2 MXs on a Network

tonsai
Here to help


Hi,

I have a LAN where I would like to add an additional gateway to a private cloud and VPN to another peer in that private cloud.

We already have an MX64 on the network with an internet-facing IP. I'd like to add an extra gateway to face the private cloud. However, I have just discovered you cannot have two MXs on the same network.

Can anyone advise on options?

First MX64 (Internet facing)

Second MX64 (Cloud facing, handling private cloud traffic)

Thanks

25 Replies
alemabrahao
Kind of a big deal

You can create a transit VLAN on both MXs. On the first MX you can set a static route for the network of the private cloud, and on the second MX you can create a static route for your internal LANs.

Or something like that.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Are you suggesting something like this?

[attached image: tonsai_0-1676474400109.png]

I don't think you can logically add two MX gateways to the same network in the Meraki portal.

alemabrahao
Kind of a big deal

Not on the same network, you have to create separate networks. Something like this:

[attached image: alemabrahao_0-1676476466880.png]

Hi, thanks for your suggestion/diagram, however this will not work, as the second MX is connecting to the Internet and not the private cloud.

alemabrahao
Kind of a big deal

It's not a secondary, but the MX needs to have an internet connection. I will send a diagram for you.
Ryan_Miles
Meraki Employee

Just create another network for the second MX. Do you have a layer 3 device downstream from them that would have routes directing traffic to one MX or the other?

Ryan / Meraki Solutions Engineer

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.

Basically we want to swap the ASA5505 in this diagram:

[attached image: Diagram.png]

alemabrahao
Kind of a big deal

My suggestion is that the switch is the network gateway, and then on it you can create a default route pointing to the MX that will provide the internet connection, and another static route to the private cloud network pointing to the secondary MX IP as the next hop.
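Worked example of the switch-as-gateway design described above. This is added here for illustration and is not code from anyone in the thread or from Meraki. All addressing is constructed for the example (transit VLAN 10.250.0.0/29 with the switch at .1, MX1 at .2, MX2 at .3; user VLANs 192.168.10.0/24 and 192.168.20.0/24; private cloud 10.50.0.0/16); substitute your own. It models the route table the core switch would carry, the return routes both MXs need, a few sanity checks, and a longest-prefix-match lookup showing which MX a given destination is handed to:

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed addressing for the example only; none of it comes from the thread.
TRANSIT_VLAN = "10.250.0.0/29"     # transit VLAN shared by the switch, MX1 and MX2
CORE_SWITCH_IP = "10.250.0.1"      # L3 switch, default gateway for the user VLANs
MX1_TRANSIT_IP = "10.250.0.2"      # first MX64, internet facing
MX2_TRANSIT_IP = "10.250.0.3"      # second MX64, private-cloud facing
LOCAL_LANS = ["192.168.10.0/24", "192.168.20.0/24"]
PRIVATE_CLOUD = "10.50.0.0/16"     # only reachable through MX2's VPN


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: ipaddress.IPv4Address
    via: str   # label for the device behind the next hop


def route(prefix: str, next_hop: str, via: str) -> Route:
    """Parse a static route from its string form."""
    return Route(ipaddress.ip_network(prefix), ipaddress.ip_address(next_hop), via)


def core_switch_routes() -> List[Route]:
    """Static routes on the core switch: default to MX1, private cloud to MX2."""
    return [
        route("0.0.0.0/0", MX1_TRANSIT_IP, "MX1 internet"),
        route(PRIVATE_CLOUD, MX2_TRANSIT_IP, "MX2 private cloud"),
    ]


def mx_return_routes() -> List[Route]:
    """Routes each MX needs for the user VLANs behind the switch; without them
    replies from the internet or the private cloud have no path back."""
    return [route(lan, CORE_SWITCH_IP, "core switch") for lan in LOCAL_LANS]


def validate(routes: List[Route]) -> List[str]:
    """Sanity checks to run before committing the design. Returns a list of problems."""
    problems = []
    transit = ipaddress.ip_network(TRANSIT_VLAN)
    usable = set(transit.hosts())          # .1 to .6 in a /29
    for r in routes:
        if r.next_hop not in usable:
            problems.append(
                f"{r.prefix} -> {r.next_hop}: next hop is not a host on transit VLAN {transit}")
    cloud = ipaddress.ip_network(PRIVATE_CLOUD)
    for lan_s in LOCAL_LANS:
        lan = ipaddress.ip_network(lan_s)
        if lan.overlaps(cloud):
            problems.append(f"local LAN {lan} overlaps private cloud {cloud}; the static route would shadow it")
        if lan.overlaps(transit):
            problems.append(f"local LAN {lan} overlaps transit VLAN {transit}")
    return problems


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, the way the switch's forwarding table decides."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen, default=None)


def next_hop_for(dst: str) -> str:
    """Which device the core switch hands a packet for dst to."""
    r = lookup(core_switch_routes(), dst)
    return r.via if r else "no route"


if __name__ == "__main__":
    print("validation:", validate(core_switch_routes() + mx_return_routes()) or "ok")
    for dst in ("10.50.3.7", "8.8.8.8", "10.51.0.1"):
        print(f"{dst:>12} -> {next_hop_for(dst)}")
```

The validation step catches the mistake that is easy to make in this design: pointing the private-cloud route at the second MX's WAN-side address instead of its transit VLAN address, which the switch cannot reach. The return routes are the other half of the picture: each MX must know that the user VLANs sit behind the switch, or traffic goes out and never comes back.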

But you cannot have two Meraki MXs in a Meraki Network.

alemabrahao
Kind of a big deal

Man, just create a new network.

Thanks, and then how would the new Meraki network that has no Internet access (private cloud) route traffic to the other network that does have internet? I understand we can use routes, but physically what would be the best way to join them? Transit VLAN?

alemabrahao
Kind of a big deal

On the WAN port you can use a private IP and configure rules allowing communication with the Meraki dashboard; for the LAN you can use a transit VLAN and use static routes.

Thanks @Ryan_Miles . One small problem is that the private cloud WAN does not have any internet access for security reasons. Only access to the private cloud endpoints (a VPN server).

alemabrahao
Kind of a big deal

You need to configure a WAN port to communicate with the Meraki cloud. For it you can use a private IP, allowing just Meraki cloud communication.
tonsai
Here to help

The Meraki MX WAN sits with its interface facing the private cloud with a private IP so the WAN port cannot talk to the internet. There is no internet access in the private cloud.

alemabrahao
Kind of a big deal

So it will not work, because the MX needs to have communication with the Meraki cloud. Keep using the ASA.

Could the second MX send Meraki Cloud traffic to a transit VLAN like this?

[attached image: Basic Network Security Diagram.png]


alemabrahao
Kind of a big deal

Nope, the MX can only reach the Internet via the WAN interface.

tonsai
Here to help

I tried putting the second MX on the same LAN earlier and created a bunch of static routes for Meraki cloud servers and some of the dashboard worked for the device although it reported the WAN as offline as expected.

alemabrahao
Kind of a big deal

All Cisco Meraki appliances require a working internet connection for communication with the Meraki dashboard and cloud management.

The MX will use its WAN (Internet) interface to communicate with the Meraki dashboard and to run its connectivity tests to monitor the uplink status.

https://documentation.meraki.com/MX/Monitoring_and_Reporting/Appliance_Status/MX_Uplink_Settings
tonsai
Here to help

Disappointing, so Meraki MX cannot be used for any 'private cloud' facing connections. Official?

MariamT
Here to help

Hello,

I suggest that you create a new network in the dashboard just to add the new MX, and then connect both MXs to one switch. In the switch create 2 VLANs: one VLAN would be redirected to the old MX and the second to the new one. But for management purposes your new MX needs to have internet access, so try blocking everything on L3 rules except the Meraki flows.

alemabrahao
Kind of a big deal

@MariamT, this is what I suggested to him, but he said that it cannot have any internet access.
Sainot
Conversationalist

OK, we have a workaround: we have created a separate network for this appliance, enabled site2site VPN mesh mode and added an additional site2site VPN for the private cloud.

How do I force the traffic for the site2site 'Custom VPN' over the correct WAN interface, bearing in mind both WAN ports are enabled?

alemabrahao
Kind of a big deal

Well, I didn't suggest it before because you said that one of the MXs cannot have access to the internet, but OK.