Meraki

Community

Meraki MX Failover with VIP - when ISP provided /32 network as default route with /28 routed prefix

DANSTEE
Conversationalist
‎Aug 22 2023 1:22 AM
‎Aug 22 2023 1:22 AM

Meraki MX Failover with VIP - when ISP provided /32 network as default route with /28 routed prefix

My ISP has allocated me a /32 IP address along with a /28 routed prefix.

If I understand correctly, the Meraki MX HA VIP requires the VIP and MX WAN interfaces to reside on the same subnet?

I cannot use the primary /32 IP address from my ISP, as it contains only 1 IP.

If I use the /28, I can allocate enough IP addresses, but not sure how the ISP will route the traffic, as it will be routed to the /32 ?

I am sure I am missing something really simple here, but can someone give me some pointers please? Thank you!

0 Kudos
5 Replies 5
alemabrahao
Kind of a big deal
‎Aug 22 2023 4:59 AM
‎Aug 22 2023 4:59 AM

You need at least 2 IPs (one for each WAN) and 3 if you are considering using Virtual IP.

Requirements and Best Practices 

When configuring routed HA, it is critical that both MXs have a reliable connection to each other on the LAN, so the heartbeats of the primary MX can be seen reliably by the spare. To ensure this connection is reliable:

  • The two MXs should be connected to each other through a downstream switch (or ideally, multiple switches) on the LAN to allow for passing VRRP heartbeats.
    • There should be no more than one additional hop between them, and they must be able to communicate on all VLANs.
    • Make sure STP is enabled on the downstream switching infrastructure, as a properly-configured HA topology will introduce a loop on the network.
  • When first configuring routed HA, the spare should be added and configured in the dashboard before the device is physically deployed, so it will immediately fetch its configuration and behave appropriately.

Additionally, the following other considerations should be kept in mind:

  • If a virtual IP is being used, each uplink of the two MXs must share the same broadcast domain on the WAN side.

 

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
In response to alemabrahao
DANSTEE
Conversationalist
‎Aug 22 2023 5:08 AM
‎Aug 22 2023 5:08 AM

Yes that is exactly what I understood.

So my original question still remains. With that understanding - how am I best to configure the uplink to my ISP, given that I have been provided with a single IP on /32 and a small range of IP's on /28

Do I create a VLAN on an 8-port switch in front of the MX's - allocate the /32 to the VLAN address and then configure /28 addresses to each MX?

I am looking for best practice in this scenario

0 Kudos
In response to DANSTEE
alemabrahao
Kind of a big deal
‎Aug 22 2023 5:12 AM
‎Aug 22 2023 5:12 AM

Sorry buddy, but you're not making yourself understood.
 
But if you are asking if you can use a private IP for the WAN interfaces so that each MX uses a single public IP the answer is yes, it is not desirable but it is possible.
 
I recommend that you read the documentation very carefully.

 

https://documentation.meraki.com/MX/Deployment_Guides/MX_Warm_Spare_-_High_Availability_Pair

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to DANSTEE
KarstenI
Kind of a big deal
Kind of a big deal
‎Aug 22 2023 7:23 AM
‎Aug 22 2023 7:23 AM

You meed a router in front of the MX for this to work. A pure L2-switch is not enough, although a Layer3 switch would be fine.

The WAN interface of the router gets the /32, the LAN interface is configured with an IP from the /28.

Be aware that this again introduces a Single point of failure.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Aug 22 2023 2:12 PM
‎Aug 22 2023 2:12 PM

Tell your ISP you can not use a /32.  You need a minimum of a /29.

 

Ideally, have them present the /28 directly and life will be simple.

 

Note it is not compulsory to use a VIP.

0 Kudos
Back to the top
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.