MX behind firewall and switch stack

ksumann
Getting noticed

Hello everyone

Our current setup looks like this:

FW -- Switch -- MX as Hub

Now we want to create a switch stack to keep everything up in case of a switch failure.

Additionally we have set manual NAT traversal for the MX.

The plan was to connect one WAN port to one switch of the stack.

So how can we achieve this?

- It's not possible to define an alternate NAT traversal port, so we cannot define a second port forwarding (to the IP of WAN2) on the firewall

- It's not possible to share the same IP between WAN1 and WAN2

- Manually setting the same IP on WAN1 and WAN2, both connected to the stack, will give an IP address conflict (obviously)

- It's not possible to use LACP with WAN1 and WAN2
KarstenI
Kind of a big deal

One concentrator on stack-member 1, one concentrator on stack member 2. Both MX running in warm spare mode.

alemabrahao
Kind of a big deal

Refer to the documentation.
https://documentation.meraki.com/MX/Deployment_Guides/MX_Warm_Spare_-_High_Availability_Pair

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
ksumann
Getting noticed

So there is no way with only one MX?

[I agree that this is still a single point of failure]

KarstenI
Kind of a big deal

No:

Interface Configuration

The MX WAN appliance being configured as a one-armed VPN concentrator should be connected to the upstream datacenter infrastructure using its Internet port, or using the Internet 1 port on device models with two Internet uplink ports.

ksumann
Getting noticed

I forgot to mention that it is configured in routed mode.

The idea was that if the primary switch fails, WAN1 would fail and traffic would thus go over WAN2 and Switch 2.

I guess it would work if there were no port forwarding rule needed.

KarstenI
Kind of a big deal

This information is not that unimportant ...

Is there also only one ISP on the firewall?

On the MX, you could use the same IP on both WANs, but it doesn't help, as the firewall needs to differentiate both WAN ports. If you set them to different IPs, I would assume that it would work if the ISP firewall doesn't mess up the NAT. But that could be solved with two dedicated 1:1 translations on the firewall.

Still, if a customer approached me with this design, I would think they wanted to kid me.
