MX Architecture with Dual WAN

tnath
New here

Hi Everyone,

I hope this message finds you well. This is my inaugural post, and I am seeking guidance on implementing a resilient network for a mini data center. Currently, we have one MX at the location connected to satellite sites via auto site-to-site VPN.

Below is the network diagram I've planned to implement, and I would appreciate feedback on its suitability for our requirements and any potential challenges.

  1. HW/ISP Resiliency

    • To ensure hardware and ISP resiliency, two MX devices will be deployed, each connecting to a different ISP.
    • Can both MX units function together to balance the load and provide High Availability (HA)? If so, how will the licensing work?
  2. Site-to-Site VPN

    • How would site-to-site VPN function when we have two MX devices?
  3. DHCP Service

    • With two MX units, how will the DHCP service work? What happens if the MX responsible for DHCP fails?
  4. VLAN Configuration

    • Do I need to create the same VLANs on both MX units and Layer 3 switches?

Understanding and Confirmation

  • If we have Layer 3 switches capable of inter-VLAN routing and the same VLANs configured on both the L3 switches and the Meraki MXs, is it accurate to state that traffic between different VLANs on the same switch generally doesn't need to traverse the Meraki MX devices?

  • Local VLAN Communication on L3 Switch - Traffic within the same VLAN on the L3 switch remains local, utilizing the Layer 3 functionality of the switch for routing between devices in different subnets/VLANs on the switch itself.

  • Inter-VLAN Routing on L3 Switch - If devices in different VLANs on the L3 switch need to communicate, the Layer 3 switch can internally route the traffic between VLANs without involving the Meraki MXs.

  • Internet-bound Traffic - When a device in one of the VLANs needs internet access, the Layer 3 switch routes the traffic to the Meraki MX, serving as the gateway. The MX handles NAT and forwards the traffic to the ISP.

I would greatly appreciate any insights, recommendations, or corrections you can provide.

[Attachment: MerakiDC_NetworkProposal.jpg]

GIdenJoe
Kind of a big deal

Hey there,
An MX HA pair is an active-passive pair of two identical devices.
You will require only 1 license for the pair.

It would be a much better idea to have both MXes connect to both ISPs, especially if you want to use the virtual WAN IP function. You can use upstream switching to accomplish this.

All config happens in dashboard and will be applied to both. Only the active MX will respond to DHCP messages.

If you can use a stack of L3 switches that would be even better, because you cannot have static ECMP routes from your MXes to downstream devices like L3 switches.

The recommended cabling setup is to connect each MX to each L3 switch directly on the same VLAN. No connections are required between the MXes themselves. And the link between the L3 switches should be a stack (physical or virtual (flexible)).

In the case of non-Meraki VPNs (VPNs from this MX to external partners), they will be made on the primary uplink if online, and on the virtual IP if you use this feature.
In the case of Meraki VPNs you can use both WANs simultaneously to do SD-WAN uplinks to other locations that are also in your Meraki dashboard. These will also use the virtual IP on each WAN of the active device.

The virtual IP will move to the spare device if the primary fails, while both devices each have their own physical uplink IP.

Inter-VLAN switching will make it so that traffic does not reach the MX devices. If you really want that, you will need to not make an interface on the L3 switch and have the VLAN on the trunk between the L3 switches and the MXes.

Thank you for the prompt response.

Is it possible to use an Active/Active MX pair?

The satellite office uses a Meraki MX. Do I need to create a virtual IP, or is it created automatically?

Do I need to create the same VLANs on the Meraki dashboard and the Layer 3 switches?

Could you please elaborate on your last statement?

"Inter-VLAN switching will make it so that traffic does not reach the MX devices. If you really want that, you will need to not make an interface on the L3 switch and have the VLAN on the trunk between the L3 switches and the MXes."

GIdenJoe
Kind of a big deal

- The MX HA pairs are always active-passive. There is no active-active option. You would need a second set of MXes and good L3 switch routing to be able to achieve this.

- If you are terminating your VLANs on the L3 switches and they are not Meraki switches, then you will have to create the VLANs there and have an uplink VLAN that exists between the L3 switches and the MX pair. If they are Meraki L3 switches, then you have to create the VLANs in the routing and DHCP page in the switch section of dashboard. You will also have a VLAN on the MX pair that leads to the L3 switches, and static routes leading to the VLANs via the next hop (L3 switches). Because you cannot do ECMP (= multiple times the same route with a different next hop), you will need your L3 switches to be one logical unit (stack).

- In smaller networks you could choose to not route on your L3 switches and just terminate all VLANs on the MX, which simplifies a lot but makes it so that the MX routes all inter-VLAN traffic too, which can cause a larger load on the MXes. So this can only be done if your network only has one distribution block and you expect the majority of traffic to be north-south (from VLANs to internet and back), not too much east-west (between VLANs).

- The last point explains your final question a bit:
You can choose to route on your L3 switches between your VLANs, so you have line-rate forwarding between VLANs but less fine-grained control between your VLANs.

Or you can choose to route on your MX, where you are limited to the forwarding speed of the MX model for all your traffic (north-south + east-west) but you have better firewall controls and the advantage of stateful rules.

Edit: I forgot to add the info about the virtual IPs. So you can only use a virtual IP if the ISP router allows fixed IPs in those segments. The virtual IP has to be defined for both WAN interfaces if you use 2 ISPs, and it has to be a different IP than the physical IPs on both the active and spare units.
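Two of the constraints in the replies above are easy to get wrong when the design is typed into the dashboard: the virtual IP on each WAN must sit in the ISP segment and differ from the physical IPs of both units, and the MX accepts no ECMP, so a destination prefix may only have one next hop (the stacked L3 switches). The script below is an added example, not code from this thread or from Meraki: a small design lint that encodes exactly those two rules. The class names `WanUplink` and `StaticRoute`, the function names and every address (RFC 5737 documentation ranges) are constructed for the illustration.

```python
"""Design lint for an MX HA pair with dual WAN (added example, not Meraki code).

Rules encoded from the discussion:
  1. Every WAN needs a virtual IP inside the ISP segment that differs from the
     physical IP of both the active and the spare unit.
  2. No ECMP on the MX: one destination prefix may not appear with two
     different next hops; point it at a single stacked L3 switch instead.
All addresses are constructed documentation-range examples.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class WanUplink:
    name: str
    isp_subnet: str               # segment handed out by the ISP router
    primary_ip: str               # physical IP on the primary MX
    spare_ip: str                 # physical IP on the spare MX
    virtual_ip: Optional[str] = None


@dataclass
class StaticRoute:
    destination: str              # e.g. "10.10.0.0/16"
    next_hop: str                 # e.g. the L3 switch stack's uplink address


def check_virtual_ips(uplinks: List[WanUplink]) -> List[str]:
    """Return one message per virtual-IP rule violation (empty list means OK)."""
    problems: List[str] = []
    for u in uplinks:
        net = ipaddress.ip_network(u.isp_subnet)
        primary = ipaddress.ip_address(u.primary_ip)
        spare = ipaddress.ip_address(u.spare_ip)
        if primary == spare:
            problems.append(f"{u.name}: primary and spare share the physical IP {primary}")
        for label, ip in (("primary", primary), ("spare", spare)):
            if ip not in net:
                problems.append(f"{u.name}: {label} IP {ip} is outside {net}")
        if u.virtual_ip is None:
            problems.append(f"{u.name}: no virtual IP defined (needed on every WAN)")
            continue
        vip = ipaddress.ip_address(u.virtual_ip)
        if vip not in net:
            problems.append(f"{u.name}: virtual IP {vip} is outside {net}")
        if vip in (primary, spare):
            problems.append(f"{u.name}: virtual IP {vip} collides with a physical IP")
    return problems


def check_static_routes(routes: List[StaticRoute]) -> List[str]:
    """Flag destination prefixes configured with more than one next hop."""
    hops_by_dest: Dict[ipaddress.IPv4Network, Set[ipaddress.IPv4Address]] = {}
    for r in routes:
        dest = ipaddress.ip_network(r.destination)
        hops_by_dest.setdefault(dest, set()).add(ipaddress.ip_address(r.next_hop))
    return [
        f"{dest}: {len(hops)} next hops {sorted(map(str, hops))}; "
        "MX cannot do ECMP, use one stack address as the next hop"
        for dest, hops in hops_by_dest.items()
        if len(hops) > 1
    ]


def lint_design(uplinks: List[WanUplink], routes: List[StaticRoute]) -> List[str]:
    """Run both checks and return all findings."""
    return check_virtual_ips(uplinks) + check_static_routes(routes)


# Constructed sample design: WAN2's virtual IP wrongly reuses the primary's
# physical IP, and 10.10.0.0/16 is pointed at two unstacked switches.
SAMPLE_UPLINKS = [
    WanUplink("WAN1", "203.0.113.0/29", "203.0.113.2", "203.0.113.3", "203.0.113.4"),
    WanUplink("WAN2", "198.51.100.0/29", "198.51.100.2", "198.51.100.3", "198.51.100.2"),
]
SAMPLE_ROUTES = [
    StaticRoute("10.10.0.0/16", "10.0.0.2"),
    StaticRoute("10.10.0.0/16", "10.0.0.3"),
    StaticRoute("10.20.0.0/16", "10.0.0.2"),
]

if __name__ == "__main__":
    for finding in lint_design(SAMPLE_UPLINKS, SAMPLE_ROUTES):
        print("PROBLEM:", finding)
```

Running it on the sample prints two findings; fixing them means assigning WAN2 an unused address in its /29 as the virtual IP and collapsing the two 10.10.0.0/16 routes into one whose next hop is the address of the switch stack.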
