Meraki

Community

Can VLAN interface run as mgmt IP? or how to allocate the mgmt IP on multi-site resilience

VincentZHU
Comes here often
‎Jul 21 2025 1:24 AM
‎Jul 21 2025 1:24 AM

Can VLAN interface run as mgmt IP? or how to allocate the mgmt IP on multi-site resilience

hi,Expert:

Here is my scenario, two sites  are connected by Metro link,and each site has INTERNET access. 

Requirement: if SiteA FW down,then SiteA business should re-route to SiteB via Metro link to access INTERNET,same as reverse.

 

VincentZHU_1-1753085576168.png

 

Question: How to allocate the mgmt IP of MScore switch. Can I set VLAN interface i.e 10.1.1.2 as its mgmt IP? If it has to allocated by FW via a new VLAN and FW run as static default gateway, how can it re-route to SiteB when FW can't access the INTERNET due to the its uplink down.

 

Thank you for your time and help.

B.R

Vincent

0 Kudos
7 Replies 7
nicdc01
Getting noticed
‎Jul 21 2025 1:46 AM
‎Jul 21 2025 1:46 AM

Hey;
Interesting connection you have there. 
I would read up more on this article.
For this to work you would need VRRP traffic to pass through from one MX to another.
From your Diagram looks like you would need another connection between Site A's firewall to SiteB's Core Switch and vice versa for the recommended setup.

nicdc01_0-1753087363088.png


That being said for each Site on the Management VLAN; Security & SD-WAN > DHCP; Manually set the IP addresses for the core switches respectively.

However this assumption is that they are under the same Network in the Dashboard.

 

0 Kudos
In response to nicdc01
VincentZHU
Comes here often
‎Jul 21 2025 2:05 AM
‎Jul 21 2025 2:05 AM

Dear  nicdc01:

well received,and I also deployed FW HA with multi-WAN in each site, same as the solution mentioned in this article,but customer further required  site resilience when FW-HA totally down on a site.

SiteA is a network,and SiteB is another network, both of them are in a same org.

Thank you for your help.

BR/Vincent

0 Kudos
In response to VincentZHU
nicdc01
Getting noticed
‎Jul 21 2025 2:55 AM
‎Jul 21 2025 2:55 AM

Hey;
Not sure this topology is fully supported by Meraki but I think I understand what you are getting at.
Could be possible to set the SiteA Core Switches as uplink/backup WAN for the SiteB MX using the 3rd backupWAN feature available (vice versa).
https://community.meraki.com/t5/Security-SD-WAN/New-MX-feature-MultiWAN-Backup-Uplink-third-backup-W...

In Theory it could work but there are some limitations.

Could also explore the possibility of adding a third redundancy line with MG Wireless WAN if the above is not an option but you want to cover all bases uplink wise.

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jul 21 2025 1:31 PM
‎Jul 21 2025 1:31 PM

I would opt for a significantly different (and more expensive) design than this for a customer seeking geographic Internet failover.  The scope of that solution is really too large for a community post.

 

I can tell you that if this is only for outbound Internet access, it would probably be cheaper to deploy a second backup Internet circuit at each site.  The complexity would also be reduced.  Fault-finding would be much easier.  With reduced complexity, uptime would probably be higher.

 

If I were forced to work with what you have provided, I would relocate the L2 link so that it is between the firewalls, rather than the switches.  Then have the firewalls manage the failover between sites.

I would make Internet failover invisible to the switches.

0 Kudos
GIdenJoe
Kind of a big deal
Kind of a big deal
‎Jul 24 2025 6:12 AM
‎Jul 24 2025 6:12 AM

To answer your question directly without thinking about the design:
- If your switches are native MS switches (MS3x, MS4x) then your management IP can either be a separate IP on the uplink network between the local firewall pair and L3 switch.  Or you have a L2 mgmt VLAN that comes directly off those firewalls where all your switch mgmt IP's are in.
- If your switches are Catalyst based in Meraki management or soon to be Meraki management then for the time being your uplink SVI towards the firewall IS the management IP.


Then to think about your design.  If you are using fully featured firewalls at two ends and you only have a single link between your switches you have a single point of failure there.  It is better to have direct L3 links to the local and remote firewall.  I also have not tested the scenario where the statically configured uplink goes down that the switch will flip to the OSPF received secondary uplink to the 0.0.0.0/0 route.

Alternatively you could have an SDWAN where both sites are fully tunneled to both "headends" where your firewalls live and have your full redundancy that way.

In response to GIdenJoe
VincentZHU
Comes here often
‎Jul 24 2025 6:17 PM
‎Jul 24 2025 6:17 PM

hi,GldenJoe:

Many thinks to your helpful guide.

My switch is C9300X-M,so it should support uplink SVI ,i.e 10.1.1.2,as its manangement IP. I will verify it.

On this implement, actually, each site has two non-cisco FWs run as a FW HA, and two C9300X-M builded as a stack and as core switch of site( logical as a single failure point yet).  OSPF run between FW and core switch,FW will originate default route into OSPF when its external link up and withdraw default route when external link down. so each site core switch will learn two default route but different cost. That is my design for site resilience to avoid INTERNET uplink down.

B.R/Vincent

0 Kudos
In response to VincentZHU
GIdenJoe
Kind of a big deal
Kind of a big deal
‎Jul 24 2025 11:00 PM
‎Jul 24 2025 11:00 PM

Ok for the -M mgmt IP, you will probably need to run the native IOS-XE version, not the CS version to get this to work.
And if the mgmt IP is sticky on a DHCP IP then search for my article about sticky behavior of the native IOS-XE versions.  You'll have to go back an forth between an SVI in the DHCP range and then back to the wanted SVI.  It's a bit of a mess 😉

But when doing this design please do have a failure check so you can observe the behavior on the C9300 switches with the OSPF default routes.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.