Meraki MX Firewall HA - with 2 ISPs and /30 Public IPs

iliyaz

Hi Team,

I have configured an MX84 HA setup exactly as per the diagram below. I am able to get Internet from the switches on both WAN ports of MX1, but the MX2 spare is showing as "Unreachable" while the HA link shows green on both.

 

Devices - 2 x MX84 and 2 x MS250-48LP

Below are the public IPs I got from both of my ISPs:

ISP 1 - 49.xx.1.104/30

49.xx.1.105 - PE and 49.xx.1.106 - CE

49.xx.8.168/29 - LAN public IPs


ISP 2 - 182.yy.80.104/30

182.yy.8.105 - PE and 182.yy.8.106 - CE

182.yy.3.104/29 - LAN public IPs

 

Configuration on MX1 WAN ports:

On MX1 WAN port 1 - I have configured the /30 of ISP 1

On MX1 WAN port 2 - I have configured the /30 of ISP 2

The Internet on both WAN ports of MX1 is fine, but the spare is showing Unreachable.

 

HA config model of other vendors:

With other vendors' models, we just configure the WAN link with /30 IPs on the active device and the same configuration is replicated to the passive device. In case of failure the passive device takes the active device's configuration and is up and running.

Not sure how Meraki HA works.

Team, can someone please help out here?

[Attachment: Meraki-HA-Setup.png]

 


KarstenI

The Meraki MX works differently than you expect. Both devices need a constant connection to the dashboard. With the /30, you are pretty limited here. 

What can you do:

  1. Get /29 subnets from your ISP. This is the best option.
  2. Connect the first ISP to MX1 and the second ISP to MX2. In this setup, the active firewall will always use only one ISP: ISP1 while MX1 is active and ISP2 while MX2 is active.
  3. Place a NAT router in front of the MXes. With a private subnet between the router and the MXes, both can communicate to the dashboard at the same time.

 

EDIT: I didn't see that you have /29s on the LAN side. If option 1 with a /29 transfer is not possible, then option 2 is even easier. Instead of a NAT router you can take two small L3 switches and work without NAT. On this L3-Switch, the /30 goes to the ISP, the /29 goes to the MXes.

 

Some more information on the different options:

https://cyber-fi.net/index.php/2024/02/19/connecting-your-meraki-mx-to-the-internet/

 

iliyaz

Thank you very much @KarstenI for addressing all my queries in a single answer.

Option 1 is the easiest, but I have to do some paperwork with the ISPs.

Option 2 also looks good. Can you please guide me in achieving it:

Step 1: Create an L3 interface on the MS250 switch MS-1, connect the ISP1 interface to it and configure the /30 public WAN IP; do the same on the MS-2 MS250 switch's L3 interface for ISP2.

Step 2: Create an SVI in MS1 and have an L3 connection to both MX1 and MX2.

e.g. - MS1:

Vlan 710
ip address 49.xx.8.169/29 -- GW

MX1 - 49.xx.8.170/29 - WAN 1

MX2 - 49.xx.8.171/29 - WAN 1

MS2:

Vlan 711
ip address 182.yy.3.105/29 -- GW

MX1 - 182.yy.3.106/29 - WAN 2

MX2 - 182.yy.3.107/29 - WAN 2

After that, what should be done to establish the Internet connection?

 

 

jasonbrown23

Yeah, getting a /29 on the WAN is easiest. But since you have a /29 for the LAN IPs, you can have your /30s terminate on each DMZ switch / edge switch. Then route your /29 behind that, so the DMZ switch will have one IP from the /30 and one IP from the /29. Your two firewalls will use the DMZ /29 as their default gateway, and each firewall will get an IP from the /29 and use one for the VIP if you want to use that.
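
The addressing plan behind the L3-switch design that KarstenI's edit and jasonbrown23's reply describe, worked through as an added Python example (this is not code from the thread or from Meraki). The thread masks its real addresses (49.xx..., 182.yy...), so the blocks below are constructed from RFC 5737 documentation ranges. The assumptions are the ones the replies imply: the ISP /30 carries PE and CE (the switch uplink), the switch SVI takes the first usable address of the /29 as the MXes' gateway, then MX1, MX2 and an optional VIP follow, and a warm-spare pair needs one address for the gateway plus one per MX so both keep their own dashboard connection. The `can_host_ha` check is why a bare /30 leaves the spare Unreachable: it only has two usable addresses.

```python
"""Address plan for the 'L3 switch in front of the MXes' option.

Added example, not from the original thread or from Meraki. Addresses are
constructed stand-ins (RFC 5737) because the thread masks the real ones.
Assumed layout, per the replies:
  ISP /30 : PE on the first usable, CE (the L3 switch uplink) on the second
  LAN /29 : switch SVI = first usable (gateway), then MX1 WAN, MX2 WAN,
            then an optional HA VIP; whatever is left is spare.
"""
from ipaddress import IPv4Interface, ip_network

# Constructed stand-ins for the two ISPs in the thread (real ones are masked).
ISPS = {
    "ISP1": {"transfer": "203.0.113.104/30", "lan": "203.0.113.168/29", "mx_wan": "WAN 1"},
    "ISP2": {"transfer": "198.51.100.104/30", "lan": "198.51.100.104/29", "mx_wan": "WAN 2"},
}


def hosts_needed(use_vip: bool) -> int:
    """Addresses a block must provide for a warm-spare pair behind one gateway.

    One for the gateway (switch SVI or NAT router), one per MX so each can keep
    its own dashboard tunnel up, plus one if a shared VIP is used.
    """
    return 1 + 2 + (1 if use_vip else 0)


def can_host_ha(block: str, use_vip: bool = True) -> bool:
    """True if the block has enough usable host addresses for the HA pair."""
    net = ip_network(block, strict=True)
    usable = net.num_addresses - 2  # drop network and broadcast
    return usable >= hosts_needed(use_vip)


def plan_isp(name: str, transfer: str, lan: str, mx_wan: str) -> dict:
    """Build the per-ISP address plan for the L3-switch design."""
    t = ip_network(transfer, strict=True)
    lan_net = ip_network(lan, strict=True)
    if t.prefixlen != 30:
        raise ValueError(f"{name}: transfer network must be a /30, got /{t.prefixlen}")
    if not can_host_ha(lan, use_vip=True):
        raise ValueError(f"{name}: {lan} cannot hold gateway + 2 MX + VIP")
    pe, ce = list(t.hosts())
    lan_hosts = list(lan_net.hosts())
    gw, mx1, mx2, vip = lan_hosts[:4]
    plen = lan_net.prefixlen
    return {
        "isp": name,
        "switch_uplink": str(IPv4Interface(f"{ce}/{t.prefixlen}")),
        "switch_default_route": f"0.0.0.0/0 via {pe}",
        "switch_svi": str(IPv4Interface(f"{gw}/{plen}")),
        "mx1_wan": {"port": mx_wan, "ip": str(IPv4Interface(f"{mx1}/{plen}")), "gateway": str(gw)},
        "mx2_wan": {"port": mx_wan, "ip": str(IPv4Interface(f"{mx2}/{plen}")), "gateway": str(gw)},
        "vip": str(vip),
        "spare": [str(h) for h in lan_hosts[4:]],
    }


def build_plan(isps: dict = ISPS) -> list:
    """One plan entry per ISP, in the order given."""
    return [plan_isp(n, **cfg) for n, cfg in isps.items()]


if __name__ == "__main__":
    import json
    # A /30 alone cannot give the gateway and both MXes an address.
    print("/30 fits an HA pair:", can_host_ha("203.0.113.104/30", use_vip=False))
    print(json.dumps(build_plan(), indent=2))
```

On an MS250 the pieces of this plan map onto a routed uplink interface holding the /30, an SVI holding the /29, and a static default route towards the ISP PE; the two MX WAN ports then point at the SVI address as their gateway.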
iliyaz

Thanks @jasonbrown23 for the quick reply. I will try to implement it as suggested, but instead of a DMZ switch, can I use the MS250-48LP switch?

Also, are there any cons to using the Internet links on the DMZ switch and /29s on the MXes?
