MX75 HA/Failover Configuration and Licensing

Solved
Dankowski
Conversationalist

My company is considering purchasing the Meraki MX75, and we would like to configure the firewalls to operate in HA/Failover mode. Based on the documentation I found, it appears that a Virtual IP address is required for this setup. However, we only have a single public IP address available. Is it possible to configure the firewalls in Active/Passive mode while using just one public IP address?

Additionally, I have a question regarding licensing. From my understanding, in HA/Failover mode, is only one license required for both devices?

Thanks in advance for your answers!

1 Accepted Solution
jimmyt234
A model citizen

No - each device in the HA pair needs its own dedicated WAN IP. You can then optionally set up a VIP if you wanted to, from within the same subnet.

As @KarstenI says - standard setup would be a /29 with 2 uplink ports from the ISP; this allows you to plug both your WANs into their equipment.

rwiesmann
Head in the Cloud

Yes, you only need one license in an HA setup.

Check out this post about licensing

https://documentation.meraki.com/MX/Deployment_Guides/MX_Warm_Spare_-_High_Availability_Pair

Dankowski
Conversationalist

Thank you for your response.

So, with MX uplink IPs, I can use a single public IP assigned to the Active MX. If the primary Active MX fails, the Passive MX will take over as the Active MX and assign the public IP to itself.

KarstenI
Kind of a big deal

General rule: You need a /29 from your ISP to have the needed addresses for MX1, MX2, and optionally the virtual IP. If you only have one IP, you could place a NAT router in front of both MXes and use a private transfer network. But that is again a single point of failure.

https://cyber-fi.net/index.php/2024/02/19/connecting-your-meraki-mx-to-the-internet/

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
Dankowski
Conversationalist

OK, I see now. Thank you for the clarification!

MaghM
Meraki Employee

For WAN, VIP addresses are shared by both the primary and warm spare appliance. Inbound and outbound traffic use this address to maintain the same IP address during a failover and reduce disruption. The virtual IPs are configured on the Security & SD-WAN > Monitor > Appliance status page, under the Spare section in the upper-left corner of the page. If two uplinks are configured, a VIP can be configured for each uplink. Each VIP must be in the same subnet as the IP addresses of both appliances for the uplink it is configured for, and it must be unique. In particular, it cannot be the same as either the primary or the warm spare's IP address.

https://documentation.meraki.com/MX/Deployment_Guides/MX_Warm_Spare_-_High_Availability_Pair

Regarding the license, yes, only one license is required for an HA pair. The warm spare unit does not require a separate license.

If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it.
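
A pre-deployment check of the addressing rules given in this thread (each MX needs its own WAN IP, and an optional VIP must sit in the same subnet and be unique), added here as an example that is not part of the original posts or Meraki's own tooling. The function name, the `gateway` parameter (assumed to be the ISP router on the same segment) and the 203.0.113.0/24 sample addresses are constructed for illustration; IPv4 only.

```python
import ipaddress

def check_warm_spare_plan(subnet, gateway, primary, spare, vip=None):
    """Return a list of problems in an IPv4 WAN plan; an empty list means it fits."""
    net = ipaddress.ip_network(subnet, strict=True)
    # Assumption: 'gateway' is the ISP router address on the same segment.
    roles = {"gateway": gateway, "primary": primary, "spare": spare}
    if vip is not None:
        roles["vip"] = vip
    addrs = {role: ipaddress.ip_address(a) for role, a in roles.items()}

    # Network and broadcast addresses are not assignable on subnets wider than /31.
    reserved = set()
    if net.prefixlen < 31:
        reserved = {net.network_address, net.broadcast_address}
    usable = net.num_addresses - len(reserved)

    problems = []
    if usable < len(addrs):
        problems.append(f"{net} has {usable} usable addresses, plan needs {len(addrs)}")
    seen = {}
    for role, addr in addrs.items():
        if addr not in net:
            problems.append(f"{role} {addr} is outside {net}")
        elif addr in reserved:
            problems.append(f"{role} {addr} is the network or broadcast address")
        if addr in seen:
            # Covers the rule that the VIP cannot equal the primary or spare IP.
            problems.append(f"{role} {addr} duplicates {seen[addr]}")
        else:
            seen[addr] = role
    return problems

if __name__ == "__main__":
    # Constructed sample plans using the documentation range 203.0.113.0/24.
    plans = {
        "/29 with VIP": ("203.0.113.0/29", "203.0.113.1", "203.0.113.2",
                         "203.0.113.3", "203.0.113.4"),
        "single usable IP": ("203.0.113.0/30", "203.0.113.1", "203.0.113.2",
                             "203.0.113.2", None),
    }
    for name, plan in plans.items():
        issues = check_warm_spare_plan(*plan)
        print(name, "->", issues or "OK")
```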