Solved
2. Technically no. I don't see any issues with this, it's simply a matter of redundancy however. If that one switches goes down, the HA warm spare status won't function but at this point who cares because your entire network is down internally lol
3. You have to use the vIP solution if your using client-VPN. This is the only supported method
4. vIP will only work by having a /29 from your provider. The whitelisting should be done for the entire /29 in my opinion, not 'just' the vIP. Makes it easier.
2. Technically no. I don't see any issues with this, it's simply a matter of redundancy however. If that one switches goes down, the HA warm spare status won't function but at this point who cares because your entire network is down internally lol
3. You have to use the vIP solution if your using client-VPN. This is the only supported method
4. vIP will only work by having a /29 from your provider. The whitelisting should be done for the entire /29 in my opinion, not 'just' the vIP. Makes it easier.
Hey @BrandonS
- Nope, it is not good. Don't do it. Bad things can happen. Traffic may be blackholed, or other general instabilities (I had interesting STP TC's being generated leading to an unconverged network)
- Nope. You can use one switch. But then you have redundant MXes and a single MS... You have to decide how far you want to take redundancy.
- Use the Virtual IP feature on the WAN for this. Then clients always connect to the VIP which is on the active MX. Or, if you cannot use a VIP then use the DDNS built into the MXes. The current active primary DDNS name will always point to the active MX.
- That's correct. User's are NAT'ed to the VIP(s), so that's what need to be whitelisted by a *aaS provider.
@BrandonS wrote:Can someone help me clear up some doubts about how to configure this? I have read https://documentation.meraki.com/MX/Deployment_Guides/MX_Warm_Spare_-_High_Availability_Pair
and also https://www.willette.works/mx-warm-spare/
1. Is it not good to connect the MX's directly to each other anymore? Do I need to care why?
2. Do I need 2 switches also? I prefer to have one switch only and only have HA for if one internet goes down or one MX fails. For this instance I am not concerned about 'core' switch failure.
3. How do I handle client VPN if one internet fails? Users need to know two different IP's to connect to potentially?
4. This customer uses public IP whitelisting to access some cloud services. I am not clear on the VIP configuration. I will have one VIP from each ISP that would need to be whitelisted by the service providers I guess?
Thanks for any help. I have been working with Meraki for some time, but not yet configured HA.
Thanks for the great replies! I think the last thing I am wondering is if I need to consider anything for my single switch. I can just plug LAN 1 on each MX into my single switch instead of the two like diagramed here? Or do I want a VLAN for the connectivity between MX also? That seems the same as a direct cable though..
And maybe I want an MS120-8 on the WAN side with two VLANs (one for each ISP between their handoff and the MX's). It looks like a need a total of 3 IP addresses from each ISP, right?
Going with number 1-4 on the diagram
Comcast: 1: 1.1.1.1, 3: 1.1.1.2
at&t: 2: 2.2.2.1 4: 2.2.2.2
Then also two VIPs like 1.1.1.3 and 2.2.2.3?
Thanks again.
For some reason I didn't realize that you had two ISP providers. Thought we were talking just one here.
If your only using 1 switch, then each MX should only have one connection (since they don't support LACP).
The diagram your showing is if you had two switches.
You don't need a specific VLAN for warm spare. By default the VRRP packets are sent out on all vlans.
Each ISP would need to give you 3 IP addresses (this is only done by giving you a /29)
As for the edge switch between your ISP and your MX, I believe this will be needed unless they are able to hand you 2 uplinks from their side for each ISP.
You can use your core switch for this too if you want. Via that diagram from https://www.willette.works/mx-warm-spare/
Keep in mind doing this now makes that switch a single point of failure.
As for the vIP, if you get a /29, you actually get 5 usable IP addresses. So you use two of them for each MX and then one for the vIP, entirely up to you.
As for your client-VPN, if ISP 1 goes down, even using the vIP, then I would imagine you lose your client-VPN even though ISP 2 is alive. Maybe @jdsilva knows if that DDNS he mentioned earlier solves this?
@NolanHerring wrote:
As for your client-VPN, if ISP 1 goes down, even using the vIP, then I would imagine you lose your client-VPN even though ISP 2 is alive. Maybe @jdsilva knows if that DDNS he mentioned earlier solves this?
Yup, it will follow.
Meraki went and changed how you configure DDNS in the last week or so... It used to tell you which name was which, but now it's just lists the 3 DDNS names you get without explaining what does what.
If you use the DDNS name I circled you will always point to the IP of the "current primary uplink", doesn't matter which uplink port, or which MX that is. It'll even change to the cellular IP if you have a USB cellular modem connected.
