MX with warm spare, Dual WAN with VIP /29 Subnet

RC352
Conversationalist

Looking for some info. I have sites with redundant MX105/250s. I'm updating these sites to support statics with VIPs using a /29 subnet. The question that I have: when I go in to configure the VIP, it's asking me for both WAN1 and WAN2.

Q: I want to do each WAN interface separately. Reason: I don't want to assign VIPs to both interfaces just in case there is a problem after they reboot.

Q: Can I configure, for example, WAN2 with a VIP, keeping WAN1 with the interface statics? After the VIP for WAN2 is successful, move WAN2 as primary and perform the same task on the other WAN interface. I don't have anyone on site to access the devices locally. Any suggestions/recommendations would be appreciated.

GIdenJoe
Kind of a big deal

You don't have a choice. If you use 2 WAN interfaces you need to have both of them on physical or vIP.
Usually if your second provider uses NAT behind its routers you can use a vIP there too, like a 192.168.0.10 for example.

RC352
Conversationalist

Thanks Joe, I was afraid of this. If I want to use VIPs, I have a probability of the site going offline when converting, IF THE VIPs were incorrectly configured.

MartinLL
Building a reputation

Your MX will still communicate with the Meraki cloud through the physical IP configured on your MX. Outbound internet for clients and SD-WAN/VPN uses the VIP.

Also, if your MX can't reach the Meraki cloud after a config change it will reboot and return to the last known safe config after a while.

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Behavior_during_Conne...

But if you want to shorten the possible downtime it is always smart to have a resource onsite.

MLL
RC352
Conversationalist

Thanks Martin, so the MX will act like a static/DHCP: if the static doesn't work and your modem supports DHCP, it will fail back. Cool.

Thanks

GIdenJoe
Kind of a big deal

Having a vIP is the better option since it smooths out a failover between primary and spare and allows for port forwards to remain on the same IP. However it is not a requirement. In my opinion it is better to have a vIP that is private and NAT'ed than to have physical IPs and not NAT'ed.

RC352
Conversationalist

Thanks for the response!!! My issue is with IF I USE a 3rd-party VPN like iBoss. That needs a public IP.

PhilipDAth
Kind of a big deal

Or use the Cisco offering - Cisco Secure Connect.

https://documentation.meraki.com/CiscoPlusSecureConnect

It has proper native integration with Meraki. No VIPs required.

PhilipDAth
Kind of a big deal

> Reason: I don't want to assign VIPs to both interfaces just in case there is a problem after they reboot

Don't reboot the MXs, simply assign the VIPs. If the MXs go offline they will revert the config change automatically.
