How to merge Main MX85 Firewall and Spare firewall uplink and utilize both uplink at the same time?

ALEEF
New here

How to combine the uplinks of the primary MX85 firewall and the backup firewall to utilize both simultaneously for improved speed and data capacity. This setup should also ensure uninterrupted operation by keeping the firewall active if one uplink fails.

RWelch
A model citizen

My apologies - I just re-read your Q and realized you were referring to two MX devices.  Wrong link shared above (dual wan vs dual MX).  Comprehension - some days are better than others (for me), sorry.

KarstenI
Kind of a big deal

Just connect both firewalls to both uplinks, and the rest is in the link from @RWelch 

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
Brash
Kind of a big deal

You either need:

  - Two physical links for each service as hand-off from your ISP. You then plug one into each firewall

  - To place a switch (or 2) upstream of the firewalls. You connect the ISP handoff and the firewalls to the switch and use VLANs to 'connect' them.
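
Added example, not part of Brash's post: a sketch of the second option (a switch upstream of the firewalls), written as Cisco IOS-style switch configuration. The switch platform, the VLAN IDs 101/102 and all port numbers are assumptions chosen for illustration.

```cisco
! Constructed example. VLAN IDs and interface numbers are hypothetical.
! One VLAN per ISP service; each VLAN holds exactly three access ports:
! the ISP handoff, the primary MX85 uplink and the spare MX85 uplink.
vlan 101
 name ISP1-HANDOFF
vlan 102
 name ISP2-HANDOFF
!
interface GigabitEthernet1/0/1
 description ISP1 handoff
 switchport mode access
 switchport access vlan 101
!
interface GigabitEthernet1/0/2
 description Primary MX85 WAN1
 switchport mode access
 switchport access vlan 101
!
interface GigabitEthernet1/0/3
 description Spare MX85 WAN1
 switchport mode access
 switchport access vlan 101
!
interface GigabitEthernet1/0/11
 description ISP2 handoff
 switchport mode access
 switchport access vlan 102
!
interface GigabitEthernet1/0/12
 description Primary MX85 WAN2
 switchport mode access
 switchport access vlan 102
!
interface GigabitEthernet1/0/13
 description Spare MX85 WAN2
 switchport mode access
 switchport access vlan 102
!
! No "interface Vlan101" / "interface Vlan102" is defined, so the switch
! itself has no IP address on either ISP-facing segment.
```

A single upstream switch carries both ISP services and is therefore a single point of failure, which is why the post allows for two.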

espenvp
Getting noticed

Active-active and active-passive are two high-availability (HA) configurations for firewalls, each with its own advantages and disadvantages; however, the Meraki MX85 does not support active-active operation.

Active-active operation does, however, have a few "caveats"...

  - Complexity: Active-active configurations are more complex to design and manage. Both firewalls are actively processing traffic, which requires advanced design concepts and additional configuration, such as activating networking protocols on both firewalls and replicating NAT pools.

  - Troubleshooting: It is significantly easier to troubleshoot routing and traffic flow issues in an active-passive setup. In active-active mode, both firewalls maintain their own session and routing tables, which can complicate troubleshooting efforts.

  - Layer 2 Deployment: Active-passive mode supports Layer 2 deployments, whereas active-active mode does not. This can limit the applicability of active-active configurations in certain network environments.

  - DHCP Support: In active-active mode, only the active-primary firewall can function as a DHCP Relay. If the active-secondary firewall receives DHCP broadcast packets, it drops them. This limitation does not exist in active-passive mode.

  - Load Balancing: Active-active configurations do not inherently load-balance traffic. While you can load-share by sending traffic to the peer, no true load balancing occurs. This can lead to inefficiencies in traffic management.

  - Cost and Resource Utilization: Active-active configurations can be more resource-intensive and costly, as both firewalls are actively processing traffic. In contrast, active-passive setups have one firewall in standby mode, which can be more cost-effective and simpler to manage.


Overall, active-passive configurations are often preferred for their simplicity, ease of troubleshooting, and lower resource requirements, making them suitable for many network environments.

-Espen
KarstenI
Kind of a big deal

ChatGPT? The Answer doesn't really match the question ...

espenvp
Getting noticed

He is asking how to combine both uplinks on both the primary and secondary firewall, as I understood it - that means an active-active mode of operation in addition to load-balancing the WAN1 and WAN2 ports of the MX.

Active-active mode of operation is not supported by MX.


The bullets provided are sourced from the "internet", yes; they are more a list of arguments for why an active-active mode of operation is not always preferable and should be considered carefully. Unfortunately, ChatGPT was not involved in that process.

-Espen