DDoS attack emergency?

Cisco Meraki VRRP WAN configuration

Two firewalls are better than one!

Cisco Meraki MX Firewalls can make use of VRRP on the LAN and WAN side. If your WAN provider has provided you with the correct allocation of IP addresses, you can ensure great redundancy for your WAN solution.

This is how it can be done.

VRRP diagram

In this example, we are assuming the WAN provider has provided an entire /24 block of 111.222.33.0 /24.

The Meraki devices have a shared IP address, a floating IP address, the active firewall will respond to this IP address.

Both devices also have their own ‘real’ IP address. So the solution uses 3 IP addresses by design.

To configure the MX devices, log into the dashboard and go to the Security & SD-WAN page, and select Uplink:

Click the ‘Pencil’ icon next to ‘WAN’ to edit the WAN IP details:

Click Save… and then the Configure warm spare button:

On this page, ensure the device serial is entered, and select Use virtual uplink IPs, and enter the IP address intended to use as the shared (floating) IP address.

The two MX devices should appear as Primary, and Spare – click the word ‘SPARE’ and repeat the process for Uplink, this time using the IP address for the secondary device.

That is the configuration done, but it is important to ensure you physically connect to the two MX devices correctly. Your WAN provider will typically present your service as a single port, so this needs to be connected to a dedicated WAN switch or an isolated VLAN on your existing switch infrastructure.

Then the two MX devices are connected to the same switch or VLAN on their WAN ports.

And that is it!

You can also use VRRP on the LAN side, but this document is just looking at the WAN side.

It is always recommended to avoid single points of failure on your business network; and this approach ensures that, in the event of a hardware failure, you still have connectivity. This should be implemented alongside other measures to ensure a completely redundant network design.

 

back to top