Home > Security Appliances > Firewall and Traffic Shaping > MX Load Balancing and Flow Preferences

MX Load Balancing and Flow Preferences

All MX security appliances feature a secondary uplink that can be used for load balancing and failover purposes. This article explains how to enable and configure a secondary uplink, load balancing between uplinks, and flow preferences for different types of traffic.

Enabling and Configuring WAN 2

Some MX models (MX400, MX600) have a dedicated secondary uplink port (WAN 2). To use these ports, a cable just needs to be connected and the IP can be configured on the MX's local status page. On all other MX models, a LAN port can be repurposed into an Internet port for use as WAN 2.

To enable and configure WAN 2 on an MX without a dedicated WAN 2 port:

  1. Navigate to the MX's local status page.
  2. Click the Configure tab at the top.
  3. Under Port 1, 2, or 4 (depending on the MX model), switch the Role to Internet:
  4. Configure the WAN port as needed:
    • VLAN tagging - Assigns a VLAN tag to all traffic sent out of this port. If set to Don't use VLAN tagging, traffic will be sent untagged.
    • Connection Type - Select PPPoE if needed. Otherwise, leave as Direct.
    • IP assignment - If the interface will get a dynamic address from the ISP, set to DHCP. Otherwise, set to Static and configure an AddressNetmaskGateway, and DNS servers.

Once the WAN 2 port has been configured and connected, additional options will be available in Dashboard under Security appliance > Configure > Traffic shaping.

Load Balancing

The MX can be configured to use both of its uplinks for load balancing. When load balancing is enabled under Security appliance > Configure > Traffic shaping, traffic flows will be distributed between the two uplinks. The load distribution is based on the WAN 1 and WAN 2 throughput configured under Uplink configuration, such that the uplink with more throughput will distribute more flows.

In the example below, WAN 1 is configured to pass 50Mb/s, and WAN 2 is configured to pass 10Mb/s. Since the download speed ratio is 5/1, for every five flows sent over WAN 1, a single flow will be sent over WAN 2:

Please reference our documentation for more information regarding load balancing.

Flow Preferences

By default (without load balancing), internet-bound traffic will flow out of the MX's primary uplink. The MX can also be configured to send traffic out of a specific interface based on the traffic type (policy-based routing), or based on the link quality of each uplink (performance-based routing). Flow preferences can be configured to define which uplink a given flow should use. Flow preferences will also supersede load balancing decisions.

Internet Traffic

Flow preferences for internet-bound traffic can be configured to force traffic over a specific uplink based on its source and/or destination. These preferences can be used if a specific uplink should be designated for a particular type of traffic, such as traffic bound for a cloud-hosted service.

To create a flow preference for internet traffic:

  1. In Dashboard, navigate to Security appliance > Configure > Traffic shaping > Flow preferences.
  2. Under Internet traffic, select Add a preference.
  3. Define the traffic that will be assigned a designated uplink:
    • Protocol - TCP, UDP, or Any.
    • Source - Source IP, using CIDR notation.
    • Src port - Source port, or "Any".
    • Destination - Destination IP, using CIDR notation.
    • Dst port - Destination port, or "Any".
    • Preferred uplink - The uplink this traffic will be sent over.
  4. Click Save Changes.

VPN Traffic and Custom Performance Classes

Flow preferences for Meraki AutoVPN traffic can be configured to send traffic over a preferred uplink. These preferences can be used to ensure that high-priority VPN traffic will always traverse the optimal path.

To create a flow preference for VPN traffic:

  1. In Dashboard, navigate to Security appliance > Configure > Traffic shaping > Flow preferences.
  2. Under VPN traffic, select Add a preference.
  3. Under Traffic filter, define the traffic that will be assigned a preferred uplink:
    • Protocol - TCP, UDP, or Any.
    • Source/Port - Source IP (using CIDR notation) and port.
    • Destination/Port - Destination IP (using CIDR notation) and port.
  4. Under Policy > Preferred uplink, define how an uplink should be selected for this traffic:
    • WAN 1/WAN 2 - Traffic will use this uplink until the Fail over if condition is met:
      • Poor performance - Traffic will fail over to the other uplink if performance does not meet the specified Performance class. This performance class can either be set to VoIP or a custom class (see below).
      • Uplink down - Traffic will fail over to the other uplink if this uplink goes down.
    • Best for VoIP - Traffic will use whichever uplink is detected as optimal for quality VoIP communication.
    • Load balance - If Load Balancing is enabled, traffic will be distributed between any uplinks that support the defined Performance class.
    • Global preference - Traffic will use whichever uplink is set as the Primary uplink.

Performance classes can also be created to define a minimum performance standard. If these standards are not met, traffic will be routed through the alternative uplink.

To define a custom performance class:

  1. In Dasboard, navigate to Security appliance > Configure > Traffic shaping > Flow preferences.
  2. Under Custom performance classes, select Create a new custom performance class.
  3. Define the minimum performance standards for this class:
    • Name - A descriptive name for the class.
    • Maximum latency (ms) - Maximum acceptable latency for this class, in milliseconds. Can also be left blank to ignore latency.
    • Maximum jitter (ms) - Maximum acceptable jitter for this class, in milliseconds. Can also be left blank to ignore jitter.
    • Maximum loss (%) - Maximum acceptable loss for this class, in percent of lost traffic. Can also be left blank to ignore loss.
  4. Click Save changes.

Note: ICMP traffic is not subject to traffic shaping rules. As a result, Flow Preference will have no impact on ICMP traffic.

You must to post a comment.
Last modified
10:06, 18 Sep 2017



This page has no classifications.

Explore Meraki

You can find out more about Cisco Meraki on our main site, including information on products, contacting sales and finding a vendor.

Explore Meraki

Contact Support

Most questions can be answered by reviewing our documentation, but if you need more help, Cisco Meraki Support is ready to work with you.

Open a Case

Ask the Community

In the Meraki Community, you can keep track of the latest announcements, find answers provided by fellow Meraki users and ask questions of your own.

Visit the Community