How to Replace an Existing MX Using a Cold Swap
Overview
This article explains how to perform a cold swap to replace an existing MX security appliance or Secure Router with a different device.
A Secure Router or MX can act as a warm spare, where a primary device gracefully fails over to a pre-configured, online secondary device. However, a network admin must perform a cold swap in either of these situations:
-
A primary device fails before a secondary was pre-configured as a spare.
-
The network is being upgraded to a different model of Secure Router or MX.
This article outlines two methods for performing a cold swap:
-
Method 1 (Quick Swap): Keeps the new MX in the same Dashboard network as the original. This retains all previous client tracking data, requires no networks to be created or deleted, and simplifies work with MX devices in a combined network.
-
Method 2 (Clone and Replace): Places the new MX into a clone of the original network. This lets you pre-stage the replacement so the only downtime occurs during the physical swap.
This document uses "Secure Router" and "MX security appliance" interchangeably. Anything unique to either portfolio is noted.
Choosing a method
Consider the trade-offs before you begin:
-
Method 1 has fewer steps and is usually faster when starting with no preparation. However, it may cause slightly more downtime, because a short gap exists between removing the original MX (which reverts it to factory defaults) and the new MX checking in to Dashboard to re-apply the configuration. If the original MX is already non-functional or causing downtime, Method 1 is often preferred.
-
Method 2 minimizes downtime through pre-staging, but the cloning process loses historical client tracking data on the new network. The data remains on the original network but does not carry over. Additional considerations for Method 2:
- If the original MX was part of AutoVPN acting as a Hub, the cold swap MX is added as a new Hub, requiring a configuration change on all Spoke networks.
- If the original MX was part of a combined network, extra steps are required to integrate the cloned network back into the combined network.
- The cloned network has a different DDNS hostname. Update any services that rely on the DDNS hostname (for example, Client VPN users who connect using the DDNS hostname).
Prerequisites
Regardless of which method you use, configure any local settings manually on the Local Status Page before the device can connect to Dashboard. These settings include:
- Static WAN IP addresses
- Proxies
- Non-standard link speeds
Generally, copy these settings from the original device if it is available.
If the Secure Router performs DHCP and any downstream devices are configured to detect or contain rogue DHCP servers, allow the MAC address of the new device.
Port mapping between MX models
Refer to the port mapping table to see which ports map to which other ports across different MX models. The top section outlines the port count and type total. The second section maps the physical port labels to their representation on Dashboard. Use the mapping to calculate the offset between physical port labels and Dashboard configurations.
For example, the MX85's first LAN port is physically labeled "5" but maps to LAN 3 on Dashboard templates. For more information on template management, refer to Managing Multiple Networks with Configuration Templates and MX Templates Best Practices.

Port mapping between Secure Router models
Refer to the port mapping table to see which ports map to which other ports across different Secure Routers. The top section outlines the port count and type total. The second section maps the physical port labels to their representation on Dashboard. Use the mapping to calculate the offset between physical port labels and Dashboard configurations. For more information on template management, refer to Managing Multiple Networks with Configuration Templates and MX Templates Best Practices.

Step-by-step instructions
Method 1 (Quick Swap)
Remove the old MX from the current network
A Dashboard network can only contain one MX at a time. To make room for the new MX, remove the current MX. The network retains the old MX's non-local configuration, so you do not need to reconfigure the replacement MX in Dashboard.
To remove the MX, follow the steps in How to Add and Remove Devices from Dashboard Networks.
You cannot remove the only security appliance from a network that tracks by unique client identifier. First change the network to track by MAC address on the Security & SD-WAN > Configure > Addressing & VLANs page, then remove the security appliance. This change clears all client usage data in the network.
Add the replacement MX to the same network
Once you remove the original MX, space becomes available to add the replacement MX. The steps below apply to all device types and network types and begin from the network's configuration in Dashboard.
For steps on adding devices from the inventory page, refer to Adding Devices from the Inventory page (Organization > Configure > Inventory).
Only one MX or Z-series security appliance can be in a network unless two MXs form an HA pair. Adding more than one device type to a network automatically converts it to a combined network.
This process works for organizations using both Co-termination and Per-Device Licensing models. Before beginning, create a network if one does not already exist (Organization > Configure > Create Network).
To add devices to a network:
-
Select the network to which the devices should be added.
Only administrators with multiple organizations see the organization drop-down.
-
Navigate to Network-wide > Configure > Add devices.
-
Use the Search inventory box to search for a device or group of devices by any of the following:
- MAC address
- Serial number
- Network name
- Model number
- Order number
- Country code
-
Select the checkbox next to each device to add. If the desired devices are not listed, claim them first.
Only devices matching the current network type appear on this page. To add devices of a different type when the network is not already a combined network, use the Organization > Inventory page, which only Organization Admins can access.
-
Select Add to this network.
-
The devices are added to the network and become available for monitoring and configuration.

Physically swap the MX and allow it to check in
After you add the replacement MX to the network, it must check in to Dashboard to pull a configuration and perform any initial firmware updates. Until the replacement MX is physically in place, fully checked in, and finished with firmware upgrades, it cannot properly service clients.
To swap the device:
-
Move the WAN uplink(s) first.
-
Move any necessary LAN connections.
-
Move each cable to the same port on the new MX that it used on the original MX. For example, move the cable from LAN port 4 of the original MX only to LAN port 4 of the new MX, or to another port with an identical configuration.
Because the new MX runs an exact copy of the original MX's configuration, matching the ports ensures correct operation.
Before the MX connects to Dashboard and pulls its config, it uses its out-of-the-box config, which runs DHCP services on a default subnet. This can cause downstream clients to receive unexpected IP addresses if they connect to the MX LAN before the MX downloads its configuration. To prevent this, connect only the MX WAN port initially, and keep the MX LAN ports disconnected until the MX checks in to the Meraki Dashboard.
Once the new MX fully checks in and finishes its upgrades, it functions on the network with the exact same configuration as the original MX.
Re-enable Site-to-site VPN (optional)
If this security appliance previously used Site-to-site VPN, re-enable that functionality under Security & SD-WAN > Configure > Site-to-site VPN. Change the Mode to Hub or Spoke, depending on the desired mode of operation.
Re-generate AnyConnect custom certificate
If this security appliance previously used custom server certifications for AnyConnect VPN, re-add that certificate under Security & SD-WAN > Configure > Client VPN > AnyConnect. For more information, refer to AnyConnect on the MX Appliance.
Method 2 (Clone and Replace)
Create a clone of the existing network
To create a clone of an existing network, follow the directions in Creating and Deleting Dashboard Networks. On Step 4, when selecting the network configuration, choose Clone from existing network and select the original security appliance network to clone from.
Add the replacement MX to the clone network
The steps below apply to all device types and network types and begin from the network's configuration in Dashboard.
For steps on adding devices from the inventory page, refer to Adding Devices from the Inventory page (Organization > Configure > Inventory).
Only one MX or Z-series security appliance can be in a network unless two MXs form an HA pair. Adding more than one device type to a network automatically converts it to a combined network.
This process works for organizations using both Co-termination and Per-Device Licensing models. Before beginning, create a network if one does not already exist (Organization > Configure > Create Network).
To add devices to a network:
-
Select the network to which the devices should be added.
Only administrators with multiple organizations see the organization drop-down.
-
Navigate to Network-wide > Configure > Add devices.
-
Use the Search inventory box to search for a device or group of devices by any of the following:
- MAC address
- Serial number
- Network name
- Model number
- Order number
- Country code
-
Select the checkbox next to each device to add. If the desired devices are not listed, claim them first.
Only devices matching the current network type appear on this page. To add devices of a different type when the network is not already a combined network, use the Organization > Inventory page, which only Organization Admins can access.
-
Select Add to this network.
-
The devices are added to the network and become available for monitoring and configuration.

Bring the replacement MX online
After you add the replacement MX to the cloned network, bring it online to pull its initial configuration and firmware update. This lets you pre-stage the replacement without removing the existing MX or changing any configurations.
By default, all MX devices look for a DHCP WAN IP to pull their initial configuration. If DHCP is not available, or if a static IP is required, use the Local Status Page to apply that configuration to the WAN interface of the replacement MX.
Physically swap devices
After the replacement MX pulls its initial configuration and firmware update, it is ready to swap with the original MX.
To swap the devices:
-
Move the WAN uplink(s) first.
-
Move any necessary LAN connections.
-
Move each cable to the same port on the new MX that it used on the original MX. For example, move the cable from LAN port 4 of the original MX only to LAN port 4 of the new MX, or to another port with an identical configuration.
Because the new MX runs an exact copy of the original MX's configuration, matching the ports ensures correct operation. Once complete, the new MX functions on the network with the exact same configuration as the original MX.
Re-enable Site-to-site VPN (optional)
If the original security appliance previously used Site-to-site VPN, re-enable that functionality under Security & SD-WAN > Configure > Site-to-site VPN. Change the Mode to Hub or Spoke, depending on the desired mode of operation.
Re-generate AnyConnect custom certificate
If this security appliance previously used custom server certifications for AnyConnect VPN, re-add that certificate under Security & SD-WAN > Configure > Client VPN > AnyConnect. For more information, refer to AnyConnect on the MX Appliance.
Delete the original network (optional)
At this point, you can delete the Dashboard network that contains the old MX, or keep it for historical client tracking. To delete the network:
-
Remove the original MX from the network by following the steps in Remove the old MX from the current network (Method 1).
-
Follow the steps in Creating and Deleting Dashboard Networks to finish deleting the network.
Integrate the cloned MX network with an existing combined network (optional)
If the original MX was in a combined network, integrate the newly cloned network back into the existing combined network with a few extra steps.
Split the combined network
Before you add the new security appliance network to the combined network, uncombine the combined network first:
-
Navigate to the Organization > Monitor > Overview page.
-
Expand the Network List if it is not already expanded.
-
Select the checkbox for the combined network that should be split.
-
Select Split Networks at the top of the network list.
The original combined network splits into its individual networks, each listed as Network_Name-appliance, Network_Name-switch, and Network_Name-wireless. If no devices of a certain type were ever added to the combined network, that network type does not appear after the split. For example, if no wireless devices were ever added to Network_Name, no -wireless network is generated.
Re-combine with the new MX network
After splitting the combined network, re-combine it with the security appliance network that contains the replacement MX:
-
Select the checkboxes for all networks that should be combined. Include any -switch or -wireless networks that remain from the original combined network, plus the newly cloned MX network.
-
Confirm the correct networks are selected.
-
Select Combine.
-
Choose a name for the newly combined network to merge the selected networks into a single combined network.
Verification
Confirm the cold swap succeeded by checking the following:
-
The replacement MX checks in to Dashboard and finishes any necessary firmware upgrades.
-
The MX runs the exact same configuration as the original MX.
-
The MX properly services clients on the network.
-
If applicable, Site-to-site VPN, AnyConnect certificates, and any DDNS-dependent services are re-enabled and functioning.
Troubleshooting
-
Replacement MX not reporting in Dashboard, or 1:1 NAT not working: Clear the upstream modem's ARP cache.
-
Downstream clients receive unexpected IP addresses: This occurs when clients connect to the MX LAN before the MX downloads its configuration, because the out-of-the-box config runs DHCP on a default subnet. Connect only the MX WAN port initially and keep the LAN ports disconnected until the MX checks in.
-
Historical client tracking data missing after Method 2: The cloning process does not carry over historical client tracking data. The data remains on the original network but is not pulled into the clone.
-
AutoVPN Spoke networks lose connectivity after Method 2: If the original MX acted as a Hub, the cold swap MX is added as a new Hub. Update the configuration on all Spoke networks.
-
DDNS-dependent services fail after Method 2: The cloned network has a different DDNS hostname. Update any services that rely on the DDNS hostname, such as Client VPN users who connect using it.

