MX100 Warm Spare with Non-Meraki Site to Site VPNs

Solved
rocktreesign
Here to help

Hi All,

I'm trying to get a VPN topology to be resilient. I (will) have 2 x MX100s in Warm Spare mode using a Virtual IP on the WAN side. I have currently got a couple of Non-Meraki VPNs; one to Azure and one to AWS. I need to make these as resilient as possible.

1) Single VPNs to each endpoint, and a query on which IP on the Meraki to use.

The VPNs are currently working OK, terminated on the real WAN IP of the current single MX100. When I switch over to Warm Spare mode and insert the second MX100 into the topology, would I reconfigure the remote VPNs (Azure and AWS) to peer with the Virtual IP, or would I leave it as the real IP? (I have a /29 transit subnet.)

2) AWS dual VPN.

AWS always sets up a second VPN peer, as they randomly do maintenance on a single peer, so I'm supposed to configure this for resilience apparently. Is this possible? I'm reading that it is not, and I'm hoping the firmware has developed to the point where it is now possible. Has anyone done it? If not, are there any workarounds?

3) Dual WANs on Warm Spare

I also have another Internet connection on WAN2 from a different provider, so it has a different /29 hand-off. Can I use this to enhance resilience in either of the above scenarios? Getting resilience from a single Internet pipe failure would be brilliant without having to reconfigure peers.

Thanks in advance.

RTS

1 Accepted Solution
PaulMcG
Getting noticed

Options for redundancy for non-Meraki VPN are limited.

For point 1, you need to use the VIP. There doesn't seem to be much in the documentation on the subject, but the VPN might not even come up if a VIP is configured but you use the WAN IP of the primary MX.

Point 2, I don't think this is possible, but I could be wrong.

Point 3, dual WANs only work for VPN resilience in an Auto VPN setup. Does nothing in a non-Meraki VPN situation.

The only way to get the best resilience in a DC with Meraki is with either a vMX or a physical MX (HA) setup at the DC.

2 Replies

PhilipDAth
Kind of a big deal

(1) - As @PaulMcG stated, you will have to use the VIP address.

For (2) and (3), you can only get an increase in resilience here by also using a pair of vMX in AWS and Azure so you can use SD-WAN.

I've created a guide on how I do this for AWS.

https://www.ifm.net.nz/cookbooks/meraki-ha-vmx-amazon-aws.html

Here is a guide for doing it in Azure.

https://documentation.meraki.com/MX/Other_Topics/Deploying_Highly_Available_vMX_in_Azure
