Hello,
One of our customers uses Cisco MX250 devices and they are interested in setting up redundancy with our infrastructure hosted in AWS. I have been tasked to set it up; unfortunately, I have neither a proper understanding of Cisco Meraki MX250 configuration and setup, nor in-depth knowledge of setting up redundant VPNs on the AWS side.
I have tried to set up a demo environment between our corporate end and AWS using BGP. Our corporate site is using ForcePoint and I set it up as per: https://docs.aws.amazon.com/vpn/latest/s2svpn/vpn-redundant-connection.html
It was successful, and I tested that when one corporate network is down, the other one handles the traffic. This is all good. However, when I checked with AWS on Cisco Meraki, they didn't have much exposure on that front, and while checking the internet, I couldn't really land on any blog or docs which specify what needs to be done. I presumed Cisco Meraki MX250 would follow the same sort of stuff, but apparently I am wrong. When I informed our customer about BGP, they came back on the necessity, and I quote them:
"We're using MX250 with two WAN ports configured, WAN 1 for X.X.X.X and WAN 2 for Y.Y.Y.Y. WAN 1 is the primary line and configured <Company> site to site VPN. Failover to WAN 2 happens automatically when WAN 1 is down and vice versa.
Do we still need BGP since we're using only one router?"
I was hoping someone could give me some insight on how to set up an HA redundant VPN with Cisco Meraki MX250 and AWS. I would have reached out to Cisco Support, but we don't use any Cisco services to leverage that.
At this moment, I am in total darkness 😞
Any help would be much appreciated...
Regards,
It's quite a bit of work. You want to get your customer to buy a pair of Meraki VMX appliances (it needs to be in their Meraki Org) and then get you to deploy them in your AWS.
https://meraki.cisco.com/product/security-sd-wan/virtual-appliances/vmx100/
Then you can follow my guide to configure them for HA.
https://www.ifm.net.nz/cookbooks/meraki-ha-vmx-amazon-aws.html
Otherwise if you are using VPN infrastructure that supports a backup pair (so not Amazon AWS VPN) then you could use tag-based failover.
https://documentation.meraki.com/MX/Site-to-site_VPN/Tag-Based_IPsec_VPN_Failover
Thank you Philip for sharing the solution. Is there an updated link for the URL: https://meraki.cisco.com/product/security-sd-wan/virtual-appliances/vmx100/ ?
As of 03/04/2021, the link is no longer available.
The VMX was available in only one size. That has been replaced with three different sizes, small, medium and large.
https://meraki.cisco.com/product/security-sd-wan/virtual-appliances/vmx-small/
Just checking in for 2021. I know there were some improvements in BGP over the past year. Are we able to properly and fully use an MX100 HA pair with dual WAN and IPsec VPN to AWS with BGP failover yet? Or is a much more expensive vMX dual pair in AWS still required?
>MX100 HA pair with dual WAN and IPSec VPN to AWS with BGP failover yet?
There are no changes in this area.
>Or is a much more expensive vMX dual pair in AWS still required?
There are now multiple sizes of VMX. You can use a much smaller (and cheaper) VMX-S now.
https://meraki.cisco.com/product/security-sd-wan/virtual-appliances/vmx-small/