Meraki MX84 warmspare WAN IP Issuses

amalmichaelvj
Comes here often

Meraki MX84 warmspare WAN IP Issuses

I am confused in Cisco Meraki MX84 warm spare.

i need Fully Hardware failover.

i have 2 service provider.

Both my service provider gave me only single WAN ip.

In this case can i configure Warmspare with HA???

 

Looking through the document what i can find is i need to provide a shared ip from WAN 1 and WAN 2??

Please update??

10 REPLIES 10
cmr
Kind of a big deal
Kind of a big deal

You can, but you will need to NAT your service provider before you get to the MX WAN interface.

 

i.e.   ISP ->  NAT device  -> MX WAN ports

 

You need a minimum of 2x WAN IPs on at least the primary WAN interface and it works better with 3 (one virtual one) in the event of a failover.

Hello cmr,

Thanks for reply.
What you meant by NAT.i need to add any additional appliance which support NAT before get to MX.
or i have any option in MX itself.

Adding new appliance practically not possible.
Please reply.
cmr
Kind of a big deal
Kind of a big deal

Unfortunately it is an additional appliance that you would need in front of the MX.  Is there no way either of the providers can give you more than one usable IP?

So customer provider need to provide 3 public ip.

1 actual IP address.And 2 ip address as VIP in MX 84??

cmr
Kind of a big deal
Kind of a big deal

Ideally the provider gives you a /29 that has 6 usable addresses:

 

1 for the provider's termination equipment

1 for the primary MX WAN port

1 for the warm spare MX WAN port

1 for the virtual WAN IP

 

leaving 2 spare.

Hello cmr,

 

thanks for the details.

Much more details got cleared.

 

In Use virtual uplink IPs Scenario:::

In our scenario Service Provider1 WAN IP,1 LAN IP Pool(/29 Subnet). So for Provider1 i have 3 IP address free.

But from provider2 i have only 1 single Public IP. 

So each Service provider at least 3 public IP to complete Warm Spare.??

 

In Use MX uplink IPs scenario:::

For Each service provider

1 ip for MX WAN port

1 ip for warm spare MX WAN Port.

 

 

 

 

 

cmr
Kind of a big deal
Kind of a big deal

I think you need 3 on both to use the virtual IP option as the GUI needs you to enter the third IP for both WAN connections.  I also think you can go with the Use MX uplink IPs where you only have two IPs on the primary provider, as long as you only connect the primary provider to the warm spare MX.

 

I haven't actually done this second option but I think @PhilipDAth should be able to confirm or correct me.

We've setup the active/passive MX84 with 3 public IP addresses on WAN1 (public VIP + each MX 1 public IP).

Now we would like to add another ISP and configure WAN2 in the same way.

So 3 public IP addresses on WAN2.

 

Would that do the trick as a redundancy for the ISPs ?

 

PS: the appliances are connected with ISP via a L2 switch, so we actually only have one uplink to the ISP.

 

As we also have client VPN setup, we would like to use the Dynamic DNS so it would move automatic to other public IP in case of issues.

For the site-to-site non-meraki VPN's, we would setup a second VPN to Azure (for example).

 

Anyone any doubts ?

Setup supposed to be just add the Public IP addresses on WAN2 and connect it ?

  • WAN2
  • Static IP
  • add DNS

I don't see where to say WAN1 is the preferred interface, but I didn't actaully configure the interface yet as I don't have the IP range from second ISP yet.

 

cmr
Kind of a big deal
Kind of a big deal

@Fuji-Didi-74using a L2 switch to split the ISP connection is exactly what we do at all sites, this is perfectly normal practice.  Adding the second ISP really is as simple as you say, add static IP to each MX then add virtual IP (all in the same subnet).

 

We don't use the Meraki client VPN, but using dynamic DNS as suggested might well work.

 

By default WAN 1 is primary, but you can change that and setup load balancing on the Security & SD-WAN / SD-WAN & traffic shaping page as below:

 

cmr_0-1581432348144.png

 

Set WAN bandwidths at 1

Choose primary uplink and whether to load-balance at 2

Create exceptions to above rules at 3

 

The above is based on the 15.x firmware, I don't know if 14.x is different as we have always used 15.x

Nash
Kind of a big deal


@cmr wrote:

 

We don't use the Meraki client VPN, but using dynamic DNS as suggested might well work.

 

My recommendation is to use the dynamic DNS always for the client VPN. If you want to be fancy, make a CNAME record to something less painful to type. We've done the CNAME thing at several clients to make our lives easier.

 

We also do the "device in front of MX pair to split the ISP connection, 3 IPs per ISP" thing. For one client, there are two devices in front: a switch for ISP #1, as they give us a single port; and ISP #2's Juniper router, as they'll configure multiple ports.

 

I wouldn't mind running it all through one switch with one VLAN per ISP, but we did not have enough ports after a server move. 8pt switches can be a bit tight.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels