Meraki Community

Merakiuser50 · ‎Mar 12 2024

Hi we have a network setup like this:

ISP setup:

2 ISP uplinks for 2 Juniper firewalls.
We have been given 4 public ips to use.
There is a VRRP heartbeat configured between the Junipers.
They are setup as active/passive. ie if the primary Juniper fails, Secondary Juniper takes over and provides a redundant internet line.
Both lines are not active at the same time.

Our setup:

2 x mx75s, 2 x ms120s, 10x CW9164 aps.
There is redundancy between both switches and firewalls.

Here is our network diagram.

Meraki network.png

My question is do you need to have 2 active internet lines for the warm failover to occur? Would breakout switches between the MX75s and the 2 lines help here?

Think i read on another post that each MX must be able to reach the internet via its own internet line. The secondary MX cannot reach the internet through the primary MX. Is that correct? - this would explain why it won't show up in meraki dashboard.

Cheers in advance.

Joshua

ww · ‎Mar 12 2024

Both mx need to reach the internet. So both need to connect the active router.

It would be better to have two separed routers (not vrrp) with both own ip space.

And then connect both mx to both routers

Merakiuser50 · ‎Mar 15 2024

Thanks for the reply. This seems like the easiest and more cost effective option.

Marvin_ · ‎Mar 12 2024

Hi Joshua,

yes, you are right, both MX need their own active Internet connection. They don't sync their configuration over LAN.

Breakout switches between the MX75 and the Internet connections would solve your problem, with both Internet uplinks and both MX WAN 1 in the same VLAN.

With this setup you also would be able to use the virtual IP feature for seamless failover.

But make sure your internet switches are not creating any single point of failure.(For example, what happens if primary Juniper port 2 fails?)

Greetings,

Marvin

Merakiuser50 · ‎Mar 12 2024

Thanks for the reply Marvin. That's super helpful.

Ah so that confirms my suspicions. Does the breakout switch need to be a managed layer 3 switch for this to work? I did try using a dumb layer 2 switch but i think it started causing loops.

Marvin_ · ‎Mar 13 2024

Then I am unsure if I understood your ISP setup right.
Placing a dumb L2 swich between both MXes and the ISPs routers should not create loops. At least not on MX side, as the broadcast domains of the MX WAN ports are separated.

But placing a single switch between your network and the ISP is creating a single point of failure.

In my opinion, you could use two spanning tree capable L2 switches, to make this setup redundant.

The cabling could look like this:
Juniper 1 -> WAN-Switch 1
Juniper 2 -> WAN-Switch 1
Juniper 1 -> WAN-Switch 2
Juniper 2 -> WAN-Switch 2
WAN-Switch 1 -> MX 1
WAN-Switch 2 -> MX 2
WAN-Switch 1 -> WAN-Switch 2

Merakiuser50 · ‎Mar 15 2024

Yes, i think you're right Marvin. That also sounds like the most redundancy. Though i'm fairly certain it's going to cost more to purchase more switches than get our ISP to give us 2 active lines.

Meraki Community

MX75 Warm Failover without 2 active internet lines.

MX75 Warm Failover without 2 active internet lines.