Meraki

Community

MX85 HA Warm Spare Config design

Solved
JCA1
Here to help
‎Jul 24 2023 12:32 PM
‎Jul 24 2023 12:32 PM

MX85 HA Warm Spare Config design

Hi, I'd like to have some feedback to determine if this configuration is supported. We tried to implement this and had to rollback because we started seeing all kinds of problems in the network, dhcp, no intervlan traffic, etc. Any help would be appreciated. The breakout switch is an HP 3800, no svi in the switch. The fws are MX85. This is a single ISP link. We used the virtual ip option for the mx uplink.

 

Capture.PNG

 

 

Labels:
0 Kudos
1 Accepted Solution
cmr
Kind of a big deal
Kind of a big deal
‎Jul 25 2023 8:02 AM
‎Jul 25 2023 8:02 AM

Yes, as below:

cmr_0-1690297316709.png

 

If my answer solves your problem please click Accept as Solution so others can benefit from it.

View solution in original post

12 Replies 12
alemabrahao
Kind of a big deal
Kind of a big deal
‎Jul 24 2023 12:41 PM
‎Jul 24 2023 12:41 PM

Warm spare with trunk port is really problematic, try configuring the LAN port to Drop Untagged Traffic.

 

alemabrahao_0-1690227648292.png

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
JCA1
Here to help
‎Jul 24 2023 12:53 PM
‎Jul 24 2023 12:53 PM

Thank you! I was under the impression that as long as the native vlan is not on the "allow" list, it will be dropped.

 

JCA1_0-1690228395306.png

 

0 Kudos
In response to JCA1
alemabrahao
Kind of a big deal
Kind of a big deal
‎Jul 24 2023 12:56 PM
‎Jul 24 2023 12:56 PM

I still recommend you to apply this configuration for test.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
KarstenI
Kind of a big deal
Kind of a big deal
‎Jul 24 2023 1:13 PM
‎Jul 24 2023 1:13 PM

I would avoid this setup as much as I can. Or even more, I would refuse to implement it for a customer. In this setup, the switch has the potential to bypass the firewall. This is really bad practice.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
0 Kudos
In response to KarstenI
JCA1
Here to help
‎Jul 24 2023 2:51 PM
‎Jul 24 2023 2:51 PM

Thanks. How would you be able to bypass the firewall with the wan/core switch?

0 Kudos
In response to JCA1
KarstenI
Kind of a big deal
Kind of a big deal
‎Jul 25 2023 12:03 AM
‎Jul 25 2023 12:03 AM

  • Admin error, putting the wrong port into the wrong VLAN
  • switch crash and forwarding without config applied 
  • config lost due to any other reason

As @cmr writes, it is not worth it to save a couple of bucks. Although I prefer managed switches on the WAN side like Catalyst 1000 or CBS 350.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jul 24 2023 1:31 PM
‎Jul 24 2023 1:31 PM

That should work ok.  Was this the first power on of the MXs?  Perhaps they were still doing firmware upgrades.  What did the Dashboard show?

0 Kudos
In response to PhilipDAth
JCA1
Here to help
‎Jul 25 2023 8:03 AM
‎Jul 25 2023 8:03 AM

No, it wasn't the first power on. It was just that the traffic stopped hitting the meraki, dhcp problems, the core switch froze.

0 Kudos
cmr
Kind of a big deal
Kind of a big deal
‎Jul 24 2023 3:11 PM
‎Jul 24 2023 3:11 PM

Why would you want to do this?  We use cheap unmanaged 5-8 port L2 Cisco switches for the WAN and they have been performant and reliable for the last 4+ years.

If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
In response to cmr
JCA1
Here to help
‎Jul 25 2023 7:59 AM
‎Jul 25 2023 7:59 AM

Well, they only have one ISP with one fiber handoff so they need a breakout switch, that breakout switch splits the internet connection. What do I need to change here to make it right? Keep the breakout switch but from the MX Lan ports go to a downstream LAN switch instead of going back to the breakout switch?

 

           ISP
              |
___WAN SWITCH___
|                                   |
MX1                          MX2
                  |
             LAN SW

0 Kudos
cmr
Kind of a big deal
Kind of a big deal
‎Jul 25 2023 8:02 AM
‎Jul 25 2023 8:02 AM

Yes, as below:

cmr_0-1690297316709.png

 

If my answer solves your problem please click Accept as Solution so others can benefit from it.
In response to cmr
JCA1
Here to help
‎Jul 25 2023 11:00 AM
‎Jul 25 2023 11:00 AM

Thank you!

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.