Meraki

Community

MX Warm Spare VPN

Adam
Kind of a big deal
‎Dec 5 2017 10:52 AM
‎Dec 5 2017 10:52 AM

MX Warm Spare VPN

Seems I have a lot of questions today.  Here is an explanation of one of my setups.

 

I have a pair of MX100 at one of our sites.  We have two internet services at that site.  Verizon and Comcast.  The MX100's are setup as active/passive.  Warm spare mode.  Both devices internet ports go to the Verizon modem.  Both devices port 2 (WAN2) go to the Comcast modem.  Here is an example of what that looks like with example LAN IP's given by the respective modems. 

 

MX100 Primary

  Internet port 10.157.2.50  //Verizon

  Port 2 10.1.10.50  //Comcast

MX100 Spare

  Internet port 10.157.2.51  //Verizon

  Port 2 10.1.10.51  //Comcast

 

Support suggested that the best practice would be to setup a Virtual IP (VIP) for the pair to avoid having flow issues upstream at the modems.  So I setup those like this as an example. 

 

10.157.2.10

10.1.10.10

 

The question I have is if I need to create a 1:1 NAT on the modems from the WAN IP to the above virtual IP's or if I rely on the modem being VPN friendly and creating the dynamic NATs.  Sorry if I've used some incorrect terminology along the way but I'd be happy to clarify if any questions arise. 

 

My goal is to have the Non Meraki VPN peers that I connect to, to only have two public IPs from which my devices would establish tunnels from.  The Verizon and the Comcast public IPs.  

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
0 Kudos
3 Replies 3
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Dec 5 2017 10:59 AM
‎Dec 5 2017 10:59 AM

I don't believe you can build a non-Meraki VPN to the virtual IP address.  I believe it can only be done to the actual IP address assigned to the interface IP on the MX.

0 Kudos
In response to PhilipDAth
Adam
Kind of a big deal
‎Dec 5 2017 1:48 PM
‎Dec 5 2017 1:48 PM

Here is the explanation from the documentation.  Meraki explained that basically the two MX's share the IP for communicating to the upstream Modem so they don't both try to communicate at the same time.  Also speeds up failover.  

 

Virtual IP addresses (VIPs) are shared by both the primary and warm spare appliance. Inbound and outbound traffic uses this address to maintain the same IP address during a failover and reduce disruption. The virtual IPs are configured on the Security Appliance > Monitor > Appliance status page, under the Warm Spare section in the upper-left corner of the page. If two uplinks are configured, a VIP can be configured for each uplink. Each VIP must be in the same subnet as the IP addresses of both appliances for the uplink it is configured for, and it must be unique. In particular, it cannot be the same as either the primary or warm spare's IP address.

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
0 Kudos
In response to PhilipDAth
MRCUR
Kind of a big deal
‎Dec 5 2017 2:01 PM
‎Dec 5 2017 2:01 PM

@PhilipDAth I have a non-Meraki (ASA) peer going to the VIP without a problem. Works just fine in a failover scenario too. 

MRCUR | CMNO #12
0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.