I want to connect two MX100 which are operated as Active/Pasive with a switch stack consisting of two MS425-32.
L3 Routing is enabled on the MS425 Stack.
I have read the documentation, unfortunately I could not find out how best to connect and configure this configuration.
It is clear that every MX100 must be connected to both MS425s.
According to the documentation, a direct connection must be established between the two MX for the heartbeat, but as the MX do not support spanning tree protocol, I am not sure how to connect it.
Does anyone have a wireing diagramm for me and can help me to configure the whole thing?
Thanks in advance
So here is how we do this.
WAN to MX100's.
Thankfully our Comcast and Verizon modems have multiple LAN ports so we connect those to WAN1 and WAN2 on both MX100's. Then we have a virtual IP setup between the two MX100's.
MX100's to Core stack
Port 4 on MX100-1 to Port 1 on Core SW1
Port 5 on MX100-1 to Port 2 on Core SW1
Port 4 on MX100-2 to Port 1 on Core SW2
Port 5 on MX100-2 to Port 2 on Core SW2
EDIT: You don't have to use the port numbers above, I just used them for example purposes.
Note you will need minimum at least 2 WAN IP from each of the ISP and also it would be great if they can provide EdgeRouter so there will be a multiple LAN ports (same scenario as @Adam).
If they only provide you modem or routers with only 1 ports but /subnet then you will require a WAN switch as per below. (I recommend you to get /29 instead because we need to configure another public WAN ip on the WAN switch 2 for the Meraki uplink so we would be able to see it in the dashboard)
Note that the MS425-16 should be stack 🙂
The Left & Right MX100's port 1 will configure ISP 1's WAN IP, eg. 188.8.131.52 (Left) & 184.108.40.206 (Right)
Then Left & Right MX100's port 2 wil configure ISP 2's WAN IP eg. 220.127.116.11 (Left) & 18.104.22.168 (Right)
Hope this will help.
Thank you for your answers, that has already helped me.
On the WAN side I have an EdgeRouter at ISP 1. Currently there is only one port active but I can call the ISP and have a second port activated. ISP 2 has only provided me with a cable modem, I have to work with a WAN switch there.
At ISP 1 I have 8 IP addresses (/28), ISP 2 provides me only one usable IP address (/30). So I also have to take care of it and make a phone call.
Connection from MX to MS: Should the links be aggregated or should I configure it as individual links?
The MX100 are used for inbound NAT as well as for client and site-to-site VPN.
By outbound NAT do you mean the setting Security appliance -> Traffic shaping -> Flow preferences -> Internet traffic?
There are some devices that should only communicate to the outside via a special ISP.(for reasons of upload speed) So yes, 2-3 settings will certainly be made here.
I am switching from Sophos UTM220 (EOL) to Meraki and want to map the configuration to the Meraki firewall 1:1 before putting it into operation.