Connect a MX250 HA to a MS425 Stack

Solved
buschtrommelXXL
Just browsing

How can I connect the MX250 HA to an MS425 stack? I want to connect "Fully Redundant (Switch Stack)", from each MS to each MX, like in the documentation from Meraki. But how should the ports be configured? Because when I do that I get a loop and the whole network goes down.

About my configuration: we have two buildings. In every building there is an MX; they are in HA. In every building an MS is configured, and they are connected together in a stack.

At the moment it is connected as follows:

MX1 Port 26 -> MS1 Port 32

MX2 Port 26 -> MS2 Port 32

The Ports of the MX are configured as a Trunk with the VLANs I need and Dropped Untagged Traffic.

The ports on the MS are configured as a trunk with the same VLANs and with STP deactivated.

When I now additionally connect the ports (with the same port configuration)

MX1 Port 25 -> MS2 Port 31

MX2 Port 25 -> MS1 Port 31

The network goes down.

I hope this is understandable because my English is not the best 🙂

1 Accepted Solution
Bruce
Kind of a big deal

@buschtrommelXXL what you’ve been told is correct, RSTP should be enabled, and you don’t need loop guard, root guard, or any of those. 

I believe your problem lies here, “The Ports of the MX are configured as a Trunk with the VLANs I need and Dropped Untagged Traffic.”

BPDUs, which make RSTP work and prevent loops, are sent untagged on a trunk, and so by setting the MX port to Drop Untagged Traffic you’ve effectively broken RSTP and so a loop is forming.

 

If you set a native VLAN on the trunks, like @Claes_Karlsson shows, then hopefully it should work.


13 Replies
Claes_Karlsson
Getting noticed

Hi,

 

You have full documentation about the recommended setup here: https://documentation.meraki.com/MX/Deployment_Guides/MX_Warm_Spare_-_High_Availability_Pair

 

Looks like you missed this part:

 

  • Make sure STP is enabled on the downstream switching infrastructure, as a properly-configured HA topology will introduce a loop on the network.

Hope this helps!

/CK

buschtrommelXXL
Just browsing

Thanks for the info. I know that. But I've searched a lot on this subject because I wanted to find out which STP option is the right one, and then I found some topics which said that STP should be disabled.

OK, then that's clear.

Can you give me a tip on which STP option is right? "Root Guard" or "Loop Guard"?

 

Thanks in advance!

Claes_Karlsson
Getting noticed

Don't use any STP Guard, you may use this configuration I believe.

 

[Image: Claes_Karlsson_0-1602830796714.png]

 

buschtrommelXXL
Just browsing

OK, thanks a lot, I will give it a try.

 

BR
Sascha

buschtrommelXXL
Just browsing

Hi Claes,

I tried it last weekend and the network went down again. Do I have to enable all VLANs or can I define only the VLANs I need? And at the moment I have configured the ports on the MX with "Drop untagged Traffic". Can that be the reason?

Claes_Karlsson
Getting noticed

I would just allow all the VLANs on the links to keep it as simple as possible. I'm not sure, but maybe the VRRP heartbeats will traverse over the native VLAN (which is untagged by default).

 

[Image: Claes_Karlsson_0-1603095372369.png]

 

/CK

 

buschtrommelXXL
Just browsing

Hi Bruce,

Thanks for the info. I will try it. Is it better to create a new VLAN for it with no devices in there, or can I use an existing one?

Thanks in advance!

Bruce
Kind of a big deal

Normally your native VLAN is just one of your VLANs - quite often it’s the Meraki management VLAN so that your devices can connect to the internet with any pre-configuration. But if you prefer to use just an empty VLAN you can do that too. Just remember to configure the same native VLAN on the switch end of the trunk too.

buschtrommelXXL
Just browsing

Hi Bruce,

Thanks a lot. That was it. Now it works!

Can I ask you another question?

When I have only Meraki switches, is it advisable to set the STP guards on the switch-to-switch ports?

Thanks in advance!

Sascha

Bruce
Kind of a big deal

@buschtrommelXXL Glad to hear you got it working.

 

Here are the guidelines for setting up the STP guard features:

 

  • BPDU Guard should be enabled on all end-user/server access ports to avoid rogue switch introduction in network
  • Loop Guard should be enabled on trunk ports that are connecting switches 
  • Root Guard should be enabled on ports connecting to switches outside of administrative control

These come from this document, https://documentation.meraki.com/Architectures_and_Best_Practices/Cisco_Meraki_Best_Practice_Design/...

However, between the MX and MS devices I wouldn’t enable any of the STP guards since the MX doesn’t participate in STP, it just forwards any BPDUs it receives.
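
Added example, not part of the original thread and not Meraki's code: a small audit of the four MX-to-MS links from the first post, checking the points raised in the accepted solution and in the guard guidance above (untagged traffic not dropped on the MX trunk, matching native VLAN on both ends, RSTP enabled, no STP guard on MX-facing ports). The port records are constructed sample data, native VLAN 1 is a placeholder, and the field names are assumptions modelled on Meraki Dashboard API port objects.

```python
# Added example: audit the four MX<->MS uplinks cabled in this thread.
# All port records are constructed sample data; the field names are
# assumptions modelled on Meraki Dashboard API port objects.
LINKS = [  # (mx, mx_port, ms, ms_port)
    ("MX1", "26", "MS1", "32"), ("MX2", "26", "MS2", "32"),
    ("MX1", "25", "MS2", "31"), ("MX2", "25", "MS1", "31"),
]

def audit_link(mx_port, ms_port):
    """Return the findings for one MX-to-MS trunk link."""
    findings = []
    if mx_port["type"] == "trunk" and mx_port["dropUntaggedTraffic"]:
        # BPDUs are untagged, so the MX discards them instead of forwarding
        # them and the switches cannot detect the loop.
        findings.append("MX drops untagged traffic (BPDUs lost)")
    elif mx_port["vlan"] != ms_port["vlan"]:
        findings.append("native VLAN mismatch: MX=%s MS=%s"
                        % (mx_port["vlan"], ms_port["vlan"]))
    if not ms_port["rstpEnabled"]:
        findings.append("RSTP disabled on switch port")
    if ms_port["stpGuard"] != "disabled":
        findings.append("STP guard '%s' on MX-facing port" % ms_port["stpGuard"])
    return findings

def audit(mx_ports, ms_ports, links=LINKS):
    """Map each link with problems to its list of findings."""
    report = {}
    for mx, mxp, ms, msp in links:
        found = audit_link(mx_ports[(mx, mxp)], ms_ports[(ms, msp)])
        if found:
            report["%s/%s <-> %s/%s" % (mx, mxp, ms, msp)] = found
    return report

def make_ports(drop_untagged, native, rstp, guard="disabled"):
    """Build constructed port records for every link end."""
    mx = {(m, p): {"type": "trunk", "dropUntaggedTraffic": drop_untagged,
                   "vlan": None if drop_untagged else native}
          for m, p, _, _ in LINKS}
    ms = {(s, p): {"type": "trunk", "vlan": native,
                   "rstpEnabled": rstp, "stpGuard": guard}
          for _, _, s, p in LINKS}
    return mx, ms

BEFORE = make_ports(drop_untagged=True, native=1, rstp=False)  # original post
AFTER = make_ports(drop_untagged=False, native=1, rstp=True)   # after the fix

if __name__ == "__main__":
    for link, found in audit(*BEFORE).items():
        print(link, "->", "; ".join(found))
    print("after fix:", audit(*AFTER) or "no findings")
```
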

Syed
Here to help

Basically, it is not required to enable STP guard. Just enabling STP will prevent the loop.

Syed
Here to help

Hi,

 

Just enable RSTP/STP on all uplink interfaces and connect the secondary uplink towards the MX.
