2 MXs on a Network
Hi,
I have a LAN where I would like to add an additional gateway to a private cloud and VPN to another peer in that private cloud.
We already have an MX64 on the network with an internet facing IP. I'd like to add an extra gateway to face the private cloud. However, I have just discovered you cannot have two MXs on the same network.
Can anyone advise on options?
First MX64 (Internet Facing)
Second MX64 (Cloud facing handling private cloud traffic)
Thanks
You can create a transit VLAN on both MXs, and on the first MX you can set a static route for the network of the private cloud; on the second MX you can create a static route for your internal LANs.
Or something like that.
Please, if this post was useful, leave your kudos and mark it as solved.
Are you suggesting something like this?
I don't think you can logically add two MX gateways to the same network in the Meraki portal.
Not on the same network, you have to create separate networks. Something like this:
Please, if this post was useful, leave your kudos and mark it as solved.
Hi, thanks for your suggestion/diagram, however this will not work as the second MX is connecting to the Internet and not the private cloud.
It's not a secondary, but the MX needs to have an internet connection. I will send a diagram for you.
Please, if this post was useful, leave your kudos and mark it as solved.
Just create another network for the second MX. Do you have a layer 3 device downstream from them that would have routes directing traffic to one MX or the other?
Basically we want to swap the ASA5505 in this diagram
My suggestion is that the switch is the network gateway, and then on it you can create a default route pointing to the MX that will provide the internet connection, and another static route to the private cloud network pointing to the secondary MX IP as next hop.
Please, if this post was useful, leave your kudos and mark it as solved.
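The routing suggested in the posts above (switch as gateway with a default route to the internet MX and a static route for the private cloud to the second MX, plus a return route for the internal LANs on each MX), modelled as an added example that is not part of the thread. All addresses and device names are constructed assumptions.

```python
import ipaddress

# Constructed addressing (assumptions, not from the thread):
#   transit VLAN 10.255.0.0/29: switch .1, internet MX .2, cloud MX .3
#   internal LANs 10.10.0.0/16, private cloud 172.20.0.0/16
SWITCH = "10.255.0.1"
INTERNET_MX = "10.255.0.2"
CLOUD_MX = "10.255.0.3"

ROUTES = {
    "switch": [
        ("0.0.0.0/0", INTERNET_MX),     # default route -> internet-facing MX
        ("172.20.0.0/16", CLOUD_MX),    # private cloud -> second MX
        ("10.10.0.0/16", "connected"),  # internal VLANs routed on the switch
    ],
    "internet_mx": [
        ("0.0.0.0/0", "wan"),
        ("10.10.0.0/16", SWITCH),       # return route to internal LANs
    ],
    "cloud_mx": [
        ("0.0.0.0/0", "wan"),
        ("10.10.0.0/16", SWITCH),       # return route to internal LANs
    ],
}


def next_hop(device, dst):
    """Longest-prefix match of dst against the device's table; None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in ROUTES[device]:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def missing_return_route(client, destinations):
    """Destinations whose forwarding MX would not send replies back via the switch."""
    mx_by_ip = {INTERNET_MX: "internet_mx", CLOUD_MX: "cloud_mx"}
    broken = []
    for dst in destinations:
        mx = mx_by_ip.get(next_hop("switch", dst))
        if mx is None or next_hop(mx, client) != SWITCH:
            broken.append(dst)
    return broken
```

If the static route for the internal LANs is left off an MX, `missing_return_route` reports the destinations behind it, because that MX would send replies out its WAN instead of back over the transit VLAN.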
But you cannot have two Meraki MXs in a Meraki Network.
Man, just create a new network.
Please, if this post was useful, leave your kudos and mark it as solved.
Thanks, and then how would the new Meraki network that has no Internet access (private cloud) route traffic to the other network that does have internet? I understand we can use routes, but physically what would be the best way to join them? Transit VLAN?
On the WAN port you can use a private IP and configure rules allowing communication with the Meraki dashboard; for the LAN you can use a transit VLAN and use static routes.
Please, if this post was useful, leave your kudos and mark it as solved.
Thanks @Ryan_Miles. One small problem is that the private cloud WAN does not have any internet access for security reasons. Only access to the private cloud endpoints (a VPN server).
You need to configure a WAN port to communicate with the Meraki cloud. For it you can use a private IP allowing just Meraki cloud communication.
Please, if this post was useful, leave your kudos and mark it as solved.
The Meraki MX WAN sits with its interface facing the private cloud with a private IP so the WAN port cannot talk to the internet. There is no internet access in the private cloud.
So, it will not work, because the MX needs to have communication with the Meraki cloud. Keep using the ASA.
Please, if this post was useful, leave your kudos and mark it as solved.
Could the second MX send Meraki Cloud traffic to a transit VLAN like this?
Nope, the MX can only reach the Internet via the WAN interface.
Please, if this post was useful, leave your kudos and mark it as solved.
I tried putting the second MX on the same LAN earlier and created a bunch of static routes for Meraki cloud servers and some of the dashboard worked for the device although it reported the WAN as offline as expected.
All Cisco Meraki appliances require a working internet connection for communication with the Meraki dashboard and cloud management.
The MX will use its WAN (Internet) interface to communicate with the Meraki dashboard and to run its connectivity tests to monitor the uplink status.
https://documentation.meraki.com/MX/Monitoring_and_Reporting/Appliance_Status/MX_Uplink_Settings
Please, if this post was useful, leave your kudos and mark it as solved.
Disappointing, so Meraki MX cannot be used for any 'private cloud' facing connections. Official?
Hello,
I suggest that you create a new network in the dashboard just to add the new MX, and then connect both MXs to one switch, and in the switch create 2 VLANs; one VLAN would be redirected to the old MX and the second to the new one. But for management purposes your new MX needs to have internet access, so try blocking everything on L3 rules except the Meraki flows.
@MariamT, this is what I suggested to him, but he said that it cannot have any internet access.
Please, if this post was useful, leave your kudos and mark it as solved.
OK, we have a workaround: we have created a separate network for this appliance, enabled site2site VPN Mesh mode and added an additional site2site VPN for the private cloud.
How do I force the traffic for the site2site 'Custom VPN' VPN over the correct WAN interface, bearing in mind both WAN ports are enabled?
Well, I didn't suggest it before because you said that one of the MXs cannot have access to the internet, but OK.
Please, if this post was useful, leave your kudos and mark it as solved.