Meraki

Community

MX - Migrating WAN Public IP Addresses

Solved
JPScolar
Here to help
‎Apr 3 2025 7:02 AM
‎Apr 3 2025 7:02 AM

MX - Migrating WAN Public IP Addresses

Hello,

I'm upgrading connectivity for a group of MXs which already have  Public IP addresses. The new Internet connectivity for each MX is from a different ISP, so  I will have to change the  public IP Address.

 

Any advise or recommendation on how to ease this transition?  I heard Dual-Homing may help but I'm not sure how this works.

 

All comments are much welcome. 

Juan-Carlos Perez
Labels:
0 Kudos
1 Accepted Solution
In response to JPScolar
Mloraditch
Kind of a big deal
Kind of a big deal
‎Apr 3 2025 1:24 PM
‎Apr 3 2025 1:24 PM

If we are talking about third party VPNs that's really a question for those providers as to what they can accommodate schedule wise. Even if you are able to bring up the new ISP on the secondary WAN port, third party VPNs only originate from the designated primary uplink (can be either the primary or secondary wan port) of the primary MX. They will all need to be changed at the same time or as close as possible.

For anything NAT'd you can define a new NAT/FW Rule on the secondary WAN and just have the vendor point to the new ip at a convenient time. Both WANs will work simultaneously.

For a website where you have a public ip lock, i.e. a time clock provider where you only allow access from your designated IPs you should be able to just provide the new IPs and then remove the old once it's terminated.


If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.

View solution in original post

0 Kudos
7 Replies 7
Mloraditch
Kind of a big deal
Kind of a big deal
‎Apr 3 2025 7:10 AM
‎Apr 3 2025 7:10 AM

Do you currently  have multiple ISPs? If not you can put the new ISP into the secondary WAN of the MXs. Verify everything is working, then change your primary uplink to the new WAN.

If you do have multiple ISPs already you would need to disconnect one in order to program the new, but you can similarly set your flow preferences/load balancing to only use the WAN you are keeping then swap the one you are replacing, test and restore your flow setup

https://documentation.meraki.com/MX/Monitoring_and_Reporting/Appliance_Status/MX_Uplink_Settings

https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/MX_Load_Balancing_and_Flow_Preferen...

 

 

 

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
alemabrahao
Kind of a big deal
Kind of a big deal
‎Apr 3 2025 7:13 AM
‎Apr 3 2025 7:13 AM

Assuming you have both WANs working, you just need to reconfigure the desired WAN interface.

If you only have one working, you can configure the second WAN temporarily.

I recommend doing this during a scheduled maintenance window.

If you have any NAT, you will need to reconfigure that as well.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
In response to alemabrahao
cmr
Kind of a big deal
Kind of a big deal
‎Apr 3 2025 7:21 AM
‎Apr 3 2025 7:21 AM

Making changes to the WAN IP addresses is likely to interrupt all traffic on the MXs for a moment in my experience.  As @alemabrahao said, plan to do it in a maintenance window.

If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
MaghM
Meraki Employee
Meraki Employee
‎Apr 3 2025 8:13 AM
‎Apr 3 2025 8:13 AM

Hi @JPScolar 

 

>Better to do in maintenance window

>Better to be configured on the Local Status Page of the device, as if the new config doesn't work, it will revert to what it's configured previously on the LSP.

>If you notice any issue take packet capture on the internet 1/2 from the dashboard and check if the device is getting response from the ISP

>Make sure all the cloud connectivity ranges are enabled on the ISP, this can be found on help>firewall info, 1st rule

If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it.
0 Kudos
GarageLand42
Here to help
‎Apr 3 2025 8:30 AM
‎Apr 3 2025 8:30 AM

Just in case, you should also have Local Access to the MX device.   You can them web into MX.Meraki.com and configure the IP.

 

0 Kudos
JPScolar
Here to help
‎Apr 3 2025 11:17 AM
‎Apr 3 2025 11:17 AM

Thank you for all the comments. Allow me to clarify a bit my question. My focus here is on the Public IP Transition.  All partners and service providers using the Legacy IP will have to update their records, so there will be a glitch (All IPSec tunnels with Service Providers for instance).  I'm looking for ideas on how to minimize  this glitch or shorten the transition time as much as possible. 

 

Juan-Carlos Perez
0 Kudos
In response to JPScolar
Mloraditch
Kind of a big deal
Kind of a big deal
‎Apr 3 2025 1:24 PM
‎Apr 3 2025 1:24 PM

If we are talking about third party VPNs that's really a question for those providers as to what they can accommodate schedule wise. Even if you are able to bring up the new ISP on the secondary WAN port, third party VPNs only originate from the designated primary uplink (can be either the primary or secondary wan port) of the primary MX. They will all need to be changed at the same time or as close as possible.

For anything NAT'd you can define a new NAT/FW Rule on the secondary WAN and just have the vendor point to the new ip at a convenient time. Both WANs will work simultaneously.

For a website where you have a public ip lock, i.e. a time clock provider where you only allow access from your designated IPs you should be able to just provide the new IPs and then remove the old once it's terminated.


If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.