Adding MX250 Spare with one of two WAN interfaces

Solved
NetworkGuy123
Conversationalist

Adding MX250 Spare with one of two WAN interfaces

I have an issue where I need to add a warm spare to an existing MX-250 configuration. I tried adding the spare into the dashboard via a Public IP I configured from the local dashboard on the standby MX250 via a laptop, I then added the serial and chose "Use uplink ips"  into the primary dashboard and it pretty much blew up my whole SD-Wan network this past weekend. I removed the spare and got things happy again pretty easily, but I'm stumped as to why I can't add the warm spare in at this point.

The one caveat is that I don't have both WAN connections in the data center the standby was moved to only has one of the 2 WAN connections.  I have some questions after reading the willette documentation and Meraki...Assuming I can't use virtual IPs

 

  • They are both on the same hw/sw version (both mx250s)
  • They are both plugged into the same Layer 2 switch on the single ISP side (/27 so plenty of spare IPs, I can see both Public IPS / MACs on the internet switch as well), so on my primary MX I have 2 wan interfaces, but on the warm spare I'd only have one.
    They are plugged into switch 1 and switch 2 of my core switch in a VSS pair - same vlan so LAN connectivity should be OK.
  • Do I need to put a public IP on the spare MX - configured locally, and then add that in IP in via dashboard?
  • I can't find a way to put an inside IP on the spare MX250 via the local dashboard?
    Does VRRP handle the LAN side? Meaning I don't add an IP on the LAN interface of the spare MX250 at all?
  • Should I leave the LAN interface shutdown until it's added in via the Configure warm spare button? (like willette suggests)

Thanks

1 Accepted Solution
PhilipDAth
Kind of a big deal
Kind of a big deal

You can connect them directly.  Use a VLAN that does not exist anywhere else.  Make sure this VLAN is only exchanged between the two MX.

View solution in original post

9 Replies 9
cmr
Kind of a big deal
Kind of a big deal

Do I need to put a public IP on the spare MX - configured locally, and then add that in IP in via dashboard?

 

Configure IP before plugging in, also use virtual IP as you should have enough to share one between the MX pair.


I can't find a way to put an inside IP on the spare MX250 via the local dashboard?
Does VRRP handle the LAN side? Meaning I don't add an IP on the LAN interface of the spare MX250 at all?

 

The LAN interface shares the IP, it uses VRRP so you don't need to add an IP here.  Note if connecting to a switch stack or hsrp/vrrp pair, you should have one link from each MX to each switch.


Should I leave the LAN interface shutdown until it's added in via the Configure warm spare button? (like willette suggests)

 

Configure warm spare should be done before connecting the warm spare MX but ideally after upgrading it to the same firmware.  You can do this by adding it to a test network first, then removing that network and adding as warm-spare

NetworkGuy123
Conversationalist

If i only have 1 of the 2 ISPs available for the standby MX can I still use Virtual IPs from what I read I don't think I can.  I tried using virtual IP and it asks for 2 WAN IPs, so the wan setup on my primary will NOT match the secondary.  My standby will only be able to have one of the 2 wan connections (I can't stretch the other connection to this part of the building at the moment) 

cmr
Kind of a big deal
Kind of a big deal

On the second WAN if you have enough IP addresses, configure as a virtual and if possible do the initial setup where you have both connections and then move the warm spare to the new location.  We had no trouble with warm spares having one WAN down for several weeks while we got everything set up.

NetworkGuy123
Conversationalist

OK I don't think I have any more available on that block.  Wondering if I should buy another mx250 license and just fail over manually by creating another network for my HQ.

cmr
Kind of a big deal
Kind of a big deal

Or use a dedicated MX (any router) on the second link to create multiple IPs on its LAN side (the MX HA pair's WAN side)

PhilipDAth
Kind of a big deal
Kind of a big deal

I wont answer your questions directly as I see there is already quite a bit of feedback.

  • Each MX needs to have a unique IP on at least one of its WAN interfaces
  • You don't have to have both WAN interfaces of both MX connected.  Connecting just WAN1 on the spare MX is sufficient.
  • If you are not using "Virtual IP" (maybe you are only using the MX for AutoVPN mode) the two WAN interfaces don't even have to be connected to the same WAN circuit.  They could be using completely different ISPs.  But this config is not so common.
  • When adding the warm spare you would "normally" configure the IP for its WAN interface via the local status page and not the dashboard.  It is possible to do it via the dashboard but there are a lot more caveats.

 

NetworkGuy123
Conversationalist

Is it possible to connect the 2 MX's directly with a new vlan and  a /30 for the VRRP communication or is the recommended best practice to use a downstream switch?  I'm really only worried about hardware failure, and I'd like to be able to use the standby as the internet device, along with the site to site traffic. 

PhilipDAth
Kind of a big deal
Kind of a big deal

You can connect them directly.  Use a VLAN that does not exist anywhere else.  Make sure this VLAN is only exchanged between the two MX.

Guruprakash_M
Comes here often

Hi Philip,

 

As far as the Cisco Meraki documentation guidelines, the direct L2 link (VRRP/HA) between the MX design got retired it seems. Are we in a same page? If not, shall we proceed to interconnect a dedicated layer-2 link for MX heartbeat link?

 

Also, can we use the MX WAN interfaces (/29 IP subnet & same broadcast domain) to have VRRP heartbeat communication for define the failover provided the MXs are deployed in routed mode.

 

If you could reply for this query, it would really great for our requirement. 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels