Meraki

Community

Connect a MX250 HA to a MS425 Stack

Solved
buschtrommelXXL
Just browsing
‎Oct 15 2020 11:15 PM
‎Oct 15 2020 11:15 PM

Connect a MX250 HA to a MS425 Stack

How can i connect the MX250 HA to a MS425 Stack. I want to connect "Fully Redundant (Switch Stack)"

from each MS to each MX like in the documentations from Meraki. But how should be the configuration of the Ports. Because when i do that i get a loop and the whole network goes down.

To my configuration. We have two buldings. In every building is a MX, they are in HA. In every building is a MS configured and they connected together in a Stack.

At the moment it is connected as follows:

 

MX1 Port 26 -> MS1 Port 32

MX2 Port 26 -> MS2 Port 32

 

The Ports of the MX are configured as a Trunk with the VLAN´s i need and Dropped Untagged Traffic.

The Port on the MS are configured as a Trunk with the same VLAN´s and with STP deactivated.

 

When i now connect additional the Ports (with the same Port configuration)

 

MX1 Port 25 -> MS2 Port 31

MX2 Port 25 -> MS1 Port 31

 

The network goes down.

 

I hope this is understandable because my english is not the best 🙂

0 Kudos
1 Accepted Solution
In response to Claes_Karlsson
Bruce
Kind of a big deal
‎Oct 19 2020 1:48 AM
‎Oct 19 2020 1:48 AM

@buschtrommelXXL what you’ve been told is correct, RSTP should be enabled, and you don’t need loop guard, root guard, or any of those. 

I believe your problem lies here, “The Ports of the MX are configured as a Trunk with the VLAN´s i need and Dropped Untagged Traffic.” 

BPDUs, which make RSTP work and prevent loops, are sent untagged on a trunk, and so by setting the MX port to Drop Untagged Traffic you’ve effectively broken RSTP and so a loop is forming.

 

If you set a native VLAN on the trunks, like @Claes_Karlsson shows, then hopefully it should work.

View solution in original post

0 Kudos
13 Replies 13
Claes_Karlsson
Getting noticed
‎Oct 15 2020 11:32 PM
‎Oct 15 2020 11:32 PM

Hi,

 

You have full documentation about the recommended setup here: https://documentation.meraki.com/MX/Deployment_Guides/MX_Warm_Spare_-_High_Availability_Pair

 

Looks like you missed this part:

 

  • Make sure STP is enabled on the downstream switching infrastructure, as a properly-configured HA topology will introduce a loop on the network.

Hope this help!

/CK

0 Kudos
In response to Claes_Karlsson
buschtrommelXXL
Just browsing
‎Oct 15 2020 11:43 PM
‎Oct 15 2020 11:43 PM

Thanks for the info. I know that. But I've searched a lot on this subject because i wanted to find out what option of stp is the right and than i found some topics in there are spoke that stp should be disbled.

Ok than that´s clear.

Can you give me a tip what option of stp is right? "Root Guard" or "Loop Guard" 

 

Thanks in advance!

0 Kudos
In response to buschtrommelXXL
Claes_Karlsson
Getting noticed
‎Oct 15 2020 11:46 PM
‎Oct 15 2020 11:46 PM

Don't use any STP Guard, you may use this configuration I believe.

 

Claes_Karlsson_0-1602830796714.png

 

0 Kudos
In response to Claes_Karlsson
buschtrommelXXL
Just browsing
‎Oct 16 2020 12:10 AM
‎Oct 16 2020 12:10 AM

Ok thanks a lot i will give it a try

 

BR
Sascha

0 Kudos
In response to Claes_Karlsson
buschtrommelXXL
Just browsing
‎Oct 19 2020 12:31 AM
‎Oct 19 2020 12:31 AM

Hi Claes,

i´ve tryed it last weekend and the network goes down again. Do i have to enable all VLANs or can i define only the VLAN´s i need. And at the moment i have configured the Ports on the MX with "Drop untagged Traffic". Can that be the reason?

0 Kudos
In response to buschtrommelXXL
Claes_Karlsson
Getting noticed
‎Oct 19 2020 1:17 AM
‎Oct 19 2020 1:17 AM

I would just allow all the VLANs on the links to keep it as simple as possible. I'm not sure but maybe the VRRP heart beats will traverse over the native VLAN (which is untagged by default).

 

Claes_Karlsson_0-1603095372369.png

 

/CK

 

0 Kudos
In response to Claes_Karlsson
Bruce
Kind of a big deal
‎Oct 19 2020 1:48 AM
‎Oct 19 2020 1:48 AM

@buschtrommelXXL what you’ve been told is correct, RSTP should be enabled, and you don’t need loop guard, root guard, or any of those. 

I believe your problem lies here, “The Ports of the MX are configured as a Trunk with the VLAN´s i need and Dropped Untagged Traffic.” 

BPDUs, which make RSTP work and prevent loops, are sent untagged on a trunk, and so by setting the MX port to Drop Untagged Traffic you’ve effectively broken RSTP and so a loop is forming.

 

If you set a native VLAN on the trunks, like @Claes_Karlsson shows, then hopefully it should work.

0 Kudos
In response to Bruce
buschtrommelXXL
Just browsing
‎Oct 19 2020 2:17 AM
‎Oct 19 2020 2:17 AM

Hi Bruce,

 

thanks for the info. I will try it. Is it better to create a new VLAN for it with no devices in there or can i use an existing.

 

Thanks in advance!

0 Kudos
In response to buschtrommelXXL
Bruce
Kind of a big deal
‎Oct 19 2020 2:22 AM
‎Oct 19 2020 2:22 AM

Normal your native VLAN is just one of your VLANs - quite often it’s the Meraki management VLAN so that your devices can connect to the internet with any pre-configuration. But if you prefer to use just an empty VLAN you can do that too. Just remember to configure the same native VLAN on the switch end of the trunk too.

0 Kudos
In response to Bruce
buschtrommelXXL
Just browsing
‎Oct 19 2020 11:59 PM
‎Oct 19 2020 11:59 PM

Hi Bruce,

thanks a lot. That was it. Now it works!

Can i ask you another Question?

When i have only meraki switches. Is it advisable to set the STP Guards between the Switch to Switch ports?

Thanks in advance!

Sascha 

0 Kudos
In response to buschtrommelXXL
Bruce
Kind of a big deal
‎Oct 20 2020 1:09 AM
‎Oct 20 2020 1:09 AM

@buschtrommelXXL Glad to hear you got it working.

 

Here are the guide lines for setting up the STP guard features:

 

  • BPDU Guard should be enabled on all end-user/server access ports to avoid rogue switch introduction in network
  • Loop Guard should be enabled on trunk ports that are connecting switches 
  • Root Guard should be enabled on ports connecting to switches outside of administrative control

These come from this document, https://documentation.meraki.com/Architectures_and_Best_Practices/Cisco_Meraki_Best_Practice_Design/...

However, between the MX and MS devices I wouldn’t enable any of the STP guards since the MX doesn’t participate in STP, it just forwards any BPDUs it receives.

0 Kudos
In response to buschtrommelXXL
Syed
Here to help
‎Oct 15 2020 11:51 PM
‎Oct 15 2020 11:51 PM

basically not required to enable STP guard. Just enabling STP will prevent the loop

0 Kudos
Syed
Here to help
‎Oct 15 2020 11:34 PM
‎Oct 15 2020 11:34 PM

Hi,

 

Just enable RSTP/STP on all uplink interfaces and connect the secondary uplink towards to MX

0 Kudos
li.common.scroll-to.top
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.