MERAKI MX DEDICATE HA PORT CONNECTIVITY

SOLVED
MakaraMEAS
Getting noticed

MERAKI MX DEDICATE HA PORT CONNECTIVITY

Dear Community,

I would like to start this topic, cause I heard from local IT pro said we can connect port HA directly. I am not sure on this, can someone advise it is possible to have dedicate port connectivity port HA on Meraki MX in both NAT/ROUTE mode or VPN Concentrator? and how it works?

 

Thank you,
Makara(Mr.)

M.MAKARA
1 ACCEPTED SOLUTION
Ryan_Miles
Meraki Employee
Meraki Employee

As the other person mentioned we recommend having the VRRP path(s) be over downstream switching links. It works fine with a direct MX to MX link, but there's really no advantage to doing it. VRRPs are sent on all VLANs so there's no concept of a dedicated "heartbeat" link or VLAN.

 

Also, if you had a “box” design of MX1 to MX2, MX1 to SW1, MX2 to SW2, and SW1 to SW2 you’d have path failover, but it would require more hops. For example, if the link between MX1 and SW1 failed presumably MX1 could still reach SW1 the long way through MX2 and SW2. Instead, if you connect each MX to each switch and the link between MX1 and SW1 fails it would only need to take the path to SW2 to reach SW1.

 

That is all for NAT routed mode MX.

 

For concentrator mode "1 arm mode" you only use the WAN 1 port on the MX and the VRRPs are sent on the shared VLAN connecting each MX (primary & spare) to the switching infrastructure. So, definitely no direct MX to MX link should be made in concentrator mode.

View solution in original post

9 REPLIES 9
Make_IT_Simple
Meraki Alumni (Retired)
Meraki Alumni (Retired)

This was the normal use for HA with Meraki but this has changed in the past couple of years. As you can see in this document, the recommended topologies are to let the VRRP heartbeat go through your switches and don't connect the MXs with each other.

 

https://documentation.meraki.com/MX/Deployment_Guides/MX_Warm_Spare_-_High_Availability_Pair#Recomme...

 

You may have a dedicated HA port between the MXs but that may cause a loop in the meraki stack. In my opinion,  the best way to implement Meraki HA is to use a switch stack downstream as demonstrated in the document above.

 

This Document explicitly  shows that you shouldn't connect the MXs with each other and let the switch downstream  forward VRRP packets:

 

https://documentation.meraki.com/Architectures_and_Best_Practices/Cisco_Meraki_Best_Practice_Design/...

Thank you that what I found in docs. I don't know why that IT mention MX can dedicate HA port each other.

M.MAKARA
Make_IT_Simple
Meraki Alumni (Retired)
Meraki Alumni (Retired)

I would stay with what the documentation is saying, if you go outside that boundary it will not be supported. The MX will send VRRP heartbeats across all configured VLANs, so there is no actual benefit to having a dictated port. It would be great if meraki can make that happen but they should have a port only used for HA.

Inderdeep
Kind of a big deal
Kind of a big deal

@MakaraMEAS " Apart from what @Make_IT_Simple  provides i would recommend you to study this below article 

https://www.willette.works/mx-warm-spare/ 

Regards/Inder
Cisco IT Blogs awarded in 2020 & 2021
www.thenetworkdna.com

Thank you for your information, so there is no option to connect dedicate HA between MX.

M.MAKARA
Ryan_Miles
Meraki Employee
Meraki Employee

As the other person mentioned we recommend having the VRRP path(s) be over downstream switching links. It works fine with a direct MX to MX link, but there's really no advantage to doing it. VRRPs are sent on all VLANs so there's no concept of a dedicated "heartbeat" link or VLAN.

 

Also, if you had a “box” design of MX1 to MX2, MX1 to SW1, MX2 to SW2, and SW1 to SW2 you’d have path failover, but it would require more hops. For example, if the link between MX1 and SW1 failed presumably MX1 could still reach SW1 the long way through MX2 and SW2. Instead, if you connect each MX to each switch and the link between MX1 and SW1 fails it would only need to take the path to SW2 to reach SW1.

 

That is all for NAT routed mode MX.

 

For concentrator mode "1 arm mode" you only use the WAN 1 port on the MX and the VRRPs are sent on the shared VLAN connecting each MX (primary & spare) to the switching infrastructure. So, definitely no direct MX to MX link should be made in concentrator mode.

Thank you so much, this is very clear and details. Really appreciate.

M.MAKARA

@MakaraMEAS : Hope all cleared now, Good Luck 

Regards/Inder
Cisco IT Blogs awarded in 2020 & 2021
www.thenetworkdna.com

To build further on @Ryan_Miles response (all of which I agree with), I would advocate AGAINST using a dedicated VRRP link between the MXs.  This is because it creates a loop, and MX appliances are not spanning-tree aware.

 

This can result in intermittent outages because of spanning-tree failures.  It wouldn't be so bad if MX was spanning-tree aware.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels