Meraki

Community

Replacing an MX84 with an MX250 - Operating as VPN Hub

Solved
Crocker
A model citizen
‎Mar 13 2021 9:02 AM
‎Mar 13 2021 9:02 AM

Replacing an MX84 with an MX250 - Operating as VPN Hub

Wanted to make sure I'm not oversimplifying a task, any feedback is appreciated.

 

We have two MX84's, in disparate datacenters, both operating in one-armed concentrator setup. The MX84 in datacenter A advertises more specific routes to devices located in datacenter A, and the MX84 in datacenter B advertises more specific routes for devices located in datacenter B. Datacenter A and Datacenter B are connected via a 10gbps backhaul. Both hubs have their own individual 'networks' in the Meraki dashboard.

 

I've got replacement MX250's for both of the MX84's. The plan (per datacenter) is as follows:

 

1. Hardcode the MX250 to use the same IP address as its respective MX84

2. Rack the MX250, connect to a switchport in the core that is in a SHUT status but otherwise mirrors the switchport configuration for the MX84

3. Remove the more specific routes from the AutoVPN configuration so AutoVPN traffic can freely fail between the MX's (traversing the backhaul to get from Datacenter B to Datacenter A while MX84-A is offline)

4. SHUT the switchport on the MX84

5. Remove the MX84 from the "Datacenter X Concentrator" Meraki network in the dashboard

6. NO SHUT the switchport for the MX250.  Verify it comes up and can talk to the dashboard

7. Add the MX250 to the "Datacenter X Concentrator" Meraki network in the dashboard

8. Verify AutoVPN connections establish with the MX250, then re-apply the more specific routes removed in step 3

 

Thoughts?

0 Kudos
1 Accepted Solution
Bruce
Kind of a big deal
‎Mar 13 2021 1:36 PM
‎Mar 13 2021 1:36 PM

I think you’ve pretty much hit the nail on the head. You’re essentially following Method 1 in this, https://documentation.meraki.com/MX/Other_Topics/MX_Cold_Swap_Replacing_an_Existing_MX_with_a_Differ....

 

Couple of points to note:

  • You’ll need to configure the IP address, subnet, gateway, etc. of the new MX250 on its local status page.
  • There’s no need to remove the more specific routes as they’ll be dropped from the AutoVPN when the device goes down anyway (one less step).
  • If you’re not using dynamic routing between the MX and the switch you may need to adjust the routes on the switch end so traffic doesn’t get black-holed (and put them back later).
  • When the new MX250 comes up you will need to re-enable AutoVPN, it will come up initially as AutoVPN ‘off’, but when you swap it to ‘hub’ all the old config will be there.

Hope it all goes well!

View solution in original post

4 Replies 4
Bruce
Kind of a big deal
‎Mar 13 2021 1:36 PM
‎Mar 13 2021 1:36 PM

I think you’ve pretty much hit the nail on the head. You’re essentially following Method 1 in this, https://documentation.meraki.com/MX/Other_Topics/MX_Cold_Swap_Replacing_an_Existing_MX_with_a_Differ....

 

Couple of points to note:

  • You’ll need to configure the IP address, subnet, gateway, etc. of the new MX250 on its local status page.
  • There’s no need to remove the more specific routes as they’ll be dropped from the AutoVPN when the device goes down anyway (one less step).
  • If you’re not using dynamic routing between the MX and the switch you may need to adjust the routes on the switch end so traffic doesn’t get black-holed (and put them back later).
  • When the new MX250 comes up you will need to re-enable AutoVPN, it will come up initially as AutoVPN ‘off’, but when you swap it to ‘hub’ all the old config will be there.

Hope it all goes well!

In response to Bruce
Crocker
A model citizen
‎Mar 18 2021 3:37 PM
‎Mar 18 2021 3:37 PM

Thanks for the review and the notes! Doing this tomorrow night, will post back if I end up deviating from the plan.

0 Kudos
In response to Crocker
Crocker
A model citizen
‎Mar 21 2021 3:20 PM
‎Mar 21 2021 3:20 PM

All went according to plan, discounting some weirdness with the MX250 not being able to check-in with the dashboard for ~2 hours.

 

Almost seems too easy!

PhilipDAth
Kind of a big deal
Kind of a big deal
‎Mar 14 2021 10:46 AM
‎Mar 14 2021 10:46 AM

Also note the MX250 will likely change its firmware version to that specified for the network, so it is likely to do an additional reboot when first coming up.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2025 Cisco Systems, Inc.