MG Cellular Gateway with Highly Available MX Security Appliances

Solved
Prodrick
Building a reputation

MG Cellular Gateway with Highly Available MX Security Appliances

I thought I had the documentation for this, but I can't seem to find it.  Where might I find the documentation on MG cabling options for connectivity in a Meraki Network with two MX?  For example, does the MG get connected to a switch that each MX is connected to, or does an MG get directly connected directly to both MX's secondary uplink ports?

I'm looking to understand the different ways that customers might configure this.

On the MG21 data sheet, it says "2 GbE ports for routers in HA mode", which makes me think that these connect to the secondary uplink (WAN 2) of each MX, but is that the only way people connect these in an HA setup?

Thanks so much.

1 Accepted Solution
ww
Kind of a big deal
Kind of a big deal

Mg to L2 vlan poe (switch)port ,, and in the same vlan two switch ports to mx wan ports

 

Mg to poe adapter. Then from poe adapter to mx1 and mg port2 to mx2

 

Mx(some newer mx types) with Poe on wan port. Then you can use mg port 1 to mx1 and mg port2 to mx2 

View solution in original post

13 Replies 13
ww
Kind of a big deal
Kind of a big deal

Mg to L2 vlan poe (switch)port ,, and in the same vlan two switch ports to mx wan ports

 

Mg to poe adapter. Then from poe adapter to mx1 and mg port2 to mx2

 

Mx(some newer mx types) with Poe on wan port. Then you can use mg port 1 to mx1 and mg port2 to mx2 

javalins
Meraki Employee
Meraki Employee

It really depends on your budget, if you want to layer in switches between the MX's and MG's to create a mesh of connectivity, you absolutely can, just scales the price of the solution accordingly.

Prodrick
Building a reputation

Thanks to the both of you.  Is there a design guide that details the options?

javalins
Meraki Employee
Meraki Employee

Not officially.  If you have design concerns, I'd reach out to your Meraki Account Team and they can help technically validate what you are trying to do.

KarstenI
Kind of a big deal
Kind of a big deal

I have two strategies here:

1) With the newer MXes, I connect the MG directly to both WAN2 as these devices can power the MG.

2) With older MXes, I have a small (typically non-Meraki) switch between both WAN2 and the MG.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
NolanHerring
Kind of a big deal

Have you had any luck with these during fail-over @KarstenI ?

 

I have an MG51 plugged into WAN2 on FW1 and FW2 (warm-spare) and only one of the WAN2 ports ever provides PoE.  When the FW that is providing PoE goes down (reboot or whatever), the MG51 loses power, and then PoE on the other FW kicks in. So there is an outage that really should not exist given the physical redundancy, which is upsetting.

Nolan Herring | nolanwifi.com
TwitterLinkedIn
KarstenI
Kind of a big deal
Kind of a big deal

Oh, I never got a report like this. But my typical support is for networks that have the external switch. I'll try to find out if the directly connected MGs also show this behavior. Perhaps it just was not realized as LTE is only used for backup and both MXes have always WAN1 connected to the same ISP.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
NolanHerring
Kind of a big deal

Got a reply on another thread from Meraki employee (and confirmation via case I opened) that the MG unit can only have a single PoE source for power at a time. LAN can be dual, but not PoE.

Nolan Herring | nolanwifi.com
TwitterLinkedIn
KarstenI
Kind of a big deal
Kind of a big deal

Just read it. But it is good to know if someone wants to run the MG as the primary Internet. I'll change my default design to "only with external switches".

The idea of powering the MG from the WAN port is really great, but obviously, the feature was not completely thought out in product design.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
NolanHerring
Kind of a big deal

Yeah I mean in that specific example its basically just transferring the single point of failure from whichever MX happens to be providing PoE, to the switch that is providing PoE. If the switch has dual-PSU then it might make more sense vs having it connected directly to the MX that doesn't. Unless I'm missing something?

Nolan Herring | nolanwifi.com
TwitterLinkedIn
KarstenI
Kind of a big deal
Kind of a big deal

Not a single point of failure, as these switches are also redundant. One for ISP1 and one for ISP2. I use either the CBS350-8 or Catalyst 1000-8 for this.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
NolanHerring
Kind of a big deal

Single in the sense that the MG unit only has a single power source. If that switch goes down, the MG goes down with it. Similar to if it is connected to dual MX. If the MX providing power goes down, so does the MG.

Nolan Herring | nolanwifi.com
TwitterLinkedIn
KarstenI
Kind of a big deal
Kind of a big deal

This is an important point I didn't think about before. In my setup, only Switch 2 should provide power to the MG, and PoE needs to be disabled on Switch 1. If Switch 1 goes down, ISP1 is lost, and the MG as ISP2 needs to stay up.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.