This would be painfull.   Have a look at ipsec tag-based failover and see if that suits your needs. https://documentation.meraki.com/MX/Site-to-site_VPN/Tag-Based_IPsec_VPN_Failover    Personally, I would avoid this configuration.  I would try and resolve this by putting in more MXs and using AutoVPN.  Even if you need to put an MX in at a partner site (in VPN concentrator mode - like a WAN router), because at least then you can use simple static routes between it and the partner. ... View more

@Bruce  Thanks for the reply. When I mention Management/Up link port, I am using port 48 on one of the WAN switch as management/up-link port, not a separate dedicated management Port.    When I use port 48 on a switch as Management/Up-link port, I am not comfortable connecting it directly to Internet as there is not any protection available for the port and my understanding it will be listening as well - it will be prone to DoS attack etc.   As you stated both design are OK, then I will prefer to connect the Management/Up link port to our LAN management network then provide Internet connection via FWs.  As you  have also mentioned, the drawback is if there are any issue with FW cluster, we will not be able to manage WAN switches or identify whether issue is with WAN switch stack or FW cluster.   ... View more