MX VLAN NAT & SD-WAN Backup Questions

Solved
jOMeraki2
Getting noticed


Hello Meraki community,
I have a few design questions regarding Cisco Meraki MX.

VLAN Source NAT
My ISP provides multiple public IPs from the same subnet on a leased line. I have several VLANs and would like specific VLANs to use different public IPs for outbound traffic instead of always using the primary WAN IP.

Example:
VLAN10 → Public IP A
VLAN20 → Public IP B

Is it possible to control outbound source NAT per VLAN? If not, is there any recommended workaround (for example using )?

--------------------------------------------------------------------------------

Client using a specific public IP
If I have multiple public IPs on the same WAN, is it possible to force a specific client or internal IP to go out to the internet using a specific public IP (not the primary WAN IP)?
--------------------------------------------------------------------------------

WAN / SD-WAN design
Currently I have:
WAN1 → Primary ISP
WAN2 → Secondary ISP

I am considering adding another connection to the same ISP router as WAN1 but using a different public IP from the same subnet.

Example:
WAN1 → ISP Router → Public IP A
WAN2 → Different ISP
WAN3 → Same ISP Router → Public IP B

In this scenario, can WAN3 be used in SD-WAN Flow Preferences as a backup path, or will the MX treat WAN1 and WAN3 as the same uplink since they are connected to the same router/subnet?

Thank you.

1 Accepted Solution
alemabrahao
Kind of a big deal

The MX does not support source NAT, so it's not possible to have the client access the internet with a different IP address than the one configured on the WAN.

As for WAN 3, it's a backup interface; that is, WAN 1 and WAN 2 remain active, and WAN 3 will only become active if one of the two active WANs fails.
https://documentation.meraki.com/SASE_and_SD-WAN/MX/Operate_and_Maintain/How-Tos/MultiWAN#MultiWAN_B...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.


4 Replies
GIdenJoe
Kind of a big deal

Traffic initiated from inside going to a WAN will always be NAT'ed to either the physical IP or the Virtual IP (in case of an HA pair).

The 1:1 and 1:Many NAT functionalities are meant for traffic initiated from the outside going in.

I haven't tested 1:1 NATs recently to see if their traffic is always NAT'ed to that IP, but this is irrelevant for your design question.

JosephWalters
New here

With Meraki MX appliances, control over source NAT is fairly limited. By default, all outbound traffic uses the primary public IP of the WAN interface, and there is no native option to do outbound NAT per VLAN or per client to different public IPs from the same subnet. The additional IPs are mainly used for 1:1 NAT or inbound port forwarding. To work around this, some people use a NAT device or an upstream router. Regarding SD-WAN, the MX only handles two uplinks (WAN1 and WAN2), so a separate WAN3 is not supported for flow preferences.

JosephWalters
New here

With Cisco Meraki MX appliances, control over source NAT remains fairly limited: by default, all outbound traffic is translated with the primary public IP of the WAN interface, and there is no native option to apply a different outbound NAT per VLAN or per client to multiple public IPs from the same subnet. The additional public IPs are mainly intended for uses such as 1:1 NAT or inbound port forwarding, not for segmenting outbound NAT. To work around this limitation, some architectures place a router or a NAT device upstream to handle translation per subnet or per flow. Also, on the SD-WAN side, the MX only supports two Internet links (WAN1 and WAN2); it is therefore not possible to use a separate third WAN link (WAN3) to define routing or flow preferences.