Cisco product.
Select the software version.
Click Next.
Select an MVE location.

Select a location geographically close to your target branch and/or on-premises locations.

You can use the Search field to find the Port name, Country, Metro City, or address of your destination Port. You can also filter by diversity zone.
A list of available instance sizes appear based on the selected location. Available sizes are highlighted in green and labeled Available. The sizes support varying numbers of concurrent connections, and individual partner product metrics vary slightly.

Note

If the MVE size you want is not in the list, then there is not enough capacity at the selected location. You can either select another location with enough capacity or contact your Account Manager to discuss requirements.

What if I need more MVE capacity in the future?

To increase your MVE capacity, you have these options:

You can provision another MVE instance, add it to your SD-WAN overlay network, and split the workload between the two MVEs.
You can provision a larger MVE instance, add it to your SD-WAN overlay network, migrate connections from the old MVE to the new larger MVE, and then retire the old MVE.

You can adjust the Megaport Internet bandwidth at any time without having to tear down the virtual machine.

Security

MVE provides secure capacity to and from your internet-enabled branch locations, to any endpoint or service provider on the Megaport SDN. CSP-hosted instances of partner SD-WAN products route critical traffic across the Megaport SDN, reducing internet dependence. Traffic remains encrypted and under your policy control while traveling across the Megaport SDN, to or from, MVE.

Licensing

Cisco C8000 licensing

You bring your own Cisco Interconnect Gateway (Cisco Catalyst 8000V Edge Software) Smart License for Cisco for use with MVE.

The Catalyst 8000V license is part of Cisco DNA and is based on bandwidth tiers. New customers need a Catalyst 8000v license with Tier 2 bandwidth (DNA-C8KV-T2-A-SDCI) for small and medium MVE instances, or a Catalyst 8000V license with Tier 3 bandwidth (DNA-C8KV-T3-A-SDCI) for large MVE instances.

If you already have Catalyst 8000V licenses and subscriptions, MVE requires Cisco DNA Premier or Cisco DNA Advantage subscriptions and Tier 2 (for small and medium instances) or Tier 3 (for large instances) bandwidth.

You can order the solution through Cisco partners, who can order all components through Cisco Commerce Workspace (CCW). For more information, discuss licensing with your Account Manager and see the Cisco Catalyst 8000V Edge Software Ordering Guide.

Cisco Meraki licensing

For Cisco Meraki you need to create a valid authorization token in the Cisco Meraki SD-WAN portal. For more information, discuss licensing with your Account Manager and see the Cisco Secure Access Meraki SD-WAN Configuration Guide.

Cisco Secure Firewall Threat Defense Virtual licensing

For Cisco Secure Firewall Threat Defense Virtual, you need an FMC Registration Key from the Cisco Portal.

VLAN tagging

Megaport uses Q-in-Q802.1Q tunneling (also known as Q-in-Q or 802.1ad) is a technique used by OSI Layer 2 providers for customers. 802.1ad provides for both an inner and an outer tag whereby the outer (sometimes called S-tag for service provider) can be removed to expose the inner (C-tag or customer) tags that segment the data.
to differentiate VXCs and MVEs on a host hardware system. The tenant MVE receives untagged traffic for the internet-facing link, and single-tagged 802.1Q traffic for VXCs toward other destinations on the Megaport network (such as CSP on-ramps or other MVEs). For more information, see Configuring Q-in-Q.

Cisco Meraki VLAN tagging

Since Cisco Meraki does not support VLAN tagging, set the Preferred A-End VLAN to Untag to ensure proper connectivity. For more information, see Creating an MVE with Cisco Meraki.

vNICs

Each MVE can have up to five vNICs. An MVE is created with one vNIC by default. You can add up to four more, making a total of five.

Each MVE for Cisco Secure Firewall Threat Defense Virtual is configured with four vNICs by default. The vNICs are:

0: Management
1: Diagnostic
2: Data1
3: Data2

Each MVE for Cisco Meraki is configured with two vNICs by default. The vNICs are:

0: WAN
1: LAN

Before specifying the number of vNICs on your MVE:

Be aware that the number of vNICs cannot be changed after an MVE has been ordered. Decide in advance how many vNICs to specify when you create the MVE.
Consult your service provider to make sure that functionality won’t be affected if you add a vNIC.

Note

If you need to change the number of vNICs after an MVE has been ordered, you will have to cancel and re-order the MVE.

For more information, see Types of vNIC Connections.