MX HA and WAN Failover

Sleiman
Here to help


Hello, I'm deploying 2 MX45s in an active standby (warm spare) setup and would like some guidance.

The MXs will connect to an MS where the ISPs also connect via L2 VLANs.

We have 2 internet providers so I'll be using WAN1-2.

The LAN interface will also connect to the MS on the transit VLAN.

1. How many IPs are needed for the LAN and WAN interfaces to set up HA?

2. Can I configure 2 static default routes and fail over between the circuits if one ISP fails? What should I configure here to achieve redundancy?

Thanks

 

 

8 Replies
AjitKumar
Head in the Cloud

Hi @Sleiman 

 

I understand we need more information about your idea. Maybe a diagram will help.

However,

Question 1. We shall be needing 3 IPs from the same subnet for HA (2 for physical devices, 1 virtual IP acting as the SPOC).

Question 2. Fail-over is automatic. We need not do any configuration to achieve this.

If you prefer, you may read the following blog to understand a little more on connectivity to achieve HA on Meraki MX:

https://www.ciscomerakiindia.com/post/mx-warm-spare-ha-pair

 

Regards,
Ajit
AjitsNW@gmail.com
www.ajit.network
PhilipDAth
Kind of a big deal

Generally you need a minimum of a /29.

 

The MX monitors the WAN circuits for failure.  You should not need to configure any routing.

https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/Connection_Monitoring_for_WAN_Failo... 

GIdenJoe
Kind of a big deal

You should also use 2 MS switches to redundantly connect your 2 ISPs. These can be the same switches you use to connect the LAN side of your MXes to your network.

But be sure to follow the documentation here:

Define 3 ports on switch 1 with an external VLAN for the WAN1 circuit towards both MXes.
Define 3 ports on switch 2 with another external VLAN for the WAN2 circuit towards both MXes.

So now you only have fate sharing between one ISP and one switch.
Don't mix your external VLANs between the switches or you'll have fate sharing between ISP and MX and switch.


It's actually a stack of 3 switches and that's pretty much how I got them connected. What about the LAN interfaces? Is one shared IP enough? Here's a diagram.

cmr
Kind of a big deal

On the LAN side, the MXs do indeed share one IP address and it is held by the VRRP master.

Thanks guys. I'm clear now. I want to ask you one more question about wireless guest authentication via QR code. Is that something doable? If so, can you provide me with a configuration guide and/or limitations and licensing needs? Thanks

PhilipDAth
Kind of a big deal

You can't do QR code authentication for guest access using what is built-in.  You need to use a third-party service like Splash Access.

https://www.splashaccess.com/portfolio-item/cisco-meraki-nfc-and-qr-code-authentication/ 

Thanks for all your answers. We will be turning this up tomorrow. Internet circuits are not in yet so we will be installing a temp MG21 to get us going.

How can I get this set up?

Connect the MR21 1st port to the MS to get it powered via PoE

Connect the MR21 2nd port to the MX WAN1 port

Once the DIAs are in, move the MX WAN ports to the MS corresponding VLANs?

Will this work to get the devices registered with Dashboard?
