MX84 HA with "internal switch"

Xavier_o
Here to help


Hi, 


2 Meraki MX84 in HA mode.

2 ISP routers. The 2nd ISP router gets the same IP if the first one fails, so I cannot use the WAN1 and WAN2 ports on the MX.


For both MX84 - ports 3,4,5 (all in VLAN 1000):

Port 3 - cable to ISP router 1

Port 4 - cable to ISP router 2

Port 5 - cable to same MX84 WAN1 port

MX84 port 9 and 10 (trunk allowing all but not VLAN1000) to MS stack.


Will it work? Can I use MX ports for this instead of MS for ISP HA?

Do I need to tag WAN port (VLAN1000) for this?


Pic for reference only:

Xavier_o_0-1641304354368.png


Thanks

KarstenI
Kind of a big deal

The ISP-routers have to be connected to the WAN-ports. If there are two routers and only one (virtual) IP on them, then they are meant to provide redundancy and not load-sharing.

To connect both at the same time, you need a small switch that connects both routers and *one* WAN-port of both MXes.

You should not use the internal switch for this purpose. That is a really bad security practice (you would physically bypass your firewall), and the Meraki traffic analysis wouldn't like seeing the same traffic twice.

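One way to check an MX port configuration for the pattern KarstenI warns about (a VLAN that joins several LAN access ports but is carried by no trunk, so frames between those ports are switched inside the MX without ever crossing its inter-VLAN firewall rules). This is an added example, not code from this thread or from Meraki; the port records only mimic the shape of Meraki Dashboard API appliance-port objects, and the data is constructed to match the topology in the question.

```python
# Added audit example: flag VLANs that exist only as L2 segments between
# MX LAN access ports. Record shape (number, enabled, type, vlan,
# allowedVlans) is an assumption modelled on Meraki appliance-port objects.
from collections import defaultdict

# Constructed to mirror the thread: ports 3-5 access in VLAN 1000,
# ports 9-10 trunks to the MS stack carrying every VLAN except 1000.
PORTS = [
    {"number": 3, "enabled": True, "type": "access", "vlan": 1000},
    {"number": 4, "enabled": True, "type": "access", "vlan": 1000},
    {"number": 5, "enabled": True, "type": "access", "vlan": 1000},
    {"number": 9, "enabled": True, "type": "trunk", "vlan": 1, "allowedVlans": "1,10,20"},
    {"number": 10, "enabled": True, "type": "trunk", "vlan": 1, "allowedVlans": "1,10,20"},
]


def trunk_carries(port, vlan):
    """True if a trunk port forwards the VLAN (as native VLAN or in allowedVlans)."""
    allowed = port.get("allowedVlans", "all")
    if port.get("vlan") == vlan or allowed == "all":
        return True
    return vlan in {int(v) for v in allowed.split(",") if v.strip()}


def l2_only_segments(ports):
    """Return {vlan: [port numbers]} for VLANs that join two or more enabled
    access ports but are carried by no trunk. Traffic between those ports
    stays intra-VLAN, so L3 firewall rules (which apply between VLANs) never
    see it; such a VLAN is a candidate for an unfirewalled WAN-side bridge."""
    access = defaultdict(list)
    for p in ports:
        if p["enabled"] and p["type"] == "access":
            access[p["vlan"]].append(p["number"])
    trunks = [p for p in ports if p["enabled"] and p["type"] == "trunk"]
    return {v: sorted(ns) for v, ns in access.items()
            if len(ns) >= 2 and not any(trunk_carries(t, v) for t in trunks)}


if __name__ == "__main__":
    for vlan, members in l2_only_segments(PORTS).items():
        print(f"VLAN {vlan}: ports {members} form an L2-only segment")
```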
Xavier_o
Here to help

Hi, 



@KarstenI wrote:

The ISP-routers have to be connected to the WAN-ports. If there are two routers and only one (virtual) IP on them, then they are meant to provide redundancy and not load-sharing.

They would be, via the "switch" inside the MX. Physical cable from port 5 to the same MX84's WAN1 port.


To connect both at the same time, you need a small switch that connects both routers and *one* WAN-port of both MXes.

This is exactly why I don't want to have any extra hardware such as small switches (an extra point of failure), and instead use the MX, so it could act as a switch.


You should not use the internal switch for this purpose. That is a really bad security practice (you would physically bypass your firewall) and the Meraki traffic-analysis wouldn't like it to see the same traffic twice.

Why would it bypass the firewall? It would be in a separate zone with 3 access ports within VLAN 1000, separate from the LAN (all VLANs but VLAN 1000), and directly (by cable) connected to the WAN port.


--------------

Similar topic here:

Solved: Separate VLAN for WAN link - The Meraki Community

Just this time, instead of using the MS stack, I would use the MX itself.


The question is: can/will the MX understand and separate ports 3, 4, 5 (all in VLAN 1000) from the rest of the router, like creating a different zone?

If it can, why can't it be used as a "stand-alone" switch (built into the MX)?

--------------


PhilipDAth
Kind of a big deal

Yes, it will work. I have done exactly this before.

Xavier_o
Here to help

It's just a matter of testing it, I believe :).

Thanks
