Meraki

Community

MX behind firewall and switch stack

ksumann
Getting noticed
‎Mar 19 2024 3:01 AM
‎Mar 19 2024 3:01 AM

MX behind firewall and switch stack

Hello everyone

 

our current setup looks like this:

FW -- Switch -- MX as Hub

 

Now we want to create a switch stack to keep everything up in case of a switch failure.

Additionally we have set manual NAT traversal for the MX.

Plan was to connect one WAN Port to one Switch of the stack.

 

So how can we achieve this?

- Its not possible to define an alternate NAT traversal port so we cannot define a second port forwarding (to the IP of WAN2) on the firewall

- Its not possible to share the same IP between WAN1 and WAN2

- Manually setting the same IP to WAN1 and WAN2, both connected to the stack, will give ip address conflict (obviously)

- Its not possible to use LACP with WAN1 and WAN2

0 Kudos
6 Replies 6
KarstenI
Kind of a big deal
Kind of a big deal
‎Mar 19 2024 3:26 AM
‎Mar 19 2024 3:26 AM

One concentrator on stack-member 1, one concentrator on stack member 2. Both MX running in warm spare mode.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
0 Kudos
alemabrahao
Kind of a big deal
‎Mar 19 2024 5:45 AM
‎Mar 19 2024 5:45 AM

Refer the documentation.

 

https://documentation.meraki.com/MX/Deployment_Guides/MX_Warm_Spare_-_High_Availability_Pair

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
ksumann
Getting noticed
‎Mar 19 2024 7:17 AM
‎Mar 19 2024 7:17 AM

So there is no way with only one MX?

[I agree that this is still a single point of failure]

0 Kudos
In response to ksumann
KarstenI
Kind of a big deal
Kind of a big deal
‎Mar 19 2024 7:38 AM
‎Mar 19 2024 7:38 AM

No:

Interface Configuration

The MX WAN appliance being configured as a one-armed VPN concentrator should be connected to the upstream datacenter infrastructure using its Internet port, or using the Internet 1 port on devices models with two Internet uplink ports.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
0 Kudos
In response to KarstenI
ksumann
Getting noticed
‎Apr 2 2024 3:44 AM
‎Apr 2 2024 3:44 AM

I forgot to mention that it is configured in routed mode.

The idea was, if the primary switch fails, WAN1 would fail and thus going over WAN2 and Switch 2.

I guess it would work if there were no Port forwarding rule needed.

0 Kudos
In response to ksumann
KarstenI
Kind of a big deal
Kind of a big deal
‎Apr 2 2024 3:59 AM
‎Apr 2 2024 3:59 AM

This information is not that unimportant ...

There is also only one ISP on the firewall?

On the MX, you could use the same IP on both WANs, but it doesn't help as the firewall needs to differentiate both WAN ports. If you set them to different IPs, I would assume that it would work if the ISP firewall doesn't mess up the NAT. But that could be solved with two dedicated 1:1 translations on the firewall. 

Still, if a customer approached me with this design, I would think they wanted to kid me.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
0 Kudos
Back to the top
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.