Meraki

Community

Dual MX and Dual ISP

leadtheway
Building a reputation
‎Jun 5 2021 9:26 AM
‎Jun 5 2021 9:26 AM

Dual MX and Dual ISP

Never deployed in this configuration before, I've done single MX with dual wan, Is there a specific way to setup these MX in either hot spare or true LB config?

 

Its two MX 100 and two different ISP 

0 Kudos
10 Replies 10
KarstenI
Kind of a big deal
Kind of a big deal
‎Jun 5 2021 9:32 AM
‎Jun 5 2021 9:32 AM

This is my typical setup. Most important is to have at least a /29 from both ISP so that both MXes can have an own IP on both ISPs subnets. Ideally you have also one spare IP as the virtual IP. The rest is pretty much straight forward.

0 Kudos
In response to KarstenI
leadtheway
Building a reputation
‎Jun 5 2021 9:50 AM
‎Jun 5 2021 9:50 AM

so do i need to create a DMZ of some sort for each ISP on one of the MS switches? Im having a hard time picturing the cabling

0 Kudos
In response to leadtheway
KarstenI
Kind of a big deal
Kind of a big deal
‎Jun 5 2021 10:03 AM
‎Jun 5 2021 10:03 AM

You should have two external switches for full redundancy. Here is a picture of my default-setup:

KarstenI_0-1622912368761.png

The external switches are typically Cisco Cat1000-10. Both MXes are connected to both external switches and the ISP-routers also go to both switches. The connection LAN3 on the MX to Gig9 on the switch is for the management of the external switches. This is a dedicated DMZ on the MX.

On the switches, Gig1-4 are VLAN A (ISP1) and Gig5-8 are VLAN B (ISP2). Gig9 is the management VLAN and Gig10 is a trunk.

In response to KarstenI
leadtheway
Building a reputation
‎Jun 5 2021 10:27 AM
‎Jun 5 2021 10:27 AM

got it, that helps, but we don't have extra switches at the moment, both ISP are single router handoff (ATT/Spectrum). Is there a way to do this using an extra MS225?

0 Kudos
In response to leadtheway
Inderdeep
Kind of a big deal
Kind of a big deal
‎Jun 5 2021 10:57 AM
‎Jun 5 2021 10:57 AM

@leadtheway :Below guide will help you out. Use load balancing and make backup for each other.

https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/MX_Load_Balancing_and_Flow_Preferen... 

Regards/Inder
Cisco IT Blogs awarded in 2020 & 2021
www.thenetworkdna.com
In response to Inderdeep
leadtheway
Building a reputation
‎Jun 5 2021 11:07 AM
‎Jun 5 2021 11:07 AM

yeah I understand that for load balancing the Wan connections, I also want to make the MX fully redunant

0 Kudos
In response to leadtheway
Inderdeep
Kind of a big deal
Kind of a big deal
‎Jun 5 2021 12:20 PM
‎Jun 5 2021 12:20 PM

@leadtheway : yes you can still do that redundancy. Let suppose x amount of traffic is passing through wan1 and y amount of traffic via wan 2, if wan 1 link down, the x amount of traffic failover to wan2 with y amount of traffic, similar vice versa.

Regards/Inder
Cisco IT Blogs awarded in 2020 & 2021
www.thenetworkdna.com
0 Kudos
In response to leadtheway
KarstenI
Kind of a big deal
Kind of a big deal
‎Jun 5 2021 10:59 AM
‎Jun 5 2021 10:59 AM

Yes, but using a MS225 IMO is a waste of precious resources and with only one of them you still have a single point of failure. When using a Meraki-switch, just make sure that this external switch is in a different dashboard-network as the MXes.

0 Kudos
In response to KarstenI
leadtheway
Building a reputation
‎Jun 5 2021 11:08 AM
‎Jun 5 2021 11:08 AM

its an extra switch we aren't using. I just confirmed with ISP, one is a /30 and one is a /29 so not sure what I can even do now given your suggestions (which are awesome and will be used from now on)

0 Kudos
In response to leadtheway
KarstenI
Kind of a big deal
Kind of a big deal
‎Jun 5 2021 11:21 AM
‎Jun 5 2021 11:21 AM

With only a /30, you can not directly connect both MXes to that ISP. I would try hard to replace the /30 with a /29. There are other solutions for this scenario but all make the setup more complex and again you need additional equipment:

You could replace one of the switches with an extra router and terminate the ISP on that link. Between the MX and the Router you have a private transfer-network that gives you enough IPs for both firewalls. In this case the router does the NAT and has a static route to your internal network while the MX is configured to not do any NAT.

Another solution is to connect the ISP1 (with the /30)  only to your primary MX and ISP2 to both MXes. Here you only have full redundancy and both ISPs available on MX1, but that should not be a major problem.

 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.