Warmspare using private ip address

Vishal07


Hi,

We are considering a FortiGate as the perimeter FW and a Meraki MX as the core FW. I need to know: if I configure warm spare using a private IP, will the MX VIP (192.168.1.4) be the next hop for the FortiGate to reach the LAN subnets, or would it be the individual MX IP? PFA diagram (diagram1.png).

alemabrahao

You need to configure a transit VLAN and use a VIP configured on the warm spare.

https://documentation.meraki.com/SASE_and_SD-WAN/MX/Design_and_Configure/Deployment_Guides/MX_Warm_S...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Vishal07

What do you mean by transit VLAN?

alemabrahao

A transit VLAN is a VLAN used exclusively to carry traffic between networking devices, such as switches, routers, or firewalls. It is not used for end-user hosts.
In other words, its only purpose is to provide a Layer 2 segment that devices use for Layer 3 routing or control traffic.

https://documentation.meraki.com/Platform_Management/Dashboard_Administration/Design_and_Configure/A...

PhilipDAth

> be next hop for fortigate to reach lan subnets or it would be individual Mx ip.

The FortiGates would use the MX VIP address in their static routes for the next hop address. You'll also need to enable "no-NAT" mode on the MXs, as they normally NAT everything to the VIP address.

https://documentation.meraki.com/SASE_and_SD-WAN/MX/Design_and_Configure/Configuration_Guides/Networ...
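To make the two answers above concrete (the transit VLAN and the VIP as the FortiGate's next hop), here is an added FortiGate-side configuration sketch. It is not from the original thread, from Meraki, or from Fortinet documentation; the interface name port2, the transit subnet 192.168.1.0/24 with the FortiGate at .1, the MX primary at .2, the MX spare at .3 and the VIP at .4, and the inside subnet 10.10.0.0/16 are all assumptions for illustration.

```fortios
# Assumed: FortiGate port2 is the transit VLAN interface (192.168.1.0/24).
# FortiGate .1, MX primary .2, MX spare .3, MX warm spare VIP .4.
config system interface
    edit "port2"
        set ip 192.168.1.1 255.255.255.0
        set allowaccess ping
        set alias "transit-to-MX"
    next
end

# Static route for the inside subnets behind the MX pair.
# The gateway is the VIP, not either MX's own address, so a warm spare
# failover needs no route change on the FortiGate.
config router static
    edit 10
        set dst 10.10.0.0 255.255.0.0
        set gateway 192.168.1.4
        set device "port2"
    next
end
```

After applying this, `get router info routing-table static` on the FortiGate should show 10.10.0.0/16 via 192.168.1.4, and `execute ping` to an inside host confirms the path. Because the MX uplink is run in no-NAT mode, inside hosts reach the FortiGate with their real source addresses, so any FortiGate firewall policies and address objects should reference the inside subnets rather than the VIP.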

Vishal07

What if I do the warm spare connectivity using a LAN port and not the WAN port? Would I still need to enable NAT exemption on the ports?

PhilipDAth

It is a compulsory requirement for the MX WAN port to be able to talk to the Internet.

Vishal07

I mean to say, if I configure warm spare using the physical LAN port of the MX95 and it gets Internet via the FortiGate, would it be a workable solution?

GIdenJoe

Yes, 192.168.1.4 will be the next hop for your FortiGates to reach the inside networks.
So while the individual MXes have their own IPs, these IPs will only be used for cloud management and uplink testing because you enabled the VIP feature.

This means the active MX firewall will respond to ARP requests from the FortiGate for the 192.168.1.4 address. Usually the virtual MAC consists of a Cisco OUI, and the last 24 bits are derived from the 24 bits of the primary firewall.

It may also be a good idea to disable NAT on the WAN uplink of the MX.
