I'm deploying the architecture below.
The WAN failover works correctly, but on the LAN side:
If I unplug port 3 of MX1, I get a dual-master situation. I know that Meraki's recommendation is this design:
But since there is no Agg-Port on the MX, I'm not really a fan of dealing with STP.
My first question:
Is it normal to have a dual-master situation with this design? In the documentation, Meraki says that we need to have at least one downlink port:
In this architecture, the Primary and Secondary MXs are connected via a downstream switch stack. Each switch has at least one uplink to each MX. This ensures that there is no single point of failure in the topology.
My second question: what warm spare design are you deploying in your environment?
Thanks in advance.
Hi @Phantom-x , why have you digressed from the recommended design?
This is the way we’ve done all our HA implementations and we’ve had no issues. It just works.
I would go with this one. Just make sure STP is enabled, then it would be super easy with the recommended setup. You only have to use two more ports on the MXs and MSs to accomplish this.
@Phantom-x, with a physical stack of switches, STP seems to be reliable, as in @Claes_Karlsson's post; if you had a separate pair of switches, then the option shown by @DarrenOC seems to be less troublesome. Having said that, we have both options on our HA MX to Cisco 3850 stacks and neither has caused us any actual issues in over a year, unless you reboot the whole stack, and then the AutoVPN goes mad while the 3850s take ~15 minutes to reboot...
Yes, I agree with you all, but what I don't understand is why we don't have some kind of port tracking on the MX LAN ports to prevent a split-brain situation?
What issue does this create?
If only one of them is connected to the LAN because of the failure - who cares if the other one goes into master mode as well?
The LAN will continue to be able to access things externally. AutoVPN will continue to work to the unit with the LAN connection still.
I agree with you if we only look at the outgoing traffic (from LAN to WAN),
but for the return traffic (WAN to LAN), if the warm spare is configured with a virtual IP for NAT instead of the interface IP,
I think it can lead to network problems.
Do you need to use Virtual IP? If not - just turn it off.
Yeah, I need it; I will explain why.
When I use the virtual IP instead of the physical interfaces, in case of MX1 failure the IPsec tunnel does not need to be re-established and the failover is quite smooth.
Are you referring to AutoVPN? The failover without using virtual IP is only about 30s ...
Yes, exactly, AutoVPN. Agreed, but in some cases 30s can be a problem,
if the MX cluster is used as a VPN concentrator, for example.
>if the MX cluster for example is used as VPN concentrator
Then it would only have a single wired connection to the network. Consequently, you can't end up with a master/master situation. It's either online or not with a single cable.
Sorry, VPN hub 🙂 because I'm using my hub in routed mode instead of concentrator mode.