Multiple MXs S2S VPN from the same Public IP

Solved
Brash
Kind of a big deal

I have an existing MX (MX-1) which is a spoke in a Site-to-Site VPN.

I need to bring up another MX (MX-2) in the same location. It is in a different organisation that will connect to a different Site-to-Site VPN.

For reasons beyond me, we've had massive issues getting the ISP to run an additional service to the site.

Therefore, I'm contemplating connecting MX-2 to the LAN side of MX-1 for them both to run off the single WAN link of MX-1.

This will be temporary, of course.

Although from a networking point of view this should work, I'm wondering whether there will be issues having two MXs check in to the VPN registry (for different orgs) from the same public IP.

Has anyone had any experience with this?

1 Accepted Solution
RaphaelL
Kind of a big deal

Hi,

I have done it in the past in my lab with success. Is MX-1 running AutoVPN? If so, full tunnel? I'm only worried about running AutoVPN in AutoVPN; it might be an MTU nightmare, but this is temporary anyway.

4 Replies

Brash
Kind of a big deal

Good point.

No, thankfully it's a split tunnel, so no AutoVPN within AutoVPN (a true nightmare indeed).

Boomerang94
Meraki Employee

It is generally not a problem for two MX devices - set up for different organizations - to check in to the VPN registry from the same public IP address. Since the MX uses NAT, it will automatically assign different source ports, so there’s no conflict even though the public IP is the same. I’ve actually tested this myself by running multiple MXs behind my main device and it works just fine. The only thing to keep an eye on is the amount of traffic going through the main (top-tier) MX, just to make sure it can handle the load.


Some customers connect their ISP device to a WAN switch, which then allows multiple MX devices to connect through that switch. This setup works especially well if the ISP provides IP addresses via DHCP, or if you have access to multiple public IPs. It’s a clean and efficient way to get multiple MXs online without much hassle.

Cisco Meraki Network Support Engineer
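The source-port NAT (PAT) behaviour described in the reply above, shown as an added example that is not part of this thread and is not Meraki code. It is a toy port-overloading NAT standing in for MX-1: every inside flow gets its own public port, replies from the registry are mapped back to the right inside host, and the port allocator skips any port MX-1's own control-plane socket is already using, so MX-1's check-in and MX-2's cannot collide on the wire. It goes slightly beyond the thread by putting a hypothetical MX-3 behind MX-1 as well, with both LAN-side MXs deliberately picking the same inside source port. The public IP, LAN addresses, registry address and port numbers are all constructed; the real VPN registry endpoint is not given in the thread.

```python
"""Toy model of the source-port NAT an upstream MX performs for devices on its
LAN side.  Added example, not Meraki code: every address and port below is
constructed for illustration."""
from dataclasses import dataclass

# Constructed values; the real VPN registry address and port are not in the thread.
REGISTRY = ("203.0.113.10", 9350)
PUBLIC_IP = "198.51.100.7"          # the single ISP address on MX-1's WAN


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str


class Napt:
    """Port-overloading NAT: each inside 5-tuple gets its own public port, and
    the reverse map steers registry replies back to the right inside host."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self._next_port = first_port
        self._reserved = set()   # ports the upstream MX's own sockets are bound to
        self._out = {}           # inside 5-tuple -> public port
        self._in = {}            # (proto, public port, peer ip, peer port) -> inside 5-tuple

    def _alloc_port(self):
        # Never hand a LAN-side device a port MX-1 itself is using, otherwise
        # two check-ins would share the same public (ip, port) tuple.
        while self._next_port in self._reserved:
            self._next_port += 1
        port = self._next_port
        self._next_port += 1
        return port

    def outbound(self, pkt):
        if pkt.src_ip == self.public_ip:
            # MX-1's own traffic is already sourced from the public IP; just
            # record the port so the allocator stays clear of it.
            self._reserved.add(pkt.src_port)
            return pkt
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self._out:
            port = self._alloc_port()
            self._out[key] = port
            self._in[(pkt.proto, port, pkt.dst_ip, pkt.dst_port)] = key
        return Packet(pkt.proto, self.public_ip, self._out[key],
                      pkt.dst_ip, pkt.dst_port, pkt.payload)

    def inbound(self, pkt):
        """Translate a reply arriving on the WAN; drop anything unsolicited."""
        key = (pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if pkt.dst_port in self._reserved and key not in self._in:
            return pkt                      # addressed to MX-1 itself
        if key not in self._in:
            raise ValueError("unsolicited inbound packet dropped")
        _, in_ip, in_port, _, _ = self._in[key]
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, in_ip, in_port, pkt.payload)


def registry_view(devices):
    """devices: (name, inside ip, inside source port).  Returns what the
    registry sees per device and the inside host each registry reply lands on."""
    nat = Napt(PUBLIC_IP)
    seen, landed = {}, {}
    for name, ip, sport in devices:
        out = nat.outbound(Packet("udp", ip, sport, *REGISTRY, f"checkin {name}"))
        seen[name] = (out.src_ip, out.src_port)
        reply = Packet("udp", *REGISTRY, out.src_ip, out.src_port, f"peers for {name}")
        landed[name] = nat.inbound(reply).dst_ip
    return seen, landed


if __name__ == "__main__":
    # MX-1 checks in from its own WAN address on port 40000 (constructed, and
    # chosen to overlap the allocator's first port); MX-2 and a hypothetical
    # MX-3 sit on its LAN and both use the same inside source port.
    devs = [("MX-1", PUBLIC_IP, 40000),
            ("MX-2", "192.168.128.2", 9350),
            ("MX-3", "192.168.128.3", 9350)]
    seen, landed = registry_view(devs)
    for name, _, _ in devs:
        print(name, "-> registry sees", seen[name], "; reply lands on", landed[name])
    # Distinct (ip, port) per device is what makes the shared public IP a non-issue.
    assert len(set(seen.values())) == len(devs)
```

The check a practitioner would actually make on the real kit is the same one the last line asserts: each MX must show up at the registry as a distinct public (ip, port) pair, and replies must come back to the right device, which is what "it came up fine with no site-to-site issues" means in practice. Traffic through the upstream MX and its NAT table size are the only things this model does not capture.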
Brash
Kind of a big deal

Thanks for the advice.

I had a colleague go out to site today to patch across MX-2 and it came up fine behind MX-1 with no site-to-site issues whatsoever.

As it is only temporary, load shouldn't be an issue.

> Some customers connect their ISP device to a WAN switch, which then allows multiple MX devices to connect through that switch. This setup works especially well if the ISP provides IP addresses via DHCP, or if you have access to multiple public IPs. It’s a clean and efficient way to get multiple MXs online without much hassle.

This is the ideal, but unfortunately it's not quite that simple with our ISP.

We'll be able to get another service in, but it'll probably be a month or so from now.
