MX250 High Availability and redundancy with AWS

Solved
ghosham
New here

Hello,

One of our customers uses Cisco MX250 devices and is interested in setting up redundancy with our infrastructure hosted in AWS. I have been tasked with setting it up; unfortunately, I have neither a proper understanding of Cisco Meraki MX250 configuration and setup, nor in-depth knowledge of setting up redundant VPNs on the AWS side.

I have tried to set up a demo environment between our corporate end and AWS using BGP. Our corporate side is using ForcePoint, and I set it up as per: https://docs.aws.amazon.com/vpn/latest/s2svpn/vpn-redundant-connection.html

It was successful, and I tested that when one corporate network is down, the other one handles the traffic. This is all good. However, when I checked with AWS about Cisco Meraki, they didn't have much exposure on that front, and while searching the internet, I couldn't really land on any blog or docs which specify what needs to be done. I presumed Cisco Meraki MX250 would follow the same sort of setup, but apparently I am wrong. When I informed our customer about BGP, they came back on the necessity, and I quote them:

"We're using MX250 with two WAN ports configured, WAN 1 for X.X.X.X and WAN 2 for Y.Y.Y.Y. WAN 1 is the primary line and configured <Company> site to site VPN. Failover to WAN 2 happens automatically when WAN 1 is down and vice versa.

Do we still need BGP since we're using only one router?"

I was hoping someone could give me some insight on how to set up an HA redundant VPN with Cisco Meraki MX250 and AWS. I would have reached out to Cisco Support, but we don't use any Cisco services to leverage that.

At this moment, I am in total darkness 😞

Any help would be much appreciated...

Regards,
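An added example, not part of the original post: a check over data shaped like the EC2 DescribeVpnConnections response (constructed sample values here, not real telemetry) that verifies the AWS redundant-connection pattern linked above actually gives failover: two VPN connections on distinct customer gateways, each with at least one tunnel UP and accepting BGP routes.

```python
# Constructed sample and check for an AWS Site-to-Site VPN redundant pair.
# The data shape mirrors EC2 DescribeVpnConnections (boto3:
# ec2.describe_vpn_connections()); all IDs and addresses below are made up.

def _conn(cid, cgw, tunnels, static=False):
    """Build one VpnConnection record from (outside_ip, status, routes) tuples."""
    return {
        "VpnConnectionId": cid,
        "CustomerGatewayId": cgw,
        "Options": {"StaticRoutesOnly": static},
        "VgwTelemetry": [
            {"OutsideIpAddress": ip, "Status": st, "AcceptedRouteCount": n}
            for ip, st, n in tunnels
        ],
    }

# Two connections, one per customer gateway (two on-prem devices or two WAN
# links), each with AWS's two tunnels. Constructed values.
SAMPLE = {"VpnConnections": [
    _conn("vpn-0aaa", "cgw-0001", [("203.0.113.10", "UP", 3), ("203.0.113.11", "DOWN", 0)]),
    _conn("vpn-0bbb", "cgw-0002", [("203.0.113.20", "UP", 3), ("203.0.113.21", "UP", 3)]),
]}

def assess_redundancy(response):
    """Return (is_redundant, findings).

    Redundant means at least two connections on different customer gateways
    each have a tunnel that is UP and accepting BGP routes. Static-route
    connections are flagged: the AWS redundant-connection pattern needs BGP.
    """
    findings, healthy_gateways = [], set()
    for conn in response.get("VpnConnections", []):
        cid, cgw = conn["VpnConnectionId"], conn["CustomerGatewayId"]
        tunnels = conn.get("VgwTelemetry", [])
        if conn.get("Options", {}).get("StaticRoutesOnly"):
            findings.append(f"{cid}: static routes only, no BGP failover")
            continue
        down = [t["OutsideIpAddress"] for t in tunnels if t["Status"] != "UP"]
        if down:
            findings.append(f"{cid}: tunnel(s) down: {', '.join(down)}")
        if any(t["Status"] == "UP" and t.get("AcceptedRouteCount", 0) > 0 for t in tunnels):
            healthy_gateways.add(cgw)
        else:
            findings.append(f"{cid}: no tunnel is UP with accepted routes")
    ok = len(healthy_gateways) >= 2
    if not ok:
        findings.append(f"only {len(healthy_gateways)} customer gateway(s) healthy; need 2")
    return ok, findings

if __name__ == "__main__":
    redundant, notes = assess_redundancy(SAMPLE)
    print("redundant" if redundant else "NOT redundant", *notes, sep="\n")
```

On a live account the same function can be fed the output of boto3's `describe_vpn_connections()` directly; a single healthy gateway or a static-route connection is reported as not redundant.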

1 Accepted Solution
PhilipDAth
Kind of a big deal

It's quite a bit of work.  You want to get your customer to buy a pair of Meraki VMX appliances (it needs to be in their Meraki Org) and then get you to deploy them in your AWS.

https://meraki.cisco.com/product/security-sd-wan/virtual-appliances/vmx100/ 

Then you can follow my guide to configure them for HA.

https://www.ifm.net.nz/cookbooks/meraki-ha-vmx-amazon-aws.html 

Otherwise if you are using VPN infrastructure that supports a backup pair (so not Amazon AWS VPN) then you could use tag-based failover.

https://documentation.meraki.com/MX/Site-to-site_VPN/Tag-Based_IPsec_VPN_Failover 

5 Replies
Louis
Here to help

Thank you Philip for sharing the solution. Is there an updated link for the URL: https://meraki.cisco.com/product/security-sd-wan/virtual-appliances/vmx100/ ?

As of 03/04/2021, the link is no longer available.

PhilipDAth
Kind of a big deal

The VMX was available in only one size.  That has been replaced with three different sizes, small, medium and large.

https://meraki.cisco.com/product/security-sd-wan/virtual-appliances/vmx-small/ 

mattychix
Conversationalist

Just checking in for 2021. I know there were some improvements in BGP over the past year. Are we able to properly and fully use an MX100 HA pair with dual WAN and IPsec VPN to AWS with BGP failover yet? Or is a much more expensive vMX dual pair in AWS still required?

PhilipDAth
Kind of a big deal

>MX100 HA pair with dual WAN and IPSec VPN to AWS with BGP failover yet?

There are no changes in this area.

>Or is a much more expensive vMX dual pair in AWS still required?

There are now multiple sizes of VMX.  You can use a much smaller (and cheaper) VMX-S now.

https://meraki.cisco.com/product/security-sd-wan/virtual-appliances/vmx-small/ 
