Active Active MX105

Solved
Justin_B
I would like to do Active/Active on two MX105 units.

 

Currently I have only one unit configured and it is running 192.168.9.0/29 with a Palo Alto having .1 and the Meraki having .6.

 

It has a friendly 1:1 NAT to the Internet assigned a Public IP, and both it and the firewall are doing BGP on our WAN Vsys.

 

The FW has a different BGP AS number.

 

***

 

My understanding is that I just need to do iBGP, because our Meraki units should just be the same AS, 64512.

 

 

Can someone confirm if that should work?  I will just make another private subnet and 1:1 Public NAT for the other Meraki, so both can reach the cloud.

1 Accepted Solution
ww

Assuming you place them both in a separate network. You need a license for the new MX as well.

 

You would use eBGP to the BGP neighbor, just the same as MX1.

 

Meraki uses iBGP inside the VPN; you don't need to configure this.

4 Replies
DarrenOC

Active/Active isn't possible with Meraki MX, only Active/Standby.

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
Justin_B

This worked perfectly. I created a separate VLAN to carry MX2 to the same HA Active/Passive pair of Palo Alto 5420 firewalls. What I did was add another VLAN on the firewall rack switch, which is Layer-2 to the core (Layer-3). Anyway, the two switches are Cisco 9500-48Y4C in StackWise Virtual, and an LACP link to each firewall is already created for redundancy.

I added the new VLAN and carried the firewall to the other MX (#2) on the other 9500 chassis, because MX units don't do LACP, so I have one per switch. Ultimately, two separate VLANs for two separate MX units. Each MX has a separate /29 subnet too, in case I ever want to add VRRP (unlikely). The Layer-3 part is that I use an IP at one end on an interface on the firewall and at the other end on the Meraki. The FW interfaces are ae3.1898 and ae3.1899, of course carried by those two VLANs over LACP to the switch stack, which then delivers them via one link to each MX.

I created one (1) BGP peer group on the PA, then added the second Meraki simply as another peer. Both of the Meraki units have the same AS as each other, and the firewall has a different AS.

 

This Meraki setup is active/active and it is working perfectly. I can change the preferred SD-WAN hub order in the Meraki cloud, and it updates the firewall using BGP prepending. My Meraki AS is 64512, so the less preferred hub becomes 64512, 64512.

 

 

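As an added illustration (not code from the thread, and not the PAN-OS or Meraki configuration itself), the following Python model shows the two BGP behaviours the post above relies on: the Palo Alto picks the hub whose AS_PATH is shorter, so a hub that prepends 64512 a second time loses, and because both MX units share AS 64512, eBGP loop prevention means neither MX would ever accept the other's route back via the firewall. The PA's AS number (65000), the second MX's /29 (192.168.10.0/29), and the spoke prefix (10.50.0.0/24) are constructed assumptions; 192.168.9.6 and AS 64512 come from the thread.

```python
"""Model of the eBGP decision between a Palo Alto and two Meraki MX hubs
sharing AS 64512 (added example; addresses marked below are assumptions)."""
from dataclasses import dataclass

PA_AS = 65000        # assumption: the thread only says it differs from 64512
MERAKI_AS = 64512    # from the thread: both MX units use this AS
MX1_ADDR = "192.168.9.6"     # from the thread
MX2_ADDR = "192.168.10.6"    # assumption: the second MX's separate /29
SPOKE_PREFIX = "10.50.0.0/24"  # constructed AutoVPN spoke prefix


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple      # leftmost entry is the most recently traversed AS
    next_hop: str
    peer: str
    local_pref: int = 100
    med: int = 0


def loop_free(route: Route, local_as: int) -> bool:
    """eBGP loop prevention: a router discards any route whose AS_PATH
    already contains its own AS number."""
    return local_as not in route.as_path


def best_path(routes, local_as: int):
    """The part of the BGP decision process that matters here:
    highest LOCAL_PREF, then shortest AS_PATH, then lowest MED,
    then lowest peer address as a deterministic tie-break."""
    candidates = [r for r in routes if loop_free(r, local_as)]
    if not candidates:
        return None
    return min(candidates,
               key=lambda r: (-r.local_pref, len(r.as_path), r.med, r.peer))


def advertise(prefix: str, hub_addr: str, prepend: int = 0) -> Route:
    """What an MX hub sends to the PA over its eBGP session: its own AS,
    prepended `prepend` extra times when the dashboard ranks it lower."""
    return Route(prefix, (MERAKI_AS,) * (1 + prepend), hub_addr, hub_addr)


def pa_view(preferred_hub: str):
    """Routes the PA holds for the spoke prefix, given which hub the
    Meraki dashboard lists first ("MX1" or "MX2")."""
    mx1 = advertise(SPOKE_PREFIX, MX1_ADDR, prepend=0 if preferred_hub == "MX1" else 1)
    mx2 = advertise(SPOKE_PREFIX, MX2_ADDR, prepend=0 if preferred_hub == "MX2" else 1)
    return [mx1, mx2]


def selected_next_hop(preferred_hub: str) -> str:
    """Next hop the PA installs after changing the hub order."""
    return best_path(pa_view(preferred_hub), PA_AS).next_hop


def readvertise(route: Route, via_as: int) -> Route:
    """A router passing a route on to an eBGP peer prepends its own AS."""
    return Route(route.prefix, (via_as,) + route.as_path, route.next_hop, route.peer)


def mx2_accepts_mx1_route() -> bool:
    """Would MX2 accept MX1's route if the PA re-advertised it? No: the
    path (65000, 64512) already contains MX2's own AS 64512."""
    return loop_free(readvertise(pa_view("MX1")[0], PA_AS), MERAKI_AS)


if __name__ == "__main__":
    for hub in ("MX1", "MX2"):
        print(f"dashboard prefers {hub}: PA next hop -> {selected_next_hop(hub)}")
    print("MX2 accepts MX1's route via the PA:", mx2_accepts_mx1_route())
```

The loop-prevention check is the reason the two hubs can share AS 64512 without any iBGP session between them on the LAN side: from the firewall's point of view they are two eBGP peers in one peer group, and the AS_PATH keeps the firewall from ever feeding one hub's routes back to the other.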

PhilipDAth

Only when being used for an AutoVPN concentrator.
