MX Warm Spare config

SOLVED
Jwiley78
Building a reputation

Been taking on a few bigger projects since one of our Network Engineers took a position with another company.  Not complaining, actually enjoying.  Learning a lot.

 

Project I have now is to swap a single MX80 with a setup of two MX100s in HA pair.

 

Questions I have:

I'm looking at laying out the IP addresses.  Currently only one ISP involved.  Am I correct that I need 4 public IPs for this setup?

One IP for WAN1 which will be the network's public IP

Two more Public IPs.  One for each port on the MX devices.

One for the Virtual IP that is shared between both MX devices.

 

Do the IPs for the ports and for the virtual IP need to be public IPs?

 

Thanks in advance for any help.  Didn't realize this was going to be an HA setup until the hardware arrived today.

 

https://documentation.meraki.com/MX/Deployment_Guides/MX_Warm_Spare_-_High_Availability_Pair

1 ACCEPTED SOLUTION
cmr
Kind of a big deal

If you use 3 IPs, one for the virtual one that moves between the devices then you should be fine, there is minimal packet drop during this.  If you use only two IPs then they don't migrate and you will have issues for what you are trying to achieve.

10 REPLIES
PhilipDAth
Kind of a big deal

You need a minimum of 1 public IP for each MX - so two to make a workable config.

 

Ideally if you can get 3 public IPs in the same subnet then you can enable the "virtual IP" feature (which is shared by the MXs), but this is not a compulsory requirement.

jdsilva
Kind of a big deal

Hey @Jwiley78,

 

You need a minimum of 3, max of 4. 

 

  • One for the upstream gateway (likely your ISP, but not necessarily)
  • One for the physical WAN port of each MX (two total)
  • Optionally, one IP for the VIP

These don't need to be public, but they do need reachability to the Internet, and should all be in the same subnet. 

 

The physical WAN IPs are so each MX can maintain a connection to the Meraki Cloud. The optional VIP is used to provide stateful NAT failover. If you do not require stateful NAT failover then you can omit this IP and just go with the IP for each physical WAN port.
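
A quick way to sanity-check an addressing plan against the rules in the post above, as an added example that is not part of the original thread. The function name and the sample addresses (taken from the 203.0.113.0/29 documentation range) are constructed for illustration.

```python
import ipaddress

def check_warm_spare_plan(subnet, gateway, primary_wan, spare_wan, vip=None):
    """Validate a warm-spare WAN addressing plan (hypothetical helper).

    Returns (problems, stable_nat_ip): a list of human-readable problems and
    whether outbound NAT keeps the same source IP after a failover.
    """
    net = ipaddress.ip_network(subnet, strict=True)
    roles = {"gateway": gateway, "primary WAN": primary_wan, "spare WAN": spare_wan}
    if vip is not None:
        roles["VIP"] = vip

    problems, seen = [], {}
    for role, text in roles.items():
        addr = ipaddress.ip_address(text)
        # All addresses should sit in the same subnet as the upstream gateway.
        if addr not in net:
            problems.append(f"{role} {addr} is outside {net}")
        elif net.prefixlen < 31 and addr in (net.network_address, net.broadcast_address):
            problems.append(f"{role} {addr} is the network or broadcast address")
        # Each role needs its own address: gateway, one per MX, plus the optional VIP.
        if addr in seen:
            problems.append(f"{role} and {seen[addr]} both use {addr}")
        seen.setdefault(addr, role)

    # Per the thread: only the shared VIP moves between the two MXs, so without
    # it the NAT source address changes when the spare takes over.
    stable_nat_ip = vip is not None and not problems
    return problems, stable_nat_ip

if __name__ == "__main__":
    # Constructed sample plan, not addresses from the original post.
    plans = {
        "with VIP": ("203.0.113.0/29", "203.0.113.1", "203.0.113.2", "203.0.113.3", "203.0.113.4"),
        "no VIP": ("203.0.113.0/29", "203.0.113.1", "203.0.113.2", "203.0.113.3", None),
    }
    for name, plan in plans.items():
        problems, stable = check_warm_spare_plan(*plan)
        print(f"{name}: problems={problems} stable_nat_ip={stable}")
```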

Jwiley78
Building a reputation

I need to ensure that if failover occurs that the public IP does not change due to some NAT configured on the devices.

 

Currently, I have 4 available public IPs but would like to figure out how to do it with as few as possible.  We will be rolling this out to other locations soon and I don't think I will have that many available IPs at all locations.

cmr
Kind of a big deal

If you use 3 IPs, one for the virtual one that moves between the devices then you should be fine, there is minimal packet drop during this.  If you use only two IPs then they don't migrate and you will have issues for what you are trying to achieve.

Jwiley78
Building a reputation

Okay, it's been a crazy couple weeks with my other network engineer leaving the company.  I'm finally getting around to working on the HA failover setup.  I think I have it mostly done.  Quick question:

 

The WAN IP will be your public IP while on the network, correct?  The VIP is just a failover IP.

 

I also realized since I only have 1 ISP right now it looks like I only need two public IP addresses. One for the shared IP and the WAN IP.

cmr
Kind of a big deal

@Jwiley78 the virtual IP is the one you will appear to be coming from to the rest of the world.  The other two required IPs are one for each box and are used for failover management.

Jwiley78
Building a reputation

Okay, so I had it backwards.  The virtual IP is the public one.  I also see now that I need to configure both MX devices with a WAN IP.

cmr
Kind of a big deal

@Jwiley78 yes, perfect, and the great thing is that is all there really is to do, it just gets on with it after that 😀

Jwiley78
Building a reputation

Cool, so I think I have it configured.  One last thing.

 

So Comcast fiber will only give me one port on the modem to use.  I have two thoughts on this:

 

Get an unmanaged Gbps switch to split it into two links so I can have an internet link on both MX devices.

 

Another would be to use the current switches and create a VLAN for this traffic and then back to the MX from there.

 

I think I like the first option mostly because it keeps the ISP link away from the interior network and seems less complex.

 

Thoughts?

cmr
Kind of a big deal

Option 1 every time 😎
