This worked perfectly. I created a separate VLAN to carry MX2 to the same HA Active/Passive Pair of Palo Alto 5420 firewalls. What I did was add another VLAN on the firewall rack switch, which is Layer-2 to the core (Layer-3). Anyway, the two switches are Cisco 9500-48Y4C in StackWise Virtual, and an LACP link to each firewall is created for redundancy already. I added the new VLAN and carried the firewall to the other MX #2 on the other 9500 chassis because MX units don't do LACP, so I have one per switch. Ultimately two separate VLANs for two separate MX units. Each MX has a separate /29 subnet too in case I ever want to add VRRP (unlikely). The Layer-3 is that I use an IP at one end on an interface on the firewall and the other end on the Meraki. The FW interface is ae3.1898 and ae3.1899, of course carried by those two VLANs LACP to the switch stack that then delivers them via one link to each MX. I created one (1) BGP Peer group on the PA then added a second Meraki simply as another peer. Both of the Meraki units have the same AS as each other, and the firewall has a different AS. This Meraki setup is active/active and it is working perfectly. I can change the preferred SD-WAN Hub order in the Meraki cloud, and it updates the firewall using BGP prepending. My Meraki setup is 64512, so the less preferred hub becomes 64512, 64512