Meraki

grebyn86

We recently moved all the company's perimeter devices to Meraki MX. All of our locations currently have one ISP into one of the MX's WAN ports, then one of the MX's LAN ports into a Cisco, non-Meraki, switch inside our perimeter. Example;

We are looking into adding a second "backup" ISP circuit and a second Meraki MX at each location for; warm spare, high availability, failover, or whatever it is called, and could use some help with the architecture.

This is the architecture we initially came up with based on various articles, forums, ext... we found online.

As a starting point, is this architecture correct? If not, what do we need to change?

Assuming the first architecture is correct, we also came up with this architecture, which removes the MS hardware outside the perimeter. If this architecture is functionally correct, is it a secure risk to have the switch stack inside and outside the perimeter at the same time?

Thanks everyone in advance for your input and assistance.

RWelch

@Ryan_Miles might have a slide deck to share with you on best (suggested) practices.

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.

Ryan_Miles

This past thread covers this topic. While using Meraki switches for WAN breakout works, be aware it's deemed "incorrect".

Ryan

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.

grebyn86

@Ryan_Miles

Looking over the past thread you linked, and the layer 3 topology article, I am still unsure what the correct topology is for two MXs and two ISPs? Is best practice to go ISPs directly into the MX, and if an MX fails, physically move the ISP cables into the second MX?

Ryan_Miles

Using breakout switch(es) for automatic failover would be ideal vs. relying on physically moving cables to restore service.

Now whether you do this with one switch, two switches, cloud managed switches, non cloud managed switches, dedicated switches, dual purpose "inside" switches like your #2 diagram shows, etc. you're never going to find one agreed upon design. People have their preferences and beliefs and you need to find the right solution to fit your requirements (cost, manageability, redundancy).

I will refrain from saying what I'd do and leave it to others here to offer their advice and experience on what's worked for them.

Ryan

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.

grebyn86

@Ryan_Miles

From a security perspective, is having a dual purpose inside/outside switch(es) or Meraki MS switch(es) between the MXs and the ISPs, a concern? If so, I saw unmanaged switches mentioned to sit between the MXs and ISPs. Cisco CBS110-5T-D for example. Would unmanaged switches alleviate the security concern, or is the only secure way to have the ISPs go directly into the MXs?

KarstenI

I wrote a blog post some time ago summarizing the different options. Perhaps it helps:

https://cyber-fi.net/index.php/2024/02/19/connecting-your-meraki-mx-to-the-internet/

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.

DarrenOC

Agree with a breakout switch upstream of the MXs to share the links between your MXs.

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.

Meraki

Community

MX warm spare (high availbility) + ISP failover architecture

MX warm spare (high availbility) + ISP failover architecture