MX-84 HA One-Armed Concentrator

Azamat
Comes here often

MX-84 HA One-Armed Concentrator

Hi everyone, 

 

I would like to setup MX84 Firewall HA in one-armed concentrator mode and at this point, I'm very confused with provided documentation, and I hope you guys can help me.

Is it possible to use the private IP range for VRRP instead of public? To send traffic over the VPN tunnel, a new route must be added on the L3 switch. Does this mean I have to create a static route to the public VRRP address?

Here is my topology : topologgy.PNG

Thanks

4 REPLIES 4
ww
Kind of a big deal
Kind of a big deal

you can use private adresses. it just need to be able to connect to the meraki cloud.

 

apendix1 https://documentation.meraki.com/MX/Deployment_Guides/VPN_Concentrator_Deployment_Guide

 

you could also use bgp for exchanging routes in your dc

Raj66
Meraki Employee
Meraki Employee

Hello @Azamat, Does the primary and the spare MXs have public IPs directly assigned to them on the WAN interface? If so, you need to use a public IP in the same subnet as the uplink IPs for the virtual IP. If you are using private IPs as WAN IPs for the MXs then you can use a private IP in the same subnet as the WAN IPs as a virtual IP.

 

Regarding the static route, the static route needs to be created on the upstream core switch pointing towards the Virtual IP it can be public or private depending on what you are using.

 

Let me know if you have any questions.

 

Cheers!

 

Raj

If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it
Azamat
Comes here often

Hi, @Raj66  thanks for the help. Yes, MXs have a public IPs and I successfully configured VRRP. I have another issue, however, I've created a static route on upstream L3 switch to VRRP virtual IP, but the route is not showing up in a routing table, but I can see it in the configuration, hence I'm not able to reach the branch offices. What could be the problem? IP routing is enabled on a switch and I'm able to route between, my VLANs. The model is Cisco 9500. 

Thanks!

Chilly
Comes here often

Hi, @Azamat 

 

Chances are there is already a route in the routing table with a lower cost/AD to the destination, therefore it will use that by default. Check to see if you have a default route or a direct connect. I use OSPF with our one armed concentrator and it works very well. Something to think about as it's much easier to scale.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels