MX warm spare (high availability) + ISP failover architecture

grebyn86
New here


We recently moved all the company's perimeter devices to Meraki MX. All of our locations currently have one ISP into one of the MX's WAN ports, then one of the MX's LAN ports into a Cisco, non-Meraki, switch inside our perimeter. Example:

[Diagram: 2024-12-27 Meraki HV O.png]

We are looking into adding a second "backup" ISP circuit and a second Meraki MX at each location for warm spare, high availability, failover, or whatever it is called, and could use some help with the architecture.

This is the architecture we initially came up with based on various articles, forums, etc. we found online.

[Diagram: 2024-12-27 Meraki HV 1.png]

As a starting point, is this architecture correct? If not, what do we need to change?

Assuming the first architecture is correct, we also came up with this architecture, which removes the MS hardware outside the perimeter. If this architecture is functionally correct, is it a security risk to have the switch stack inside and outside the perimeter at the same time?

[Diagram: 2024-12-27 Meraki HV 2.png]

Thanks everyone in advance for your input and assistance. 

RWelch
Head in the Cloud

@Ryan_Miles might have a slide deck to share with you on best (suggested) practices.

Ryan_Miles
Meraki Employee

This past thread covers this topic. While using Meraki switches for WAN breakout works, be aware it's deemed "incorrect".

Ryan

grebyn86
New here

@Ryan_Miles 

Looking over the past thread you linked, and the layer 3 topology article, I am still unsure what the correct topology is for two MXs and two ISPs. Is it best practice to run the ISPs directly into the MX, and if an MX fails, physically move the ISP cables to the second MX?

Ryan_Miles
Meraki Employee

Using breakout switch(es) for automatic failover would be ideal vs. relying on physically moving cables to restore service.

Now whether you do this with one switch, two switches, cloud-managed switches, non-cloud-managed switches, dedicated switches, dual-purpose "inside" switches like your #2 diagram shows, etc., you're never going to find one agreed-upon design. People have their preferences and beliefs, and you need to find the right solution to fit your requirements (cost, manageability, redundancy).

I will refrain from saying what I'd do and leave it to others here to offer their advice and experience on what's worked for them.

Ryan

grebyn86
New here

@Ryan_Miles 

From a security perspective, is having dual-purpose inside/outside switch(es) or Meraki MS switch(es) between the MXs and the ISPs a concern? If so, I saw unmanaged switches mentioned to sit between the MXs and ISPs, Cisco CBS110-5T-D for example. Would unmanaged switches alleviate the security concern, or is the only secure way to have the ISPs go directly into the MXs?

cmr
Kind of a big deal

@grebyn86 this is exactly why I use them, reduced security risk.

KarstenI
Kind of a big deal

I wrote a blog post some time ago summarizing the different options. Perhaps it helps:

https://cyber-fi.net/index.php/2024/02/19/connecting-your-meraki-mx-to-the-internet/

DarrenOC
Kind of a big deal

Agree with a breakout switch upstream of the MXs to share the links between your MXs. 

cmr
Kind of a big deal

I always go with your first architecture, but replace the MS130s with unmanaged Cisco layer 2 switches. Cheaper, simpler, can't be hacked and do the job. At their price you can always have a spare onsite.

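For anyone who does go with the OP's second diagram (one inside switch also carrying the ISP handoffs) rather than cmr's unmanaged breakout switches, the risk being discussed is that a single misconfiguration can bridge an outside VLAN into the inside VLAN or expose the switch's own management plane to the ISP side. The Cisco IOS configuration below is an added example, not something posted in the thread or published by Meraki, showing how the dual-purpose switch would be locked down: the ISP VLANs are pure layer 2 with no SVI, every ISP- and MX-facing port is a hard access port with DTP negotiation off, unused ports are shut in a parking VLAN, and any trunk tags the native VLAN. Port numbers, VLAN IDs, the management address and the assumption that the warm-spare pair sits in VLAN 10 are all hypothetical.

```cisco
! Assumed port map (not from the thread):
!   Gi1/0/1 ISP1 handoff, Gi1/0/2 ISP2 handoff
!   Gi1/0/3 MX-A WAN1, Gi1/0/4 MX-A WAN2, Gi1/0/5 MX-B WAN1, Gi1/0/6 MX-B WAN2
!   Gi1/0/7 MX-A LAN, Gi1/0/8 MX-B LAN, Gi1/0/9-24 inside hosts, 25-48 unused
vlan 901
 name ISP1-OUTSIDE
vlan 902
 name ISP2-OUTSIDE
vlan 10
 name INSIDE
vlan 999
 name PARKING
!
! Deliberately no "interface Vlan901" / "interface Vlan902": the switch owns no
! IP address on the outside VLANs, so nothing upstream of the MXs can reach
! its management plane. Management lives only on the inside VLAN.
interface Vlan10
 description Management, reachable from the inside only
 ip address 10.10.0.2 255.255.255.0
!
interface GigabitEthernet1/0/1
 description ISP1 handoff
 switchport mode access
 switchport access vlan 901
 switchport nonegotiate
 no cdp enable
 no lldp transmit
 no lldp receive
 storm-control broadcast level 1.00
!
interface GigabitEthernet1/0/2
 description ISP2 handoff
 switchport mode access
 switchport access vlan 902
 switchport nonegotiate
 no cdp enable
 no lldp transmit
 no lldp receive
 storm-control broadcast level 1.00
!
interface range GigabitEthernet1/0/3 , GigabitEthernet1/0/5
 description MX-A / MX-B WAN1 -> ISP1
 switchport mode access
 switchport access vlan 901
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface range GigabitEthernet1/0/4 , GigabitEthernet1/0/6
 description MX-A / MX-B WAN2 -> ISP2
 switchport mode access
 switchport access vlan 902
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface range GigabitEthernet1/0/7 - 8
 description MX-A / MX-B LAN, same VLAN so the warm-spare pair can exchange VRRP
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
interface range GigabitEthernet1/0/9 - 24
 description inside hosts
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
! Unused ports shut and parked so a stray patch cable cannot bridge
! an outside VLAN into the inside VLAN.
interface range GigabitEthernet1/0/25 - 48
 switchport mode access
 switchport access vlan 999
 shutdown
!
! If a trunk to another switch exists, tag the native VLAN and prune 901/902
! from it (switchport trunk allowed vlan ...) so the outside VLANs never leave
! this switch except on the ISP and MX WAN ports above.
vlan dot1q tag native
```

Two checks worth running after applying something like this: `show interfaces trunk` should list neither 901 nor 902 as allowed on any trunk, and `show ip interface brief` should show no SVI in either outside VLAN. BPDU guard is placed on the MX-facing ports, not on the ISP handoffs, because some ISP CPE does run spanning tree and would err-disable the port. None of this applies to cmr's alternative: an unmanaged switch such as the CBS110 has no management plane to expose in the first place, which is the point being made in the thread.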