Skip to main content
Cisco Meraki Documentation

Private Uplinks


This feature does not work on the vMX product as it requires two WAN connections (one on an internet circuit and one on a private circuit) and the vMX is only a single WAN interface appliance.

Fully private links (no Internet e.g. Private MPLS/VPLS links) are unsupported when connected to a WAN port of the MX. This is because the WAN links of the MX are governed by Connection Monitor. When a fully private link is connected to a WAN port of the MX, there is no internet connectivity and therefore Connection Monitor health checks fail. When Connection Monitor health checks fail, the MX prevents client traffic from egressing the link.

The private links feature bypasses connection monitor, thus allowing the use of private links as a WAN connection to establish Auto-VPN or third-party VPNs over these links. Meraki customers and service providers are utilizing private connections in conjunction with internet connections on the WAN ports of an MX to facilitate uptime and leverage SD-WAN capabilities.

This feature is currently in a service provider-only closed beta.

Uplink Configuration

Since a private uplink does not have reachability to the internet,  we still require one uplink that does in order for the MX to communicate with the VPN registry and learn about the endpoints of the other MX nodes on the MPLS link to establish auto-VPN tunnels over this link.


The current design of the private links feature is such that WAN1 will be connected to the private link (MPLS, VPLS, etc.) and WAN2 will be connected to the internet (broadband,etc.).  The MX will communicate to dashboard and the VPN registry over WAN2 for both of its WAN1 and WAN2 links to facilitate the Auto-VPN/SD-WAN connectivity over the private link.


  • There is currently no UI element to this feature. It is only a backend implementation at this time which Meraki support can assist with enabling
  • Uplink monitoring graphs (seen under Security & SD-WAN > Monitor > Appliance status > Uplink, within the summary report, and under VPN performance monitoring tools, etc.) on dashboard will show 100% loss for the private link, as there is no connection monitoring over this link to populate these graphs with data
  • LTE backup
    • If WAN2 (internet) fails but WAN1 (MPLS) is still up, then LTE will still be in a standby state and the MX will appear offline in dashboard
    • If WAN2 (internet) fails and the WAN1 (MPLS) link goes hard down, then LTE will become active and the MX will appear online in dashboard again


  • Was this article helpful?