MX LAN FAILOVER
Hello Team,
I'm deploying the below architecture.
The WAN failover is done correctly, but in the LAN part:
if I unplug port 3 of MX1, I'm facing a dual master situation. I know that the recommendation of Meraki is to have this design:
https://documentation.meraki.com/MX/Deployment_Guides/MX_Warm_Spare_-_High_Availability_Pair
but since there is no Agg-Port on the MX, I'm not really a fan of dealing with STP.
My first question:
is it normal to have a dual master situation with this design? Since in the documentation, Meraki is saying that we need to have at least one port downlink?
Fully Redundant (Switch Stack)
In this architecture, the Primary and Secondary MXs are connected via a downstream switch stack. Each switch has at least one uplink to each MX. This ensures that there is no single point of failure in the topology.
My second question: what is the warm spare design that you are deploying in your environment?
Thanks in advance.
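A small design check for the "Fully Redundant (Switch Stack)" requirement quoted above, added here as an example and not code from the original post or from Meraki. It takes the LAN-side neighbours seen on each MX (a constructed sample, loosely shaped like a per-port LLDP/CDP neighbour list; the device and port names are assumptions) and reports any switch lacking an uplink to each MX, plus any single cable or switch loss that leaves an MX with no LAN link, which is the case where the two MXs can no longer hear each other's heartbeat on the LAN and both become master.

```python
# Constructed sample: MX name -> MX LAN port -> neighbouring switch.
# This mirrors the design in the question: each MX has one downlink only.
NEIGHBOURS = {
    "MX1": {"3": "MS-stack-member-1"},
    "MX2": {"3": "MS-stack-member-2"},
}


def lan_links(neighbours):
    """Flatten the neighbour table into a set of (mx, port, switch) links."""
    return {(mx, port, sw)
            for mx, ports in neighbours.items()
            for port, sw in ports.items()}


def isolated_after(links, removed):
    """Return the MXs left with no LAN link once `removed` links are gone.

    A switch stack is assumed to be one L2 domain, so an MX is only cut off
    from its peer's heartbeat when it has no LAN link left at all.
    """
    all_mx = {mx for mx, _, _ in links}
    still_connected = {mx for mx, _, _ in (links - removed)}
    return all_mx - still_connected


def check_ha_design(neighbours):
    """Return (dual_master_prone, findings) for a warm spare pair."""
    links = lan_links(neighbours)
    switches = {sw for _, _, sw in links}
    mxs = {mx for mx, _, _ in links}
    findings = []
    # Documented design: each switch has at least one uplink to each MX.
    for sw in sorted(switches):
        for mx in sorted(mxs):
            if not any(l[0] == mx and l[2] == sw for l in links):
                findings.append(f"{sw} has no uplink to {mx}")
    # Single LAN cable failure (the "unplug port 3" case in the question).
    for link in sorted(links):
        for mx in sorted(isolated_after(links, {link})):
            findings.append(f"unplugging {link[0]} port {link[1]} isolates {mx}")
    # Single switch (stack member) failure.
    for sw in sorted(switches):
        gone = {l for l in links if l[2] == sw}
        for mx in sorted(isolated_after(links, gone)):
            findings.append(f"loss of {sw} isolates {mx}")
    return (bool(findings), findings)


if __name__ == "__main__":
    prone, notes = check_ha_design(NEIGHBOURS)
    print("dual-master prone:", prone)
    for note in notes:
        print(" -", note)
```

Feeding it a table where both MXs have a link to every stack member returns no findings, which is the topology the linked Meraki guide describes.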
Hi @Phantom-x , why have you digressed from the recommended design?
This is the way we’ve done all our HA implementations and we’ve had no issues. It just works.
https://www.linkedin.com/in/darrenoconnor/
I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
I would go with this one. Just make sure STP is enabled, then it would be super easy with a recommended setup. You only have to use two more ports on the MXs and MSs to accomplish this.
@Phantom-x with a physical stack of switches the STP seems to be reliable as in @Claes_Karlsson 's post, if you had a separate pair of switches then the option shown by @DarrenOC seems to be less troublesome. Having said that we have both options on our HA MX to Cisco 3850 stacks and neither have caused us any actual issues in over a year unless you reboot the whole stack and then the AutoVPN goes mad while the 3850s take ~15 minutes to reboot...
Dear All,
Yes, I agree with you all, but what I did not understand is why we don't have a kind of port tracking on MX LANs to prevent a split-brain situation?
What issue does this create?
If only one of them is connected to the LAN because of the failure - who cares if the other one goes into master mode as well?
The LAN will continue to be able to access things externally. AutoVPN will continue to work to the unit with the LAN connection still.
Hello @PhilipDAth,
I agree with you if we look just at the outgoing traffic (from LAN to WAN),
but for the back traffic (WAN to LAN), if the Warm Spare is configured with a Virtual IP for the NAT instead of the interface IP,
I think it can lead to network problems.
Do you need to use Virtual IP? If not - just turn it off.
Yeah, I need it, I will explain why:
when I use a Virtual IP instead of the physical interfaces, in case of MX1 failure the IPsec does not need to be established again and the failover is quite smooth.
Are you referring to AutoVPN? The failover without using virtual IP is only about 30s ...
Yes, exactly, AutoVPN. Agreed, but in some cases 30s can be a problem,
if the MX cluster for example is used as a VPN concentrator.
>if the MX cluster for example is used as VPN concentrator
Then it would only have a single wired connection to the network. Consequently, you can't end up with a master/master situation. It's either online or not with a single cable.
Sorry, VPN Hub 🙂 because I'm using my hub in routed mode instead of Concentrator Mode.