MX LAN FAILOVER

Phantom-x
Here to help

Hello Team,

I'm deploying the architecture below:

[attached image: architecture diagram]

The WAN failover works correctly, but on the LAN side:

If I unplug port 3 of MX1, I end up in a dual master situation. I know that Meraki's recommendation is this design:

https://documentation.meraki.com/MX/Deployment_Guides/MX_Warm_Spare_-_High_Availability_Pair

but since there is no Agg-Port on the MX, I'm not really a fan of dealing with STP.

 

My first question:

Is it normal to have a dual master situation with this design? In the documentation, Meraki says that we need to have at least one downlink port:

Fully Redundant (Switch Stack)

In this architecture, the Primary and Secondary MXs are connected via a downstream switch stack. Each switch has at least one uplink to each MX. This ensures that there is no single point of failure in the topology. 

My second question: what warm spare design are you deploying in your environment?

Thanks in advance
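To reason about the first question, here is a small connectivity model of the two LAN designs discussed in the thread. It is an added illustration, not code from the original poster or from Meraki's documentation. The model is a deliberate simplification (an assumption, not Meraki's actual heartbeat logic): the spare promotes itself to master when it no longer has any LAN path to the primary, and the primary keeps its role as long as it is powered, regardless of its LAN links. The node names MX1, MX2, SW1, SW2 and the link lists are constructed for the example.

```python
"""Connectivity model of the two warm-spare LAN designs.

Assumption (simplified, not Meraki's implementation): the spare becomes
master when it has no LAN path to the primary; the primary stays master
while powered. The WAN side is not modelled.
"""
from collections import deque

Link = frozenset  # undirected link between two node names

# Design A (the poster's): one LAN uplink per MX, switches form a stack.
DESIGN_A = {
    Link({"MX1", "SW1"}),   # MX1 port 3
    Link({"MX2", "SW2"}),   # MX2 port 3
    Link({"SW1", "SW2"}),   # stack link
}

# Design B ("Fully Redundant (Switch Stack)"): each switch has an uplink
# to each MX. The extra links form loops, which is why STP (or the stack)
# must block some of them in a real deployment.
DESIGN_B = DESIGN_A | {Link({"MX1", "SW2"}), Link({"MX2", "SW1"})}


def reachable(links, src, dst):
    """Breadth-first search over the undirected link set."""
    adj = {}
    for link in links:
        a, b = tuple(link)
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    seen, queue = {src}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return True
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


def roles_after_failure(links, failed):
    """Return (MX1 role, MX2 role) after the given single link fails."""
    alive = {link for link in links if link != failed}
    heartbeat_path = reachable(alive, "MX1", "MX2")
    mx1 = "master"                                   # primary keeps role
    mx2 = "spare" if heartbeat_path else "master"    # spare promotes itself
    return mx1, mx2


def is_dual_master(links, failed):
    """True when both units claim master after the failure."""
    return roles_after_failure(links, failed) == ("master", "master")


def lan_still_has_gateway(links, failed):
    """Does the LAN (represented by SW1) still reach at least one MX?"""
    alive = {link for link in links if link != failed}
    return reachable(alive, "SW1", "MX1") or reachable(alive, "SW1", "MX2")


def single_link_failures(links):
    """Map every single-link failure to whether it yields dual master."""
    return {tuple(sorted(link)): is_dual_master(links, link) for link in links}


if __name__ == "__main__":
    port3 = Link({"MX1", "SW1"})   # the cable the poster unplugged
    for name, design in (("A (one uplink per MX)", DESIGN_A),
                         ("B (fully redundant)", DESIGN_B)):
        print(name, "after MX1 port 3 fails:", roles_after_failure(design, port3))
        print("  all single-link failures:", single_link_failures(design))
```

Running it shows why the two designs behave differently: in design A, pulling MX1 port 3 (or losing the stack link) severs the only LAN path between the two units, so MX2 promotes itself while MX1 is still up and the pair ends in master/master. In design B, every single-link failure leaves at least one path between MX1 and MX2, so the spare keeps hearing the primary and stays spare. The model also confirms the point raised later in the thread: in design A the LAN still has a working gateway (MX2) even in the dual-master case.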

12 Replies
DarrenOC
Kind of a big deal

Hi @Phantom-x, why have you digressed from the recommended design?

This is the way we've done all our HA implementations and we've had no issues. It just works.

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
Claes_Karlsson
Getting noticed

I would go with this one. Just make sure STP is enabled, then it is super easy with the recommended setup. You only have to use two more ports on the MXs and MSs to accomplish this.

[attached image: proposed topology]

cmr
Kind of a big deal

@Phantom-x, with a physical stack of switches the STP seems to be reliable, as in @Claes_Karlsson's post; if you had a separate pair of switches, then the option shown by @DarrenOC seems to be less troublesome. Having said that, we have both options on our HA MX to Cisco 3850 stacks and neither has caused us any actual issues in over a year, unless you reboot the whole stack, and then the AutoVPN goes mad while the 3850s take ~15 minutes to reboot...

If my answer solves your problem please click Accept as Solution so others can benefit from it.
Phantom-x
Here to help

Dear all,

Yes, I agree with you all, but what I did not understand is why we don't have some kind of port tracking on the MX LAN ports to prevent a split brain situation?

PhilipDAth
Kind of a big deal

What issue does this create?

If only one of them is connected to the LAN because of the failure, who cares if the other one goes into master mode as well?

The LAN will continue to be able to access things externally. AutoVPN will continue to work to the unit that still has the LAN connection.

Phantom-x
Here to help

Hello @PhilipDAth,

I agree with you if we look only at the outgoing traffic (from LAN to WAN), but for the return traffic (WAN to LAN), if the warm spare is configured with a virtual IP for the NAT instead of the interface IP, I think it can lead to network problems.

PhilipDAth
Kind of a big deal

Do you need to use the virtual IP? If not, just turn it off.

Phantom-x
Here to help

Yeah, I need it, I will explain why:

When I use the virtual IP instead of the physical interfaces, in case of MX1 failure the IPsec does not need to be re-established and the failover is quite smooth.

PhilipDAth
Kind of a big deal

Are you referring to AutoVPN? The failover without using the virtual IP is only about 30s...

Phantom-x
Here to help

Yes, exactly, AutoVPN. Agreed, but in some cases 30s can be a problem, if the MX cluster for example is used as a VPN concentrator.

PhilipDAth
Kind of a big deal

> if the MX cluster for example is used as a VPN concentrator

Then it would only have a single wired connection to the network. Consequently, you can't end up with a master/master situation. It's either online or not with a single cable.

Phantom-x
Here to help

Sorry, VPN hub 🙂, because I'm using my hub in routed mode instead of concentrator mode.