Meraki

Community

MX warm spare (high availbility) + ISP failover architecture

grebyn86
Conversationalist
‎Dec 27 2024 7:03 AM
‎Dec 27 2024 7:03 AM

MX warm spare (high availbility) + ISP failover architecture

We recently moved all the company's perimeter devices to Meraki MX. All of our locations currently have one ISP into one of the MX's WAN ports, then one of the MX's LAN ports into a Cisco, non-Meraki, switch inside our perimeter. Example;

2024-12-27 Meraki HV O.png

 

We are looking into adding a second "backup" ISP circuit and a second Meraki MX at each location for; warm spare, high availability, failover, or whatever it is called, and could use some help with the architecture. 

 

This is the architecture we initially came up with based on various articles, forums, ext... we found online. 

2024-12-27 Meraki HV 1.png

As a starting point, is this architecture correct? If not, what do we need to change? 

 

Assuming the first architecture is correct, we also came up with this architecture, which removes the MS hardware outside the perimeter. If this architecture is functionally correct, is it a secure risk to have the switch stack inside and outside the perimeter at the same time? 

2024-12-27 Meraki HV 2.png

 

Thanks everyone in advance for your input and assistance. 

0 Kudos
10 Replies 10
RWelch
Head in the Cloud
Head in the Cloud
‎Dec 27 2024 7:53 AM
‎Dec 27 2024 7:53 AM

@Ryan_Miles might have a slide deck to share with you on best (suggested) practices.

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
Ryan_Miles
Meraki Employee
Meraki Employee
‎Dec 27 2024 8:10 AM
‎Dec 27 2024 8:10 AM

This past thread covers this topic. While using Meraki switches for WAN breakout works, be aware it's deemed "incorrect".

grebyn86
Conversationalist
‎Dec 27 2024 8:58 AM
‎Dec 27 2024 8:58 AM

@Ryan_Miles 

Looking over the past thread you linked, and the layer 3 topology article, I am still unsure what the correct topology is for two MXs and two ISPs? Is best practice to go ISPs directly into the MX, and if an MX fails, physically move the ISP cables into the second MX? 

0 Kudos
In response to grebyn86
Ryan_Miles
Meraki Employee
Meraki Employee
‎Dec 27 2024 9:17 AM
‎Dec 27 2024 9:17 AM

Using breakout switch(es) for automatic failover would be ideal vs. relying on physically moving cables to restore service.

 

Now whether you do this with one switch, two switches, cloud managed switches, non cloud managed switches, dedicated switches, dual purpose "inside" switches like your #2 diagram shows, etc. you're never going to find one agreed upon design. People have their preferences and beliefs and you need to find the right solution to fit your requirements (cost, manageability, redundancy).

 

I will refrain from saying what I'd do and leave it to others here to offer their advice and experience on what's worked for them.

In response to Ryan_Miles
grebyn86
Conversationalist
‎Dec 27 2024 9:39 AM
‎Dec 27 2024 9:39 AM

@Ryan_Miles 

From a security perspective, is having a dual purpose inside/outside switch(es) or Meraki MS switch(es) between the MXs and the ISPs, a concern? If so, I saw unmanaged switches mentioned to sit between the MXs and ISPs. Cisco CBS110-5T-D for example. Would unmanaged switches alleviate the security concern, or is the only secure way to have the ISPs go directly into the MXs? 

In response to grebyn86
cmr
Kind of a big deal
Kind of a big deal
‎Dec 28 2024 11:23 AM
‎Dec 28 2024 11:23 AM

@grebyn86 this is exactly why I use them, reduced security risk.

If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
KarstenI
Kind of a big deal
Kind of a big deal
‎Dec 27 2024 9:39 AM
‎Dec 27 2024 9:39 AM

I wrote a blog post some time ago summarizing the different options. Perhaps it helps:

https://cyber-fi.net/index.php/2024/02/19/connecting-your-meraki-mx-to-the-internet/

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
DarrenOC
Kind of a big deal
Kind of a big deal
‎Dec 27 2024 11:45 PM
‎Dec 27 2024 11:45 PM

Agree with a breakout switch upstream of the MXs to share the links between your MXs. 

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
cmr
Kind of a big deal
Kind of a big deal
‎Dec 28 2024 11:22 AM
‎Dec 28 2024 11:22 AM

I always go with your first architecture, but replace the MS130s with unmanaged Cisco layer 2 switches.  Cheaper, simpler, can't be hacked and do the job.  At their price you can always have a spare onsite.

If my answer solves your problem please click Accept as Solution so others can benefit from it.
grebyn86
Conversationalist
‎Dec 30 2024 6:08 AM
‎Dec 30 2024 6:08 AM

Thanks everyone for the input. I believe this is the direction we're going. It will be at least a few days before we begin moving forward with this. So if anyone still has an opinion let me know. 

2024-12-30 Meraki HV 3.png

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.