Best procedure to follow while implementing HA of MX 250 devices

RajaSekhar
Here to help


Hello. Greetings.

 

We wish to configure HA for the MX 250 appliance at our network perimeter.

This device is configured as a HUB in the Meraki ORG.

We have another MX 250 ready to build HA.

Around 300 Client VPN users connect to the MX 250 (HUB) to access servers at the DC.

The site-to-site VPNs (using MX devices) are configured and connected through SD-WAN.

Presently we have only one public WAN IP (configured on the WAN port of the primary MX 250).

We obtained another /29 pool of public WAN IPs, so that both MX 250s can have a new WAN IP and a VIP after these configuration changes.

Client VPNs can be configured using the VIP after this config change.

Can any of you suggest a best practice to follow to implement the above with minimal impact to the users?

 

Thanks in advance.

rhbirkelund
Kind of a big deal

I would probably try going through these steps:

 

  • Migrate the working (Master to be) MX to the new /29 pool and ensure that works
  • Add the (offline!) slave MX to the dashboard and configure it as slave
  • Connect the slave MX WAN
  • Power up the slave MX
  • Ensure the slave MX has cloud connectivity
  • Make sure the slave MX is updated and its configuration is synced. It will probably reboot a couple of times.
    • You'll also notice that it will go into Dual Master mode. This is expected, since there is no LAN connectivity as of yet.
  • Mirror the LAN connections on the slave MX.
  • Configure the Virtual IP
  • Migrate all Client VPNs towards the Virtual IP.

 

LinkedIn ::: https://blog.rhbirkelund.dk/

Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂

All code examples are provided as is. Responsibility for code execution is solely your own.
RajaSekhar
Here to help

Thank you for the logical and doable inputs.

I am interested in knowing how we can minimize the 'Client VPN migration' time, as the users are spread out geographically.

rhbirkelund
Kind of a big deal

Your Client VPNs should still work whether they are pointing to the Master MX IP or the Virtual IP. The Client VPNs would fail if the master MX fails and failover occurs, if they are still pointing to the master.
