Double NAT with High-Availability

New here

Double NAT with High-Availability

I don't see why logically this wouldn't work, but I was wondering if anyone knows for sure before we take the plunge and order the kit (2 x MX84 with a planned HA setup).


We have 2 Internet connections. 1 is an fibre Ethernet leased line service a /29 public subnet, and we have sufficient (2) unused IP addresses from the /29, which we can use up for a HA / warm-spare setup


The other is an ADSL / PPPoA connection with 1 dynamic IP address (and no realistic option to change this in the short term).


What we're thinking about for the ADSL / PPPoA connection, is (because we don't really care about inbound traffic / port forwarding from WAN to LAN):


PPPoA router WAN interface - gets dynamic public IP address from ISP

PPPoA LAN inteface (has a 4-port Ethernet switch built-in) - something like Connect "Internet 2" on each of my MX84 units to ports on this.


Each MX84 is statically assigned a private IP address from the (e.g. and and the virtual IP can be


Will that be enough for the HA connectivity to work?


Thanks for your help in advance.



4 Replies 4
Kind of a big deal

Your PPPoA router will be the single point of failure for the secondary connection but apart from that I don't see why that wouldn't work.


Test the failover though!

Kind of a big deal

Always and forever: test your failover before something dies on you.


If it works out, could you let us know? Thanks!

Getting noticed

As mentioned by others I don’t see why this wouldn’t work. You mentioned you have 2 available IP’s on wan1 for HA. You really need 3 to include the vrrp address. Not vital but best practice.



Kind of a big deal
Kind of a big deal

I have done this many times and it works fine.


I have even done this in DC deployments.  I tend to use NAT mode event for AutoVPN hubs.  I use the primary WAN ports plugged into the DC Internet circuit, and then the secondary WAN port into a seperate consumer grade Internet circuit (albeit I try to get the nicest consumer grade circuit I can).


When you eventually have a catastrpohic DC failure (and you will eventually, no matter no bullet proof the design is [ps. humans are the biggest danger]) it is very usefull being able to see if the DC MXs are still up, and to be able to do pings from them.


I have only had one customer actually use this DC approach in anger.  They have two geographically seperated DCs and had the improbable event of a partial power failure affecting both sites at the same time (a full power falure at one DC would have probably saved them, but alas not so lucky).  The power failure didn't take out everything but did take out their primary Internet feed across the two sites.  The actual compute farm and core switching remained up enough to be functional (although somewhat wounded).

In their case the remote AutoVPN sites failed over to the consumer Internet circuit and although they suffered a performance hit their core business application kept working allowing everyone else to run around like headless chickens trying to get their Internet presence back online (some exageration there).


So that extra $100 per month prevented the entire company company to a standstill.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.