Meraki MX84 warm spare with a single public IP address (DHCP) on WAN interface

SOLVED
Wong
Just browsing


Dear,

 

I am going to set up an MX84 with a warm spare. WAN 1 is configured for DHCP and is assigned a single external IP address from the ISP. (My internet plan has only one public IP provided by the ISP.)

So I tried to set up warm spare, but the dashboard needs both the primary and spare MX84 connected at the same time. How can I use one public IP address on the WAN interface and build a warm spare? Many thanks.

1 ACCEPTED SOLUTION
MarcP
Kind of a big deal


@Wong wrote:

@ww Yes, the ISP router connects directly to the MX WAN interface. No NAT device.


Your ISP Router can be your NAT device... (?)


20 REPLIES
MarcP
Kind of a big deal

Fun fact, I'll try this today, as I never tried warm spare before...

 

https://documentation.meraki.com/MX/Deployment_Guides/MX_Warm_Spare_-_High_Availability_Pair

 

"Dashboard Configuration

To configure warm spare failover for an existing Dashboard network, navigate to the Security & SD-WAN > Monitor > Appliance status, and select Configure warm spare near the upper-left side of the page, below the device name. In the window that appears, select Enabled. Enter the serial number of the Secondary MX and select the desired Uplink IP configuration, then select Update to enable Warm Spare.

 

Use MX uplink IPs: When using this option, the current Active MX will use its distinct uplink IP or IPs when sending traffic out to the Internet. This option does not require additional public IPs for Internet-facing MXes, but also results in more disruptive failover because the source IP of outbound flows will change."

 

 

"Additionally, the following other considerations should be kept in mind:

  • Both MXs must share the same number of uplinks. That is, if the Primary MX has dual uplinks, then the Spare must have dual uplinks as well.
  • If a virtual IP is being used, then each uplink of the two MXs must share the same broadcast domain on the WAN side."

 

I am not sure if it works with only 1 public IP, but I don't know why it shouldn't, because an MX could be broken as well, without there being an issue with the ISP.

Wong
Just browsing

Thank you for your reply, attached is my final design. But now I can't set up warm spare with a DHCP (assigned 1x public IP address) WAN interface.

MX84 warm spare with 1 x public ip adddress.jpg

MarcP
Kind of a big deal

Maybe it really won't work...

 

https://www.reddit.com/r/meraki/comments/8sxqgq/warm_spare_1_static_ip_mx84/

 

"Network Setup 

Each concentrator has its own IP address to exchange management traffic with the Meraki Cloud Controller. However, the concentrators also share a virtual IP address that is used for non-management communication."

 

But I'll test today as well, so we'll see, if no one else replies first 😉

I think I'll try it with "Use MX uplink IPs"

Mateen
Getting noticed

What does this mean?
"If a virtual IP is being used, then each uplink of the two MXs must share the same broadcast domain on the WAN side."
AjitKumar
Head in the Cloud

Hi @Wong 

 

I believe this may not be possible.

One idea could be:

You may install a "Router" between the ISP and the MX84s and share the ISP with both MXes.

Regards,
Ajit
AjitsNW@gmail.com
www.ajit.network
MarcP
Kind of a big deal

Well, I don't know if I am doing something wrong, but it seems to be working without any problems.

 

Test with 1 ISP (1 public IP) - Working

2019-08-26 14_03_22-Security Appliances - Meraki Dashboard.png

 

Test with 1 IP and disconnected on primary router, still working

2019-08-26 14_02_20-Security Appliances - Meraki Dashboard.png

 

Connected a second ISP, working the same as with 1...

 

2019-08-26 14_21_08-Security Appliances - Meraki Dashboard.png

 

 

Well... looks like it is working with only 1 ISP router (1 public IP). The VPN IP is reachable all the time. Only 1 ping does not go through the tunnel (when failing over), but it keeps working. NICE

 

Setup1

 

WarmSpare.png

 

############

 

Setup2 

 

 

WarmSpare.png

Both were working

jdsilva
Kind of a big deal

Hey Guys. You cannot set up Warm Spare with only a single IP. You need at a minimum two, or three if you are using a VIP. The reason for this is each MX needs its own IP to maintain a connection to the Meraki cloud. They cannot share one IP and have their own control session to the cloud.

MarcP
Kind of a big deal

@jdsilva Well, as shown in my previous post, it is working, with 1 ISP and its single public IP.

I can reach both devices behind it and it's doing the failover as it should. All working fine.

I set it up as VIP.

All shown above, or did I do something wrong?

Setup 1 was working as well.

Noted and thank you for your support.

Wong
Just browsing

Yes, ISP router directly connect to MX wan interface.

Lucas_T
Comes here often

Dear MarcP,

You did an awesome setup. I have 1 ISP and 2 MX84s, main and spare. Can you share the overall setup and how it is configured? My main FW is working fine now, but I am unable to set up the spare FW.

Thank you!

Happiman
Building a reputation

I had the same issue. You will have to have at least 3 usable IP addresses.

 

1 for each Meraki, and 1 for VIP. I ended up changing my /30 to /29 subnet.

 

MarcP
Kind of a big deal

Why would I need 3 when it’s all behind a Router which is in Nat mode?

All devices get their own internal IPs mx1, mx2 and VIP

ww
Kind of a big deal


@MarcP wrote:

Why would I need 3 when it’s all behind a Router which is in Nat mode?

All devices get their own internal IPs mx1, mx2 and VIP


He has no NAT router. Is your first solution using a NAT router or not?

MarcP
Kind of a big deal

Ah ok, I see... But I didn't recognize that he connects directly to the ISP.

I assumed he uses an ISP router as well.

jdsilva
Kind of a big deal

@MarcP If I'm following right you've created an IP conflict on that network between two MX appliances. You can expect unstable, unpredictable behavior. The ARP table on the gateway router will be constantly thrashing between the two MACs.

 

Try connecting a client behind that and tell me how well they can browse the Internet. 
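The ARP thrashing described in the post above can be checked for from the gateway side. The following is an added example, not code posted by anyone in the thread: it flags an IP whose MAC binding changes repeatedly within a short window, while a single change (a normal failover) is not flagged. The observation format, the addresses and the thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed observations (not from the thread): epoch seconds, IP, and the
# MAC that answered ARP for it on the segment between the router and the MXs.
SAMPLE = """\
1000 192.0.2.10 00:00:5e:00:53:01
1002 192.0.2.10 00:00:5e:00:53:02
1004 192.0.2.10 00:00:5e:00:53:01
1006 192.0.2.10 00:00:5e:00:53:02
1008 192.0.2.10 00:00:5e:00:53:01
1000 192.0.2.1 00:00:5e:00:53:aa
1005 192.0.2.1 00:00:5e:00:53:aa
2000 192.0.2.20 00:00:5e:00:53:03
2300 192.0.2.20 00:00:5e:00:53:04
"""


def parse(text):
    """Yield (timestamp, ip, mac) tuples from 'ts ip mac' lines."""
    for number, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"line {number}: expected 'ts ip mac'")
        yield int(parts[0]), parts[1], parts[2].lower()


def find_flapping(observations, window=60, min_changes=3):
    """Return {ip: sorted MACs} for IPs with at least min_changes MAC
    changes inside any window-second span. One change is a failover;
    repeated changes point to two devices claiming the same address."""
    last_mac = {}
    change_times = defaultdict(list)  # ip -> timestamps of MAC changes
    seen_macs = defaultdict(set)
    flagged = {}
    for ts, ip, mac in sorted(observations):
        seen_macs[ip].add(mac)
        if ip in last_mac and last_mac[ip] != mac:
            change_times[ip].append(ts)
            recent = [t for t in change_times[ip] if ts - t <= window]
            if len(recent) >= min_changes:
                flagged[ip] = sorted(seen_macs[ip])
        last_mac[ip] = mac
    return flagged


if __name__ == "__main__":
    for ip, macs in find_flapping(parse(SAMPLE)).items():
        print(f"{ip} is flapping between {', '.join(macs)}")
```
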

MarcP
Kind of a big deal


@jdsilva wrote:

@MarcP If I'm following right you've created an IP conflict on that network between two MX appliances. You can expect unstable, unpredictable behavior. The ARP table on the gateway router will be constantly thrashing between the two MACs.

 

Try connecting a client behind that and tell me how well they can browse the Internet. 


Tried that just now, and it was running very well...

Connected to the switch behind the WarmSpare and disconnected the primary MX / both MXs and other options, and it was still always working, even after disconnecting both uplinks (being offline) and reconnecting only the spare first and then the primary.

 

Maybe something got changed on Meraki site.

My RDP session was always working fine, only for 1-2 seconds after disconnecting a cable it was struggling.

Wong
Just browsing

@ww Yes, the ISP router connects directly to the MX WAN interface. No NAT device.

MarcP
Kind of a big deal


@Wong wrote:

@ww Yes, the ISP router connects directly to the MX WAN interface. No NAT device.


Your ISP Router can be your NAT device... (?)

jdsilva
Kind of a big deal


@MarcP wrote:

Why would I need 3 when it’s all behind a Router which is in Nat mode?

All devices get their own internal IPs mx1, mx2 and VIP


Sorry, maybe I'm not reading right. Yes, you can NAT a warm spare pair through a single IP, but the MX's themselves still need their own IP configured on their WAN interfaces.

 

Or put another way, you can't configure a single IP for warm spare, but you can NAT a warm spare to a single IP.
