MX HA Mode with Public IP

Adeldardari
Here to help

Hi, 

We are trying to get 2 x MX deployed in HA mode at a site. The issue is that the service provider is only providing us a /30 peering IP address with their NTU. We asked them to support one of the following options:

  • To provide connectivity to both of our MXs, we may need an IP range with subnet mask of /29, which will provide the capacity to connect 6 hosts. This will eventually suffice our requirement to provide IP addresses to both of our MXs.

Option 2: Providing an extra port at the NTU with a new IP range of /30

  • To provide connectivity to both of our MXs, we may need an extra port at NTU with a new IP range of /30, which will suffice our requirement to provide IP addresses to both of our MXs.

The problem is that the ISP came back and said they don't support any of the above options (or won't support them) and that the only thing they can do is to provide us with /29 public IP addresses which we can statically route into our internal network. Would this solution work? If yes, how would you configure it?

KarstenI
Kind of a big deal

My first opinion is that this is the wrong ISP for your needs.

I never tested the setup as suggested with only MXes, but I assume that it will not work. The ISP's next hop can only be the first MX, and from there you have no route to the other MX.

It could be solved with an additional L3 device between the NTU and the MXes, but that is another single point of failure.

Perhaps getting a second ISP connection with another /30 could be the best solution, at least if the ISP is not that expensive.

Ventsy
Here to help

I have this config in one of my sites.

I have a /29 from one of the ISPs.

You need 3 IP addresses to be able to work in HA:

one for MX1, one for MX2 and one to connect both MXs in HA (called the Virtual IP).

Then you will use your Virtual IP for inbound and outbound connections.

Adeldardari
Here to help

So how does it work? Did you configure the virtual IP address with the other IPs on the same VLAN? I am trying to map the traffic flow logically: my LAN traffic would have the VIP as its gateway, then the VIP would forward the traffic to the physically active interface with a real IP on it, and that interface would just reach the PE router?

And what happens with the ingress packets coming from the ISP?


Ventsy
Here to help

I used this document to configure it - https://documentation.meraki.com/MX/Deployment_Guides/MX_Warm_Spare_-_High_Availability_Pair

In short:

I have a switch with VLANs configured:

VLAN 10 - ISP (ports 1, 2, 3)

VLAN 20 - LAN

On VLAN 10 I put the ISP media converter or router (depending on how it is terminated) - port 1
wan1 on MX1 is connected by cable to the switch in VLAN 10 - port 2
wan1 on MX2 is connected by cable to the switch in VLAN 10 - port 3

All IP addresses from the ISP are in the same subnet - both for the MXs and the virtual IP.

Port 3 on the MX is connected to the switch in VLAN 20 - internal network.

Port 3 also has a VLAN configured with the gateway for the internal network.
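As an added example (not code from this thread or from Meraki's documentation), a small Python address planner that applies the rule above: on the shared WAN subnet an HA pair needs one address per MX WAN interface plus the shared virtual IP, on top of the one the ISP keeps for its own side, so the /30 offered in the question cannot fit it while a /29 can. The prefixes and gateway address are constructed values.

```python
import ipaddress

# Addresses an MX warm-spare pair needs on the shared WAN subnet, per the thread:
# one per WAN interface plus the shared virtual IP (VIP) that carries traffic.
ROLES = ("MX1 wan1", "MX2 wan1", "virtual IP")


def plan_wan_subnet(prefix: str, isp_gateway: str) -> dict:
    """Allocate HA-pair addresses from an ISP-assigned subnet.

    prefix and isp_gateway are constructed inputs (e.g. "203.0.113.8/29" and
    "203.0.113.9"); nothing here comes from the thread's screenshots.
    Returns a plan dict with 'ok' False and a 'reason' when the subnet is too small.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    gw = ipaddress.ip_address(isp_gateway)
    if gw not in net:
        raise ValueError(f"gateway {gw} is not inside {net}")

    # hosts() already drops the network and broadcast addresses; the ISP's
    # NTU/PE side takes one more, so only what is left can go to the MXs.
    free = [h for h in net.hosts() if h != gw]
    plan = {
        "network": str(net),
        "gateway": str(gw),
        "usable_after_gateway": len(free),
        "assignments": {},
        "ok": False,
        "reason": "",
    }
    if len(free) < len(ROLES):
        plan["reason"] = (
            f"{net} leaves {len(free)} address(es) after the ISP gateway; "
            f"an HA pair needs {len(ROLES)} (two WAN IPs plus the VIP)"
        )
        return plan

    plan["assignments"] = {role: str(addr) for role, addr in zip(ROLES, free)}
    plan["ok"] = True
    plan["reason"] = "enough addresses for both WAN interfaces plus the VIP"
    return plan


if __name__ == "__main__":
    # The two cases from the thread: the /30 the ISP offered vs. a /29 that works.
    for prefix, gw in (("203.0.113.0/30", "203.0.113.1"), ("203.0.113.8/29", "203.0.113.9")):
        print(plan_wan_subnet(prefix, gw))
```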

PhilipDAth
Kind of a big deal

I would be looking at using a different ISP.

 

Other options:

  • Ask the ISP if they can include a router (at a cost) with a 4 port switch that they can present the /29 on.
  • You buy a router with a 4 port switch. It connects to the ISP via the /30 link, and presents the /29 on its switch ports.

In both cases, the router goes where the "WAN switch" is in your diagram. I don't know how fast your Internet circuit is, but perhaps something like a Cisco C1111-4P or a Cisco C1111-8P (the 1111-8P will flat line a Gigabit circuit all day long). The 4P has 4 LAN ports, the 8P has 8 LAN ports (and it is much faster).

https://www.cisco.com/c/en/us/products/collateral/routers/1000-series-integrated-services-routers-is... 

Adeldardari
Here to help

Thanks for the replies. Yeah, I am aware of the extra L3 device that would be needed and the fact that it comes with extra complexity. I was wondering if there is any other solution using a public IP assigned from the ISP, but I guess there isn't.

Moving forward, introducing a 2nd ISP (or a 2nd internet service) was on the table, although we would end up with each MX tied to one service only.

Thinking about it, we actually have a Meraki LTE router (MG21) that comes with two LAN ports, one PoE and one non-PoE. The PoE port is currently connected to the primary MX as a secondary uplink; I will see if I can use the other port and connect it to the backup MX (hopefully power won't be an issue, as we don't have an adapter so we are using the PoE port).

Adeldardari
Here to help

Just an update: the service provider did not provide us a /29. What we did was to utilize the 2nd 4G uplink (MG21) so that MX1 gets two uplinks (fiber + 4G) and MX2 ends up with 1 uplink (4G). We made sure that both MX1 and MX2 are connected to a LAN switch with trunk ports for the keepalive mechanism.

We dropped MX1 and failover worked.
