Replacing an MX84 with an MX250 - Operating as VPN Hub

SOLVED
Crocker
Building a reputation


Wanted to make sure I'm not oversimplifying a task; any feedback is appreciated.

 

We have two MX84s, in disparate datacenters, both operating in a one-armed concentrator setup. The MX84 in datacenter A advertises more specific routes to devices located in datacenter A, and the MX84 in datacenter B advertises more specific routes for devices located in datacenter B. Datacenter A and Datacenter B are connected via a 10 Gbps backhaul. Both hubs have their own individual 'networks' in the Meraki dashboard.

 

I've got replacement MX250s for both of the MX84s. The plan (per datacenter) is as follows:

 

1. Hardcode the MX250 to use the same IP address as its respective MX84

2. Rack the MX250, connect to a switchport in the core that is in a SHUT status but otherwise mirrors the switchport configuration for the MX84

3. Remove the more specific routes from the AutoVPN configuration so AutoVPN traffic can freely fail between the MXs (traversing the backhaul to get from Datacenter B to Datacenter A while MX84-A is offline)

4. SHUT the switchport on the MX84

5. Remove the MX84 from the "Datacenter X Concentrator" Meraki network in the dashboard

6. NO SHUT the switchport for the MX250. Verify it comes up and can talk to the dashboard

7. Add the MX250 to the "Datacenter X Concentrator" Meraki network in the dashboard

8. Verify AutoVPN connections establish with the MX250, then re-apply the more specific routes removed in step 3

 

Thoughts?

1 ACCEPTED SOLUTION
Bruce
Kind of a big deal

I think you’ve pretty much hit the nail on the head. You’re essentially following Method 1 in this, https://documentation.meraki.com/MX/Other_Topics/MX_Cold_Swap_Replacing_an_Existing_MX_with_a_Differ....

 

Couple of points to note:

  • You’ll need to configure the IP address, subnet, gateway, etc. of the new MX250 on its local status page.
  • There’s no need to remove the more specific routes as they’ll be dropped from the AutoVPN when the device goes down anyway (one less step).
  • If you’re not using dynamic routing between the MX and the switch you may need to adjust the routes on the switch end so traffic doesn’t get black-holed (and put them back later).
  • When the new MX250 comes up you will need to re-enable AutoVPN; it will come up initially as AutoVPN ‘off’, but when you swap it to ‘hub’ all the old config will be there.

Hope it all goes well!
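
The routing behaviour during the swap window that the points above describe, as an added example that is not part of the original post and is not Meraki code. It is a simplified longest-prefix-match model; all prefixes, hub names and next-hop names are constructed, and it assumes both hubs also advertise a shared summary route and that the core switch keeps a static route installed when its next hop is offline.

```python
import ipaddress

# Constructed sample data: prefixes and names are assumptions, not from the thread.
AUTOVPN = [
    ("10.1.0.0/16", "hub-A"),   # more specific: datacenter A devices
    ("10.2.0.0/16", "hub-B"),   # more specific: datacenter B devices
    ("10.0.0.0/8", "hub-A"),    # shared summary, assumed advertised by both hubs
    ("10.0.0.0/8", "hub-B"),
]
SPOKES = "192.168.0.0/16"       # constructed spoke address range

def lookup(routes, dst, withdrawn=()):
    """Longest-prefix match; routes from hubs in `withdrawn` are gone.
    Ties are broken by list order (a stand-in for hub priority)."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p).prefixlen, hop) for p, hop in routes
            if hop not in withdrawn and addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0])[1] if hits else None

def switch_forward(static_routes, dst, dead_next_hops=()):
    """Static routes are never withdrawn in this model: the route is still
    selected, and traffic is dropped if its next hop is offline."""
    hop = lookup(static_routes, dst)
    return "black-hole" if hop in dead_next_hops else hop

def swap_window_report():
    """Forwarding decisions while MX84-A is shut and the MX250 is not yet up."""
    core_a = [(SPOKES, "mx-A")]                     # return path on core switch A
    core_a_adjusted = [(SPOKES, "backhaul-to-B")]   # temporary route adjustment
    dead = {"mx-A"}
    return {
        "spoke->dcA, both hubs up": lookup(AUTOVPN, "10.1.5.10"),
        "spoke->dcA, hub-A down": lookup(AUTOVPN, "10.1.5.10", {"hub-A"}),
        "dcA->spoke, static unchanged": switch_forward(core_a, "192.168.7.20", dead),
        "dcA->spoke, static adjusted": switch_forward(core_a_adjusted, "192.168.7.20", dead),
    }

if __name__ == "__main__":
    for case, result in swap_window_report().items():
        print(f"{case}: {result}")
```

The second case shows why the more specific routes do not need to be removed by hand, and the third shows the black-hole condition on the switch side when static routes are left unchanged.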


4 REPLIES 4
Crocker
Building a reputation

Thanks for the review and the notes! Doing this tomorrow night, will post back if I end up deviating from the plan.

Crocker
Building a reputation

All went according to plan, discounting some weirdness with the MX250 not being able to check in with the dashboard for ~2 hours.

 

Almost seems too easy!

PhilipDAth
Kind of a big deal

Also note the MX250 will likely change its firmware version to that specified for the network, so it is likely to do an additional reboot when first coming up.
