I would like to set up MX84 Firewall HA in one-armed concentrator mode, and at this point I'm very confused by the provided documentation. I hope you guys can help me.
Is it possible to use the private IP range for VRRP instead of public? To send traffic over the VPN tunnel, a new route must be added on the L3 switch. Does this mean I have to create a static route to the public VRRP address?
Hello @Azamat, do the primary and the spare MXs have public IPs directly assigned to them on the WAN interface? If so, you need to use a public IP in the same subnet as the uplink IPs for the virtual IP. If you are using private IPs as WAN IPs for the MXs, then you can use a private IP in the same subnet as the WAN IPs as a virtual IP.
Regarding the static route, it needs to be created on the upstream core switch, pointing towards the virtual IP; it can be public or private depending on what you are using.
Let me know if you have any questions.
If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it.
Hi @Raj66, thanks for the help. Yes, the MXs have public IPs and I successfully configured VRRP. I have another issue, however: I've created a static route on the upstream L3 switch to the VRRP virtual IP, but the route is not showing up in the routing table, although I can see it in the configuration, hence I'm not able to reach the branch offices. What could be the problem? IP routing is enabled on the switch and I'm able to route between my VLANs. The model is Cisco 9500.
Chances are there is already a route in the routing table with a lower cost/AD to the destination, therefore it will use that by default. Check to see if you have a default route or a direct connect. I use OSPF with our one-armed concentrator and it works very well. Something to think about, as it's much easier to scale.
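
The diagnosis in the last reply, as an added example that is not part of the thread: a simplified Python model of how a router chooses which configured routes enter its routing table by administrative distance. It goes beyond the thread by also covering a second cause, a next hop that does not resolve through any installed route. All addresses, prefixes and names are constructed, and the model ignores equal-cost paths and next hops learned from dynamic protocols.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Default administrative distances on Cisco IOS XE (lower wins).
AD = {"connected": 0, "static": 1, "ospf": 110}

@dataclass(frozen=True)
class Route:
    prefix: str                      # destination network
    source: str                      # key into AD
    next_hop: Optional[str] = None   # None for connected routes

def lookup(rib, address):
    """Longest-prefix match of an address against the installed routes."""
    ip = ipaddress.ip_address(address)
    matches = [net for net in rib if ip in net]
    return rib[max(matches, key=lambda n: n.prefixlen)] if matches else None

def build_rib(candidates):
    """Simplified model: install routes in AD order; return (rib, rejected)."""
    rib, rejected = {}, {}
    for r in sorted(candidates, key=lambda r: AD[r.source]):
        net = ipaddress.ip_network(r.prefix)
        if r.next_hop and lookup(rib, r.next_hop) is None:
            rejected[r] = "next hop unresolved"
        elif net in rib:
            rejected[r] = f"lower-AD {rib[net].source} route holds {net}"
        else:
            rib[net] = r
    return rib, rejected

# Constructed sample: a branch subnet reached through the MX virtual IP.
VIP = "203.0.113.10"                               # documentation range
STATIC = Route("192.168.50.0/24", "static", VIP)   # the configured route
UPLINK = Route("203.0.113.0/28", "connected")      # VLAN facing the MXs
OVERLAP = Route("192.168.50.0/24", "connected")    # same prefix on an SVI

def diagnose(candidates, route=STATIC):
    """Say whether `route` was installed, or why it was left out."""
    rib, rejected = build_rib(candidates)
    return rejected.get(route, "installed")

if __name__ == "__main__":
    print(diagnose([UPLINK, STATIC]))            # healthy case
    print(diagnose([UPLINK, OVERLAP, STATIC]))   # pre-empted by lower AD
    print(diagnose([STATIC]))                    # VIP subnet not connected
```

In both rejected cases the static route is still present in the configuration, which matches the symptom described in the question.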