Firewall Failover without HA

JohnLacey2912
Conversationalist


Hi All,

Having discovered (with your help) that OSPF on the MX95 only advertises VPN routes, I am looking at other options for site firewall resilience in case one or the other should fail. I believe it is the only single point of failure left in the network and could be fixed by adding a 2nd MX95 at each site and running 'warm spare' mode.

Have I missed anything? Is there a way to create a policy to track an upstream IP address and change route 'weight' if the upstream device goes offline, or any other way to achieve this? Currently each site has a static default route pointing to the local MX95, but no mechanism to route via the 2 x 10G links between the cores.

Many thanks in advance for any pointers,

Regards

John L.

[Attached image: Firewall Resilience v02.jpg]

1 Reply
alemabrahao
Kind of a big deal

Yes, the redundancy between the MXs is via Warm Spare.

If you are talking about SD-WAN specifically, you can create SD-WAN Policies to forward traffic to a specific WAN link.

https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/SD-WAN_and_Traffic_Shaping#Flow_pre...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.