How do you set up MG21E as a fail over internet?

Solved
trunolimit
Building a reputation

So I went through the documentation and I don't understand how to connect the LTE gateway in a way that it acts as an internet failover. 

1 Accepted Solution
DarrenOC
Kind of a big deal

Hi @trunolimit, simply connect the MG into the secondary WAN port of your MX via Ethernet cable.

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.

trunolimit
Building a reputation

OK. Can I have 2 failovers? Or does the MX100 only support 2 WANs, not 3?

DarrenOC
Kind of a big deal

Hi @trunolimit, you’ll find that the whole MX Series only have two WAN ports.

trunolimit
Building a reputation

Any clever way you think I can configure the MG21E as a third failover?

DarrenOC
Kind of a big deal

Fraid not

https://documentation.meraki.com/MG/MG21%2F%2F21E_Datasheet

Use Cases

Note that the following use-cases refer to using a Meraki MX appliance with the MG21 as a WAN uplink. However, the use-cases can also apply to non-Meraki devices.

  • Antenna placement where cellular coverage is best
    • Signal strength is key for cellular performance. The MG21 makes cellular a viable option in situations where the best location for the MX is not necessarily the best location for a strong cellular signal. The separation of cellular antenna and MX expands cellular options for all networks, particularly for mid-range MXs mounted in a data center.
  • Primary WAN
    • In areas where wired internet services are not available, the MG21 provides a simple, viable option for wireless WAN connectivity.
  • Secondary WAN for Failover
    • An MX's secondary WAN interface connected to an MG21 may use the cellular network in the event of a primary uplink failure.
  • Secondary WAN for SD-WAN
    • An MX with an MG21 as a secondary WAN uplink may use the cellular network to establish VPNs for SD-WAN.
  • High Availability Uplink
    • The MG21 can be used as either a primary or secondary internet uplink for MX HA topologies. Its two LAN ports allow the MXs to share access to the same cellular network.

Your other option is to use the 3G/4G failover port in the MX.

Bruce
Kind of a big deal

Maybe there is 'a clever way' - if you can afford another MX. Your two primary links go to WAN1 and WAN2 on the Active MX, and then you connect the MG21 to the WAN port on the standby MX, with them set up in a failover pair. If the two links on the primary MX go down then when the MX detects this it will reduce its priority on VRRP and the standby MX will take over and use the MG21 link. (The WAN ports on the two MX devices don't need to be in the same subnet, and don't need a vIP - it's optional, but in this case you don't want it).

As I said, it needs another MX though (although not another MX license) so it can be an expensive solution if your primary MX is an MX450, but maybe not so bad if you're using something smaller.

trunolimit
Building a reputation

You gorgeous person you. We do have a standby MX100.

But do you need an additional license on the MX100 to make this work?

Bruce
Kind of a big deal

Nope, if you’re using the two MX appliances as a warm standby/HA pair then you only need a single license.

DarrenOC
Kind of a big deal

By all means test, but I don't believe that setup will work. With your primary MX set up with WAN1 and WAN2 configured, that configuration is sat on the secondary waiting to jump into action. Once the primary fails, the WAN port with your MG21 shouldn't work as it'll have the configuration from primary WAN connection pre-defined.

trunolimit
Building a reputation

So then how does VRRP work normally?

If the whole point is to have a standby router that can jump in almost instantly to route traffic if the main router goes down, wouldn’t the limitation of needing to have identical WAN settings keep this from working?

DarrenOC
Kind of a big deal

VRRP is there to ascertain the keep alive between both boxes, i.e. Primary MX are you there > no reply received > OK secondary your turn. If both WAN1 and WAN2 already have ccts terminated in them on the Primary MX then this setup should be replicated across onto the secondary. What Bruce was alluding to was placing the connection from your MG21E into a port on the secondary MX and letting that be your WAN connection should the primary MX fail. It just won't work like that.

trunolimit
Building a reputation

Oh I see what you're saying. In order for VRRP to kick in and make the secondary router primary, the primary router has to have a hardware failure where it can't answer the keep alive. Not just a WAN going down.

DarrenOC
Kind of a big deal

👍 @trunolimit 

Bruce
Kind of a big deal

@trunolimit Please go ahead and try it as it should work as I said. If WAN1 and WAN2 fail on the primary appliance then VRRP will hand over control to the standby, see here https://documentation.meraki.com/MX/Networks_and_Routing/Routed_HA_Failover_Behavior. With a primary and standby MX you have up to four WAN/internet links, those links can be completely independent of each other, although only two are ever active depending on which MX is active. VRRP does not run on the WAN interfaces, and it is optional to have a vIP when the MX is in routed mode (having a vIP means it’s a more stateful failover as your public IP stays the same, without a vIP all tunnels and flows need to be rebuilt - although that shouldn’t be more than 10 seconds or so normally). So in the scenario I suggested you don’t have to vIP on the WAN interfaces (so they’re independent of each other), and if both of the WAN links on the primary MX are detected as a failure, https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/Connection_Monitoring_for_WAN_Failo... then VRRP will hand over control to the standby and your MG21 plugged into WAN1 on that device will become your internet connection.
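
Added example, not part of any post in this thread and not Meraki code: a small Python model of the two readings of HA failover argued above, which enumerates every appliance and link failure combination to find the case a lab test has to exercise to tell the readings apart. The interface labels and the `uplink_loss_triggers_failover` switch are assumptions made for illustration.

```python
from itertools import product

# Constructed topology from the thread: two wired links on the primary MX,
# the MG21 on WAN1 of the spare. Labels are illustrative, not Meraki identifiers.
PRIMARY_UPLINKS = ("wan1", "wan2")
SPARE_UPLINKS = ("wan1-mg21",)


def active_path(primary_alive, links_up, uplink_loss_triggers_failover):
    """Return (appliance, uplink) carrying internet traffic, or None.

    links_up: set of "primary:<if>" / "spare:<if>" strings that are healthy.
    uplink_loss_triggers_failover: True models the reading where a live primary
    with no working uplink hands control to the spare; False models the reading
    where only a missed keepalive brings the spare into service.
    """
    primary_ok = [u for u in PRIMARY_UPLINKS if f"primary:{u}" in links_up]
    spare_ok = [u for u in SPARE_UPLINKS if f"spare:{u}" in links_up]
    if primary_alive and primary_ok:
        return ("primary", primary_ok[0])
    hand_over = (not primary_alive) or uplink_loss_triggers_failover
    if hand_over and spare_ok:
        return ("spare", spare_ok[0])
    return None


def discriminating_scenarios():
    """Enumerate all failure cases and keep those where the readings differ."""
    all_links = [f"primary:{u}" for u in PRIMARY_UPLINKS]
    all_links += [f"spare:{u}" for u in SPARE_UPLINKS]
    differing = []
    for alive, *states in product([True, False], repeat=1 + len(all_links)):
        up = frozenset(l for l, s in zip(all_links, states) if s)
        with_trigger = active_path(alive, up, True)
        keepalive_only = active_path(alive, up, False)
        if with_trigger != keepalive_only:
            differing.append((alive, tuple(sorted(up)), with_trigger, keepalive_only))
    return differing


if __name__ == "__main__":
    for alive, up, with_trigger, keepalive_only in discriminating_scenarios():
        print(f"primary_alive={alive} up={up}: {with_trigger} vs {keepalive_only}")
```

Only one combination separates the two readings: the primary MX is still powered and answering while both of its WAN links are down and the MG21 link on the spare is healthy, so that is the case to reproduce when testing the design.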

shauno
Here to help

Good explanation @Bruce!

Has anyone (Meraki SE or partner/customer) tried this yet? It would be good to see it as a documented & supported use case.

Bruce
Kind of a big deal

The biggest downside with the solution is that you can’t configure WAN2 on the secondary MX in a different manner to the primary, but usually that’s a small price to pay, and may not be an issue.

For instance, WAN2 on the primary may be a 100/40Mbps internet circuit, and on the secondary it may be a Cat6 LTE - which may give a similar performance.

Aaron_Wilson
A model citizen

What Bruce said is true, you have 4 WAN links in a HA pair (only access to 2 at any given time). There is no reason this shouldn't work.
