Meraki

Community

MX HA System - Dual ISP no VIP

mcnallymdj
New here
‎Nov 6 2023 5:03 AM
‎Nov 6 2023 5:03 AM

MX HA System - Dual ISP no VIP

 Wandering if anyone done this before

 

Would have two MX Appliances as Warm Standby in Router Mode.

 

ISP1 would be plugged into Active

ISP2 would be plugged into Standby

 

No switch on the WAN side so ISP straight into the MX WAN Port effectively making them CPE kit talking to the ISP.

 

Obviously would have to use the Use MX uplink IPs option as no VIP would be possible.

 

Would then have VPN Concentrator at Main Location.

 

Would then like to establish VPN from the Location with the MX Appliances to the Concentrator.

 

This would then establish from each ISP link separately?  In terms of failover then would this keep the client to server connection open with this VPN Failover? or would that really be App dependent.

Labels:
0 Kudos
6 Replies 6
alemabrahao
Kind of a big deal
Kind of a big deal
‎Nov 6 2023 5:16 AM
‎Nov 6 2023 5:16 AM

I don't quite understand your question, but I would consider taking a look at the best practices guide.

 

https://documentation.meraki.com/Architectures_and_Best_Practices/Cisco_Meraki_Best_Practice_Design/...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
mcnallymdj
New here
‎Nov 6 2023 5:52 AM
‎Nov 6 2023 5:52 AM

What looking for isn't in there.

 

Will try and explain again what looking for

 

MX1 - 1 ISP Connection    Public_IP_Block_A eg 40.40.40.40/31

MX2 - 1 ISP Connection    Public_IP_Block_B eg 50.50.50.50/31

 

The ISP Connections are separate WAN Connections so no external switch and VRRP etc on the WAN Side and the Connection terminated on each MX Appliance.

 

MX2 is a Warm Standby for MX1

 

Then use the SDWAN functionality to build VPN from the MX to a VPN Concentrator.

 

The VPN would initially be seen from 40.40.40.40 as that is ISP1

However if there was a failover to the Warm Standby then would be seen from 50.50.50.50 as would now be on the ISP2.

 

Solved: Dual redundant mx devices but with separate ISP on each WAN 1 port - The Meraki Community

 

Was a similar topology however was not doing any of the SD-WAN functionality or VPN.     I know from other vendors that can do a straight firewall topology like this however the VPN doesn't work in that topology so don't want to presume that this would work with the VPN properly either in Meraki.

0 Kudos
In response to mcnallymdj
alemabrahao
Kind of a big deal
Kind of a big deal
‎Nov 6 2023 5:56 AM
‎Nov 6 2023 5:56 AM

Auto-VPN is ISP independent (which is one of the biggest advantages of SD-WAN), so yes the tunnel will continue to work. Now if you have a non-Meraki VPN (S2S VPN with third parties) you will need to have a tunnel with each of the MXs.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to mcnallymdj
zahid7251
New here
‎Nov 6 2023 11:20 AM
‎Nov 6 2023 11:20 AM

I tested this with MX250 in 2018 and if I recall it did not work. It was on a very different code from 18.107.x currently being used. Meraki did not have Active/Active tunnels on ISP1 and ISP2 back then. 

This was in a lab and shut down the uplink switch port that was ‘ISP-1’ on MX-A. SD-WAN traffic stopped. I had to failover MX in the dashboard, and then tunnels connected on MX-B. I don’t recall if the Internet kept working.

0 Kudos
GIdenJoe
Kind of a big deal
Kind of a big deal
‎Nov 6 2023 10:30 AM
‎Nov 6 2023 10:30 AM

It isn't best practice but it would work for SD-WAN traffic and outbound traffic.
Port forwarding is problematic since you have a completely different IP subnet on your secondary so in a device failure scenario those won't work.
It would be better if you could stretch both ISP's to both datarooms and having a /29 subnet or a private NAT'ed subnet.

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Nov 6 2023 11:21 AM
‎Nov 6 2023 11:21 AM

That will work fine.

 

>This would then establish from each ISP link separately? 

 

No.  In this configuration they would only connect to the primary MX unless it failed, and then they would connect to the standby MX.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2025 Cisco Systems, Inc.