Fail over Mechanism between 2 MX and 2 Palo Alto

Solved
Senan_Rogers

Hello Guys,

I want to get your opinion on a case I have below, and I want to know the best scenario/practice for the design.

Problem description:

What is the best mechanism to trigger the failover between Palo Alto and Meraki MX? What I mean is: when Palo Alto 1 is down, how will MX1 know that Palo Alto 1 is down and that it needs to communicate with Palo Alto 2?

Any suggestion?

Senan_Rogers_1-1591967283433.png

9 Replies
ww

I assume PA2 takes over the IP of PA1 (VRRP).

jdsilva

What is the goal of this design? My initial answer is simply that you shouldn't do this, as it doesn't add any value while greatly increasing complexity, but let's hear the use case and go from there.

PhilipDAth

I'm with @jdsilva. It looks like a terrible idea to me. I can't imagine what the benefit of such a huge amount of complexity will be.

You can be pretty confident that engineering in so much complexity will result in an increased number of outages.

Senan_Rogers

The Palo Alto firewall is a must, and they have features that are not available with Meraki MX, so we have to keep them. They are managed by a different organization (3rd party), and the Meraki is managed by another organization, so we have to keep them in parallel.

I totally understand the design is complex, and I am in a situation where I have to simplify the solution and keep both of them (MX/Palo Alto).

Please see below the overall design.

Senan_Rogers_1-1592070873039.png

So what I am asking is how to simplify the failover mechanism between two different vendors with the above design.

Any idea you can share with me?

cmr

I don't see the issue; if you have two HA pairs that can't be in series, then what you have is what you need. We've had a similar setup for years and never had any issues, it just works.

For those that need to know, we have HA pairs from two different vendors and run VPNs from both, traditionally one with the site-to-site and the other with the primary client VPN. We did briefly have three HA pairs in parallel, but that was just too much 🤣

PhilipDAth

What traffic do you want to go to what firewall cluster, and which is the primary firewall cluster (Palo Alto or Meraki)?

Senan_Rogers

Hello Philip,

In the diagram, it shows that the Voice VLAN 200 will go to the MX only, and the Azure VLAN will go to the Palo Alto.

We will have one MX primary and one Palo Alto primary.

cmr

I think the diagram is very confusing with the voice VLAN appearing to go to what I assume are the MXs and then not really anywhere.

You have Azure on a LAN interface on the Palo Altos and a WAN interface for unknown traffic. As @PhilipDAth said, what are you trying to achieve, why do you want the MXs, is it just for the voice traffic, and if so, how much voice traffic do you have that requires dedicated MX hardware? We use Cisco ISRs for SIP trunk termination as they have hardware resources for transcoding etc.

Senan_Rogers

Hello Guys,

Thank you for all your replies.

I have found a way to simplify the failover scenario; below is a draft design for your reference.

Senan_Rogers_1-1592266040737.png

Again thank you.
