MX HA Design

Solved
Anthonize
Conversationalist

Hello, 

 

I know this topic has been talked over here a couple of times, but I really didn't get the technical reason behind it.

I have two MX250s; failover is connected via a passive P2P fiber connection, and it's working. I tried a couple of failover scenarios and it worked.

 

According to Meraki, the best practice is that MX failover links must traverse a switch or stack of switches. Cisco highly recommends for all their failovers to have a P2P passive connection if applicable, so it eliminates an additional hop to troubleshoot.

I called Meraki Support this morning for something else and the personnel said they don't even bother to troubleshoot HA pair issues if Meraki best practices aren't followed.

 

My questions are, 

 

1. Why is Meraki discouraging a P2P link for the failover/heartbeat VRRP connection? What advantage do we have, especially when it's working with a passive connection?

2. If switching infrastructure (as per Meraki) is not available, and passive P2P is not allowed, what would be the next solution?

3. How to convince Meraki support personnel to think outside the guide book and troubleshoot the issue?

 

Thought of picking great minds here. 

 

Thanks in advance. 

 

1 Accepted Solution
jdsilva
Kind of a big deal

1. Why is Meraki discouraging a P2P link for the failover/heartbeat VRRP connection? What advantage do we have, especially when it's working with a passive connection?

You cannot specify a dedicated heartbeat link. There is no way to configure this. Simply putting it there does not make it so.

You want VRRP to use the links your clients are using. By trying to shortcut that you create the scenario where VRRP is working fine, but your clients are isolated and have no connectivity. If both the clients and VRRP use similar paths, VRRP more accurately reflects your clients' experience.

As well, because the MXs don't handle STP, a link between them can cause unexpected STP topologies from your switches' perspective.

 

 

2. If switching infrastructure (as per Meraki) is not available, and passive P2P is not allowed, what would be the next solution?

As in you have clients directly connected to a pair of HA MXs? Personally, I wouldn't do this. I'd rather have a single cheap dumb switch in the mix than directly connect clients to a pair of HA MXs.

3. How to convince Meraki support personnel to think outside the guide book and troubleshoot the issue?

 

In this case you should change your topology. That's ultimately the right answer. Sorry to be the bearer of bad news. 
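Added illustration (not from this thread, and not Meraki's code or a model of the real MX firmware): a small Python model of the failure mode jdsilva describes. It compares the two heartbeat placements under the same LAN fault. The single-switch topology, the link names and the "three missed advertisements" dead-peer threshold are assumptions chosen for the example.

```python
"""Toy model of where MX VRRP heartbeats travel and what clients see.

Added illustration, not Meraki's code and not a model of the real MX/VRRP
implementation: the link names, the single-switch topology and the
"three missed advertisements" dead-peer threshold are assumptions.
"""
from dataclasses import dataclass

# Assumed: the spare declares the primary dead after 3 consecutive missed
# VRRP advertisements and promotes itself.
DEAD_AFTER_MISSED = 3


@dataclass
class Topology:
    # State of each MX's LAN uplink into the client switch (constructed).
    primary_lan_up: bool = True
    spare_lan_up: bool = True
    # Path the VRRP advertisements take: "switch" (the client-facing path,
    # which is what MX actually uses) or "p2p" (a hypothetical direct
    # MX-to-MX heartbeat link, the setup the thread argues against).
    heartbeat_path: str = "switch"
    p2p_up: bool = True

    def advertisement_reaches_spare(self) -> bool:
        """Does the primary's VRRP advertisement reach the spare this interval?"""
        if self.heartbeat_path == "p2p":
            return self.p2p_up
        # Via the switch, the advertisement needs both LAN uplinks to be up,
        # so the heartbeat path and the client path fail together.
        return self.primary_lan_up and self.spare_lan_up


def vrrp_masters(topo: Topology, intervals: int = 6) -> set:
    """Run `intervals` advertisement periods; return which MXs claim master.

    The primary keeps advertising as master; the spare joins the set once it
    has missed DEAD_AFTER_MISSED advertisements in a row.
    """
    masters, missed = {"primary"}, 0
    for _ in range(intervals):
        if topo.advertisement_reaches_spare():
            missed = 0
        else:
            missed += 1
            if missed >= DEAD_AFTER_MISSED:
                masters.add("spare")
    return masters


def clients_reach_gateway(topo: Topology) -> bool:
    """Clients sit behind the switch: they need an active MX whose LAN uplink is up."""
    lan_up = {"primary": topo.primary_lan_up, "spare": topo.spare_lan_up}
    return any(lan_up[mx] for mx in vrrp_masters(topo))


def compare(fault: str) -> dict:
    """Apply one constructed fault to both heartbeat placements.

    Returns {path: (sorted masters, clients_reach_gateway)}.
    """
    results = {}
    for path in ("switch", "p2p"):
        topo = Topology(heartbeat_path=path)
        if fault == "primary_lan_down":
            topo.primary_lan_up = False   # e.g. a failed switch port or cable on the primary
        elif fault == "spare_lan_down":
            topo.spare_lan_up = False
        elif fault != "none":
            raise ValueError(f"unknown fault {fault!r}")
        results[path] = (sorted(vrrp_masters(topo)), clients_reach_gateway(topo))
    return results


if __name__ == "__main__":
    for fault in ("none", "primary_lan_down", "spare_lan_down"):
        print(f"{fault:18s} {compare(fault)}")
```

With the primary's LAN uplink down, the switch-path model has the spare stop hearing the primary and take over, so clients still have a gateway; the dedicated-link model keeps the heartbeat healthy, the primary stays the only master, and clients are isolated exactly as the answer describes.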

4 Replies

PhilipDAth
Kind of a big deal

@jdsilva 's answer is excellent.  I would give him two kudos if I was allowed.

Anthonize
Conversationalist

I haven’t got any technical explanation other than same thing relating.

None of the firewalls participate in any STP, but they still recommend a dedicated link. The only thing I can think of is, since heartbeats run on VRRP, it might need some kind of fabric to pass IGMP.

If they require the LAN to avoid STP convergence issues, I would think there are other important things to worry about first.


cmr
Kind of a big deal

@Anthonize many other non-Meraki firewalls use a dedicated HA link (Cisco ASA, Sophos XG, WatchGuard XTM etc.) but Meraki DOES NOT, so you need to use a client-connected topology. It isn't an extra switch, just the normal switch the clients are connected to.

@PhilipDAth I gave @jdsilva a Kudo for you, but now I can't give one from me ☹️

If my answer solves your problem please click Accept as Solution so others can benefit from it.