Meraki

Community

MERAKI MX DEDICATE HA PORT CONNECTIVITY

Solved
MakaraMEAS
Getting noticed
‎Mar 18 2022 6:36 PM
‎Mar 18 2022 6:36 PM

MERAKI MX DEDICATE HA PORT CONNECTIVITY

Dear Community,

I would like to start this topic, cause I heard from local IT pro said we can connect port HA directly. I am not sure on this, can someone advise it is possible to have dedicate port connectivity port HA on Meraki MX in both NAT/ROUTE mode or VPN Concentrator? and how it works?

 

Thank you,
Makara(Mr.)

M.MAKARA
1 Accepted Solution
Ryan_Miles
Meraki Employee All-Star Meraki Employee All-Star
Meraki Employee All-Star
‎Mar 18 2022 7:33 PM
‎Mar 18 2022 7:33 PM

As the other person mentioned we recommend having the VRRP path(s) be over downstream switching links. It works fine with a direct MX to MX link, but there's really no advantage to doing it. VRRPs are sent on all VLANs so there's no concept of a dedicated "heartbeat" link or VLAN.

 

Also, if you had a “box” design of MX1 to MX2, MX1 to SW1, MX2 to SW2, and SW1 to SW2 you’d have path failover, but it would require more hops. For example, if the link between MX1 and SW1 failed presumably MX1 could still reach SW1 the long way through MX2 and SW2. Instead, if you connect each MX to each switch and the link between MX1 and SW1 fails it would only need to take the path to SW2 to reach SW1.

 

That is all for NAT routed mode MX.

 

For concentrator mode "1 arm mode" you only use the WAN 1 port on the MX and the VRRPs are sent on the shared VLAN connecting each MX (primary & spare) to the switching infrastructure. So, definitely no direct MX to MX link should be made in concentrator mode.

View solution in original post

9 Replies 9
Make_IT_Simple
Meraki Alumni (Retired)
Meraki Alumni (Retired)
‎Mar 18 2022 7:02 PM
‎Mar 18 2022 7:02 PM

This was the normal use for HA with Meraki but this has changed in the past couple of years. As you can see in this document, the recommended topologies are to let the VRRP heartbeat go through your switches and don't connect the MXs with each other.

 

https://documentation.meraki.com/MX/Deployment_Guides/MX_Warm_Spare_-_High_Availability_Pair#Recomme...

 

You may have a dedicated HA port between the MXs but that may cause a loop in the meraki stack. In my opinion,  the best way to implement Meraki HA is to use a switch stack downstream as demonstrated in the document above.

 

This Document explicitly  shows that you shouldn't connect the MXs with each other and let the switch downstream  forward VRRP packets:

 

https://documentation.meraki.com/Architectures_and_Best_Practices/Cisco_Meraki_Best_Practice_Design/...

In response to Make_IT_Simple
MakaraMEAS
Getting noticed
‎Mar 18 2022 8:50 PM
‎Mar 18 2022 8:50 PM

Thank you that what I found in docs. I don't know why that IT mention MX can dedicate HA port each other.

M.MAKARA
In response to MakaraMEAS
Make_IT_Simple
Meraki Alumni (Retired)
Meraki Alumni (Retired)
‎Mar 18 2022 8:55 PM
‎Mar 18 2022 8:55 PM

I would stay with what the documentation is saying, if you go outside that boundary it will not be supported. The MX will send VRRP heartbeats across all configured VLANs, so there is no actual benefit to having a dictated port. It would be great if meraki can make that happen but they should have a port only used for HA.

Inderdeep
Kind of a big deal
‎Mar 18 2022 7:27 PM
‎Mar 18 2022 7:27 PM

@MakaraMEAS " Apart from what @Make_IT_Simple  provides i would recommend you to study this below article 

https://www.willette.works/mx-warm-spare/ 

Cisco Awarded Blogs 2020/2021 https://www.thenetworkdna.com/
In response to Inderdeep
MakaraMEAS
Getting noticed
‎Mar 18 2022 8:54 PM
‎Mar 18 2022 8:54 PM

Thank you for your information, so there is no option to connect dedicate HA between MX.

M.MAKARA
Ryan_Miles
Meraki Employee All-Star Meraki Employee All-Star
Meraki Employee All-Star
‎Mar 18 2022 7:33 PM
‎Mar 18 2022 7:33 PM

As the other person mentioned we recommend having the VRRP path(s) be over downstream switching links. It works fine with a direct MX to MX link, but there's really no advantage to doing it. VRRPs are sent on all VLANs so there's no concept of a dedicated "heartbeat" link or VLAN.

 

Also, if you had a “box” design of MX1 to MX2, MX1 to SW1, MX2 to SW2, and SW1 to SW2 you’d have path failover, but it would require more hops. For example, if the link between MX1 and SW1 failed presumably MX1 could still reach SW1 the long way through MX2 and SW2. Instead, if you connect each MX to each switch and the link between MX1 and SW1 fails it would only need to take the path to SW2 to reach SW1.

 

That is all for NAT routed mode MX.

 

For concentrator mode "1 arm mode" you only use the WAN 1 port on the MX and the VRRPs are sent on the shared VLAN connecting each MX (primary & spare) to the switching infrastructure. So, definitely no direct MX to MX link should be made in concentrator mode.

In response to Ryan_Miles
MakaraMEAS
Getting noticed
‎Mar 18 2022 9:01 PM
‎Mar 18 2022 9:01 PM

Thank you so much, this is very clear and details. Really appreciate.

M.MAKARA
In response to MakaraMEAS
Inderdeep
Kind of a big deal
‎Mar 18 2022 9:12 PM
‎Mar 18 2022 9:12 PM

@MakaraMEAS : Hope all cleared now, Good Luck 

Cisco Awarded Blogs 2020/2021 https://www.thenetworkdna.com/
In response to Ryan_Miles
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Mar 20 2022 11:56 AM
‎Mar 20 2022 11:56 AM

To build further on @Ryan_Miles response (all of which I agree with), I would advocate AGAINST using a dedicated VRRP link between the MXs.  This is because it creates a loop, and MX appliances are not spanning-tree aware.

 

This can result in intermittent outages because of spanning-tree failures.  It wouldn't be so bad if MX was spanning-tree aware.

li.common.scroll-to.top
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.