Hi Meraki Community, I hope everyone is doing okay on this Monday. I would like your opinion / help.
I have uploaded a basic network topology that has worked well up till now. However, the user base is growing and the office MX80 is starting to hit very high CPU and max out at times. I have been quoted for an MX84 as its replacement, but I am not sure that this will work for the long term, which is why I reached out to ye guys.
Some points:
- Edge SW in place to extend ISP public IP range.
- 3 switches are not bonded and uplinks are over copper to the LAN interface of the MX
The 2nd point is my first concern. The MX84 will have a better CPU etc but the uplinks will still be 1GB. For a 10GB pipe, I would need to go for the MX250 which is outside budget.
Another concern is that the edge SW is a single point of failure and would require someone in the server room to bypass the SW - no automatic fail over.
Any suggestions would be appreciated.
What's your user count? What's your projected user growth in the next 2-3 years?
Are you asking the MX to route, or do you have an L3 switch and I'm misreading your diagram?
Hello Nash, thanks for getting back to me, very much appreciated.
User count will probably grow to 120 users, up from around 70 that we have currently.
The MX, at present, is doing the routing. The MS42P's L3 routing is currently disabled.
Let me know if you need any further info.
My biggest question is: If you have an L3 switch inside the network, why use the MX as your router?
Using an L3 switch would let you handle your east-west traffic without having to hit the firewall. Then you could set up link aggregation and increase throughput on a local level, assuming you have the ports.
Regarding MX as routers:
MX really aren't intended to be used as routers, even though they can do it some. It makes them unhappy and eats a lot of resources.
I'd probably do you an MX100. You could SD-WAN your two ISPs for ~300 Mbps. An 84's WANs only do 320 Mbps in ideal circumstances. A 100 will do up to ~650 Mbps.
Hi Nash, thanks for your response, some really good information to take on-board.
Regarding not using the switches for L3 traffic, we don't have that much internal traffic, most platforms that clients access are SaaS based, so internal traffic would be low on the switch level.
I should have said that the test networks left and right don't hit the office MX80 and are separated. Would that change your mind regarding the L3 switch in your opinion?
That makes sense regarding the MX100 - thank you for that. Definitely worth upgrading to the MX100 over the MX84 so.
@jamesoc wrote: Hi Nash, thanks for your response, some really good information to take on-board.
Regarding not using the switches for L3 traffic, we don't have that much internal traffic, most platforms that clients access are SaaS based, so internal traffic would be low on the switch level.
I should have said that the test networks left and right don't hit the office MX80 and are separated. Would that change your mind regarding the L3 switch in your opinion?
That makes sense regarding the MX100 - thank you for that. Definitely worth upgrading to the MX100 over the MX84 so.
I was leaving those test networks out of my thoughts, yeah. 🙂
I don't think a low amount of east/west traffic really changes my mind. If you can move that traffic elsewhere onto a device designed to route, it offloads some strain from the firewall.
But regardless, I'd still probably look into an MX100. An 84 is a big improvement on an 80, but you might as well consider both larger sizes. Especially on the WAN bandwidth front.
Yeah, I'm with @Nash. MX84 is an upgrade from an MX80, it'll have about double the performance. MX100 will be even better if your budget permits that. MX250 will likely be overkill, gigabit links should be enough for you. Once you're upgrading your ISP's uplinks you should start thinking about MX250.
More info in the sizing guide:
https://meraki.cisco.com/lib/pdf/meraki_whitepaper_mx_sizing_guide.pdf
Now regarding the single point of failure of the switch, rather than reinventing the wheel I'd like to link you to a community post that talked about this specific topic very broadly:
https://community.meraki.com/t5/Security-SD-WAN/Splitting-dual-WAN-links/td-p/57859