MX warm spare - /29 WAN subnets

Solved
manzies
Here to help

hi

In a topology like below, when deploying MX's in a warm spare setup, if each ISP is handing off a /29, is there any reason not to go with using a VIP on WAN1 & WAN2?

And if going with a VIP, I'm not sure how many VPNs get configured on the other end....

The VPNs are non-Meraki. Let's say peer VPN 1's peer IP is 100.1.1.1 and VPN 2's is 200.2.2.2. VPN 1 always comes in via ISP1 and VPN 2 via ISP2.

VPN 1, if up, is always the primary from both ends' perspective.

Does the other end of the VPN just need to peer with the respective VIP on the MX? So, for example, if 100.1.1.1 was working fine but the MX had failed over, would VPN 1 stay up by targeting the VIP?

[Attached topology diagram: manzies_0-1754518200355.png]

thanks

1 Accepted Solution
Mloraditch
Kind of a big deal

Yes, the VIPs are mostly used for 3rd-party VPNs so they can fail over without having multiple peers assigned, and so that your default traffic's source IP out to the internet doesn't change during failover.

Your scenario is precisely the use case. The 3rd parties will peer with your VIP and, in the event of a hardware outage, fail over to the secondary unit without any extra configuration needed.

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.

4 Replies
PhilipDAth
Kind of a big deal

I hardly ever use a VIP. You need to use a VIP if you are using non-Meraki IPsec VPNs.

If you don't use a VIP and a fault occurs where both MXs become master, most things continue to work.

manzies
Here to help

thanks both

GIdenJoe
Kind of a big deal

And I ALWAYS use a vIP. This is the best solution since you always have the same outbound IP.

Of course you can use different IPs in the same subnet for 1:1 and 1:many inbound NAT connections; however, the Secure Client VPN and non-Meraki VPN are always terminated on either the vIP, if you use it, or the physical IP of the active forwarding MX if you don't use a vIP.

This means your IP changes in a failover, causing either a temporary delay if you use the Meraki dynamic DNS hostname or a permanent stop of function if you use a fixed IP.
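As an added illustration (not code from this thread or from Meraki), the Python below carves each ISP's /29 into gateway, primary MX, spare MX and VIP addresses, and shows why a third-party peer's configured address survives a failover only when it targets the VIP, which is the point made in the accepted answer and in GIdenJoe's reply above. The prefixes and the host-ordering convention are assumptions, not values from the thread.

```python
import ipaddress

# Constructed example prefixes; the thread only says "each ISP is handing off a /29".
ISP1_PREFIX = "203.0.113.0/29"
ISP2_PREFIX = "198.51.100.8/29"


def plan_wan_addresses(prefix: str) -> dict:
    """Carve a provider /29 into the addresses a warm-spare pair needs on one WAN.

    Assumed convention (not from the thread): first usable host is the ISP
    gateway, then the primary MX, then the spare MX, then the shared VIP.
    A /29 has 6 usable hosts, so 2 remain for other uses (e.g. 1:1 NAT).
    """
    net = ipaddress.ip_network(prefix, strict=True)
    hosts = list(net.hosts())
    if len(hosts) < 4:
        raise ValueError(f"{prefix} has only {len(hosts)} usable hosts; need 4")
    gateway, primary, spare, vip = hosts[:4]
    return {"gateway": str(gateway), "primary": str(primary),
            "spare": str(spare), "vip": str(vip), "spare_usable": len(hosts) - 4}


def remote_peer_target(plan: dict, active: str, use_vip: bool) -> str:
    """Address a third-party IPsec peer must be configured to talk to.

    With a VIP the target is the VIP, which follows whichever MX is active.
    Without one, the target is the physical WAN IP of the active MX.
    """
    if active not in ("primary", "spare"):
        raise ValueError("active must be 'primary' or 'spare'")
    return plan["vip"] if use_vip else plan[active]


def peer_config_stable_across_failover(plan: dict, use_vip: bool) -> bool:
    """True if the remote peer's configured address is unchanged by a failover."""
    before = remote_peer_target(plan, "primary", use_vip)
    after = remote_peer_target(plan, "spare", use_vip)
    return before == after


if __name__ == "__main__":
    for name, prefix in (("WAN1/ISP1", ISP1_PREFIX), ("WAN2/ISP2", ISP2_PREFIX)):
        plan = plan_wan_addresses(prefix)
        print(name, plan)
        for use_vip in (True, False):
            print(f"  VIP={use_vip}: peer target stable across failover ->",
                  peer_config_stable_across_failover(plan, use_vip))
```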
