Sorry I'm still confused. Are both MX's (active and passive) not supposed to have unique ip addresses for the LAN?

We use static routes on our L3 switch.

Which article is more up to date?

this 

https://documentation.meraki.com/MX/Deployment_Guides/MX_Warm_Spare_-_High_Availability_Pair

or this?

https://www.willette.works/mx-warm-spare/

Greetings @hmc250000!

What @DarrenOC is true!
HA configuration is quite straightforward and the doc you originally posted should do!

To your questions:

• "Where do we configure the VIP?" The VIP can only be configured on the WAN interfaces
• "Can we use private ip addresses?" Private address space can be used for your WAN interfaces including your VIP - likewise, these must be in the same subnet. So just make sure there is at least a /29 to accommodate the 3 address. A-WAN1/B-WAN1/VIP
• How would this work for the LAN?" Typically, we see, depending on the placement of the MXs and the gateways, the LAN ports configured as transit or management networks. There also needs to be communication between the LAN ports of each MX via a switch downstream in order to exchange VRRP heartbeats. The MX doesn't participate in STP, so it is best like Willette.Works' doc mentions to prune out your Mgmt/Heartbeat VLAN on a specific LAN port to prevent unintended BPDU flooding.

Hope that helps!

Hi Meraki Experts,

Greetings and hats-off for the forum replies. Appreciated!

We have a use-case to aggregate the ISP-1 and ISP-2 links in MX HA pair as per my attached design. Here we go for the physical connectivity for WAN and LAN using switches. I've following queries to get the response from you guys..

1) Should we manage to aggregate both ISPs in MX irrespective of MX hardware level failover?

2) Should we end-up landing into STP issues by having same Switch for both Uplink & Downlink?

You should really create a new post for this separate enquiry...

Leaving that aside - you use the term 'aggregate';  MX does not support link aggregation (802.3ad / LACP or similar).   With MX you provide a separate WAN (Internet) uplink to each of WAN1 and WAN2 ports and the MX can make use of both links simultaneously, by allocating different sessions to different links, based upon preference and performance criteria you configure.  so;   don't configure any link aggregation on your switches, for connection to the MXs.

Each of your MXs should be connected to both switches, on the LAN side, for resilience (your diagram shows only one such link per MX).  Note however that MX does not participate in spanning tree, but will forward STP BPDUs, to allow your switches to resolve the physical loops that will create.  So;  configure STP on the switches to match the desired topology (e.g. bridge priority).   

Provided you do this properly and use different VLANs for WAN1, WAN2 and LAN-side VLANs, you should not get into STP-related problems.

My apologies if this post confusing the earlier topic. However, let me reply for your queries to make 100% clear within us.

I agree with you that i meant "aggregate" as a term refers to utilize both the ISP links together in MX on account of load sharing. Of course i don't enable any LACP between switches and MX WAN interfaces.

Considering the shortage of switch ports, we would plan to use 1x LAN port/downlink per MX. I understand we are compromising the resiliency but still it's OK to move on i believe. As a caveat, this would be a single point of failure for LAN/VRRP communications that i understand... 

In conclusion, should we proceed to deploy the MX HA architecture using mentioned topology? If yes, i hope we can get following results around this design...

1) Internet link load sharing by using both ISP links in MX

2) Internet link failover

3) MX failover

@Guruprakash_M you should be just fine with one LAN link per MX.  In fact, unless you are connecting the MXs to a switch stack I'd recommend one link over two.

Thank you for the reply mate!

Could you please confirm the below points as a conclusion of this query?

Should we proceed to deploy the MX HA architecture using the mentioned topology in Routed mode? If yes, i hope we can get following results around this design...

1) Internet link load sharing by using both ISP links in MX with /29 IP subnet each

2) Internet link failover

3) MX failover

@Guruprakash_M I personally would not use the same switch for internet splitting and LAN, though it should work as you have drawn it if you get the VLANs right.

We always use small unmanaged 5 port gigabit switches for the ISP splitting as they cost next to nothing and keep the design simple.

Thanks again mate.

Yes, we have planned for unique VLANs in respect to the ISP-1, ISP-2 and LAN connectivity for sure.

I totally agreed to have a separate switches for WAN and LAN termination however this is one of small branch site for customer. Still, we look forward to check the different switch in subject to the availability factor.

Sincerely, i thank you for the response on time. Highly appreciated for your dedication & efforts. 🙂

Just in case you still need a hand....

• WAN interfaces can either use only their dedicated WAN IP address (in routed/NAT mode), or you can create a virtual IP address that moves between the primary and standby MX when failover occurs
• LAN interfaces only have a single IP address that is configured on the primary MX. This IP address is passed to the standby MX when failover occurs (so you only need one IP address on the LAN for two MXs)
• VRRP messages only occur between the primary and secondary MX appliances on LAN interfaces - but they occur on all configured VLANs (be aware of this if you have multiple connections between the MXs)
• VRRP messages occur at Layer 2, hence why you don't need a separate IP address on each of the MXs on the LAN side (this is confusing for anyone who has used HSRP)

Thank you!. Now I get it.

LAN interfaces only have a single IP address that is configured on the primary MX. This IP address is passed to the standby MX when failover occurs (so you only need one IP address on the LAN for two MXs)