MX - Asymmetric HA WAN Configuration

JLHG
Conversationalist

I'm trying to plan out an HA MX deployment. We have 2 ISP connections. Our primary has 3+ static IPs for virtual IP mode. The secondary only has one static IP.

 

Can I configure the primary with a virtual IP on both MXs, and then configure the secondary with the same IP on both?

 

If that won't work, can I configure the primary in virtual IP mode and then configure the secondary ISP only on the primary MX?

 

Thanks!

PhilipDAth
Kind of a big deal

>and then configure the secondary with the same IP on both?

 

No.  Well, I guess you could as long as you only plug in one at a time.  But generally, no.

 

Let's take a step back - do you even need to use virtual IP mode?  Because if the answer is no, things get simpler.

I probably use virtual IP mode on only 10% of deployments.

 

Virtual IP mode:

* Can make AutoVPN fail over a little bit faster.

* Makes client VPN failover a little bit faster.

* Is a must for third-party site-to-site VPN connections where you need HA.

* It makes all outbound web browsing appear to always come from a single IP address, rather than two IP addresses.

 

Is any of the above "a must" for you?

JLHG
Conversationalist

We will need HA site to site VPN in place at least in the short term. May eventually switch to an Azure vMX instead. Not sure if that alleviates the need for vIP.

 

You say it might work if I only have one plugged in at a time. Would that be the case for both ISPs or could I just have the backup connected to the primary MX like below and configure vIP on the primary ISP?
2024-12-17 10_56_39-Clipboard.png

 

That would mean the primary MX and the primary ISP would have to both fail for an outage to occur. That's acceptable for us if this could work.

PhilipDAth
Kind of a big deal

That approach used to work (I have used it many times).  The GUI has been stricter about requiring both WAN interfaces to have a VIP, or neither of them having it.

 

I would try it in this order:
Configure only WAN1, and enable VIP.

Now configure WAN2.

 

I expect that will bring it online, and everything will work fine, but you won't be able to go back and change the VIP configuration once WAN2 is configured.

jimmyt234
Building a reputation

Definitely do it this way, otherwise you need to faff around and disable WAN 2 on the Spare, strip out WAN 2 credentials from the Primary, reboot, turn around and touch your toes, hop on one leg 3 times and then it will let you add in the VIP on WAN 1 again. 🤣
