High Availability setup and design.

SOLVED
MRMunemo
Getting noticed


I have 3 sites on VPLS and would like to put Meraki firewalls and switches on all sites. I also need HA for the network, please advise how the diagram and the setup would be like. Need to add another MX84 firewall for HA. What is the best firewall to use? See diagram below.

MRMunemo_0-1649948872133.png

 

1 ACCEPTED SOLUTION
GreenMan
Meraki Employee

If you have an existing MX84 and want to add a second device, running warm spare, you have to have a second MX84.   You cannot run warm spare between dissimilar MX models (this includes, for example, MX67 and MX67C).

https://documentation.meraki.com/MX/Deployment_Guides/MX_Warm_Spare_-_High_Availability_Pair

 

If you are routing between your three sites (i.e. you have a different IP subnet or group of subnets per site) then you will have a challenge here, from using MS225 switches;  while they support IP routing at layer-3, they do not support a dynamic routing protocol such as OSPF, which is supported by MS250 and higher.  If this were a green-field deployment I'd recommend a pair of MS250 switches (at least) per site, with each operating as a stack and OSPF then running between the three stacks.   You'd then have a static default route on the Site 1 stack pointing at the Virtual IP address of the upstream MX warm spare pair.

If you are running the three sites as a flat subnet you would use Spanning Tree, with the Site 1 stack as the STP Root bridge.  You may need to check that the VPLS service will carry STP frames (BPDUs) to ensure this works properly.  This would, in principle, work with MS225.   Note that such a setup would block one of the links, meaning Site 2 <-> Site 3 traffic would hairpin via Site 1.
https://documentation.meraki.com/MS/Port_and_VLAN_Configuration/Spanning_Tree_Protocol_(STP)_Overvie...
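The flat-subnet STP design above, as an added example (not from this post or from Meraki): a toy port-role calculation showing why, with the Site 1 stack as root, the Site 2 <-> Site 3 link ends up blocked so that Site 2 to Site 3 traffic hairpins via Site 1, and why a VPLS service that drops BPDUs leaves the ring as a layer-2 loop. Site names, bridge priorities and path costs are constructed; real STP works per port with received BPDUs, this only reproduces the resulting topology.

```python
import heapq
from collections import deque

# Constructed three-site topology: one switch stack per site, one VPLS link per site pair.
# Lower bridge priority wins the root election; Site 1 is deliberately made the root.
BRIDGES = {"Site1": 4096, "Site2": 32768, "Site3": 32768}
LINKS = {("Site1", "Site2"): 4, ("Site1", "Site3"): 4, ("Site2", "Site3"): 4}  # equal costs

def _root_path_costs(root, adj):
    """Dijkstra from the root bridge: cheapest cost from every bridge back to the root."""
    cost, heap = {root: 0}, [(0, root)]
    while heap:
        c, node = heapq.heappop(heap)
        if c > cost[node]:
            continue
        for nxt, w in adj[node]:
            if c + w < cost.get(nxt, float("inf")):
                cost[nxt] = c + w
                heapq.heappush(heap, (cost[nxt], nxt))
    return cost

def stp_topology(bridges, links, bpdus_carried=True):
    """Return (root, forwarding_links, blocked_links, loop_free).
    bpdus_carried=False models a VPLS service that drops BPDUs: no election runs,
    every port keeps forwarding, and a ring of three sites stays a loop."""
    if not bpdus_carried:
        return None, set(links), set(), len(links) <= len(bridges) - 1
    root = min(bridges, key=lambda b: (bridges[b], b))
    adj = {b: [] for b in bridges}
    for (a, b), w in links.items():
        adj[a].append((b, w))
        adj[b].append((a, w))
    cost = _root_path_costs(root, adj)
    forwarding = set()
    for node in bridges:
        if node == root:
            continue
        # Root port: the neighbour offering the lowest root path cost, ties by bridge ID.
        nxt = min(adj[node], key=lambda nw: (cost[nw[0]] + nw[1], bridges[nw[0]], nw[0]))[0]
        forwarding.add(tuple(sorted((node, nxt))))
    blocked = {tuple(sorted(l)) for l in links} - forwarding
    return root, forwarding, blocked, len(forwarding) == len(bridges) - 1

def forwarding_path(src, dst, forwarding):
    """BFS over forwarding links only: the path frames actually take between two sites."""
    prev, queue = {src: None}, deque([src])
    while queue:
        node = queue.popleft()
        for a, b in forwarding:
            nxt = b if a == node else a if b == node else None
            if nxt and nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    path, node = [], dst
    while node is not None:
        path.append(node)
        node = prev[node]
    return path[::-1]
```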


5 REPLIES 5
MRMunemo
Getting noticed

Thank you. I have 2x MX84, 2x MS225 switches, 1x MS120. The MS120 is for site 3.

MRMunemo
Getting noticed

Does it work if I install a 2nd internet connection on site 1 and install the 2 MX84 firewalls on site 1? All sites are on one subnet.


MRMunemo_0-1649963025579.png

 

PhilipDAth
Kind of a big deal

This is possible - you just have to think differently.

 

The VPLS network itself has to be connected to the Internet - and you need to stop thinking of it as an internal private network.  Plug in any kind of NAT router to the ONT, and then the VPLS network will plug directly into this.  This device does nothing else but provide Internet access.  If you like, you could use an MX here, but note it will not carry internal traffic.

The VPLS network will no longer use your internal IP addressing (although it will use some kind of RFC1918 addressing) or connect to your internal network.

 

Now you are your own ISP, and the VPLS network "is" the Internet at each site.

 

Now you can plug an MX in at each site, just like how you would plug the MX into the Internet.  You can use the AutoVPN over MPLS design guide.

https://documentation.meraki.com/MX/Site-to-site_VPN/Configuring_Site-to-site_VPN_over_MPLS 

 

If you want, you can layer in additional Internet connectivity (including cellular) to provide either back up or primary Internet access.  You can also add an additional MX at each site, either plugged into VPLS or only plugged into a dedicated Internet circuit (in which case, it will only be used for failover).

 

Switching would be like it is now, internal and plugged in behind each MX.

Note that you will probably find it will be cheaper to buy an Internet tail at each site.  If this is the case, it will be much easier to simply do this, and then cut over to an AutoVPN based network running off the MXs, and then decommission the VPLS network.
