2 MX250 HA Pair Long Distance

SOLVED
Atags
Getting noticed

Hi,

Can you set up an HA pair with (2) MX250 Firewalls long distance? We have 2 WAN circuits coming in from different sides of the building.

Do they have to be near each other to do that? Or doesn't it matter?

How would I go about this if distance is not an issue for HA?

Just have the HA be set up through a network switch?

Thank you

1 ACCEPTED SOLUTION
jdsilva
Kind of a big deal

Two MX in HA need to be layer 2 adjacent, and with as low latency between them as possible. If you can meet those two conditions then you can place them wherever you like.

But honestly, you're better off to just use a dedicated VLAN on your switching infrastructure to bring one of the WAN circuits across the building to where the MX pair is.

6 REPLIES
cmr
Kind of a big deal

@Atags as the MX250 WAN ports are SFP+, I'd think you'd be best to run a fibre from the NTE to the MXs

Atags
Getting noticed

Thanks all for responding. 

Aaron_Wilson
A model citizen

Seems odd to have the two MXs at each ingress point, and not where things converge in an MDF, etc, where all the other distribution/switching gear is.

If you have a large campus, it's nice to have the network core split in different server rooms. That gives you redundancy on power, air, etc.

Hi Jim - I'm interested in whether you implemented the stretched HA pair? We are busy planning on doing the same with our MX250s in addition to a stretched L3 stack using 4x MS425. Any insights or lessons learnt would be appreciated.
