cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

MX85 HA Warm Spare Config design

SOLVED
Go to solution
JCA1
Here to help
‎07-24-2023 12:32 PM
‎07-24-2023 12:32 PM

MX85 HA Warm Spare Config design

Hi, I'd like to have some feedback to determine if this configuration is supported. We tried to implement this and had to rollback because we started seeing all kinds of problems in the network, dhcp, no intervlan traffic, etc. Any help would be appreciated. The breakout switch is an HP 3800, no svi in the switch. The fws are MX85. This is a single ISP link. We used the virtual ip option for the mx uplink.

 

Capture.PNG

 

 

Labels:
0 Kudos
Subscribe
1 ACCEPTED SOLUTION
cmr
Kind of a big deal
Kind of a big deal
‎07-25-2023 08:02 AM
‎07-25-2023 08:02 AM

Yes, as below:

cmr_0-1690297316709.png

 

View solution in original post

Subscribe
12 REPLIES 12
alemabrahao
Kind of a big deal
Kind of a big deal
‎07-24-2023 12:41 PM
‎07-24-2023 12:41 PM

Warm spare with trunk port is really problematic, try configuring the LAN port to Drop Untagged Traffic.

 

alemabrahao_0-1690227648292.png

 

0 Kudos
Subscribe
JCA1
Here to help
‎07-24-2023 12:53 PM
‎07-24-2023 12:53 PM

Thank you! I was under the impression that as long as the native vlan is not on the "allow" list, it will be dropped.

 

JCA1_0-1690228395306.png

 

0 Kudos
Subscribe
In response to JCA1
alemabrahao
Kind of a big deal
Kind of a big deal
‎07-24-2023 12:56 PM
‎07-24-2023 12:56 PM

I still recommend you to apply this configuration for test.

Subscribe
KarstenI
Kind of a big deal
Kind of a big deal
‎07-24-2023 01:13 PM
‎07-24-2023 01:13 PM

I would avoid this setup as much as I can. Or even more, I would refuse to implement it for a customer. In this setup, the switch has the potential to bypass the firewall. This is really bad practice.

0 Kudos
Subscribe
In response to KarstenI
JCA1
Here to help
‎07-24-2023 02:51 PM
‎07-24-2023 02:51 PM

Thanks. How would you be able to bypass the firewall with the wan/core switch?

0 Kudos
Subscribe
In response to JCA1
KarstenI
Kind of a big deal
Kind of a big deal
‎07-25-2023 12:03 AM
‎07-25-2023 12:03 AM

  • Admin error, putting the wrong port into the wrong VLAN
  • switch crash and forwarding without config applied 
  • config lost due to any other reason

As @cmr writes, it is not worth it to save a couple of bucks. Although I prefer managed switches on the WAN side like Catalyst 1000 or CBS 350.

Subscribe
PhilipDAth
Kind of a big deal
Kind of a big deal
‎07-24-2023 01:31 PM
‎07-24-2023 01:31 PM

That should work ok.  Was this the first power on of the MXs?  Perhaps they were still doing firmware upgrades.  What did the Dashboard show?

0 Kudos
Subscribe
In response to PhilipDAth
JCA1
Here to help
‎07-25-2023 08:03 AM
‎07-25-2023 08:03 AM

No, it wasn't the first power on. It was just that the traffic stopped hitting the meraki, dhcp problems, the core switch froze.

0 Kudos
Subscribe
cmr
Kind of a big deal
Kind of a big deal
‎07-24-2023 03:11 PM
‎07-24-2023 03:11 PM

Why would you want to do this?  We use cheap unmanaged 5-8 port L2 Cisco switches for the WAN and they have been performant and reliable for the last 4+ years.

0 Kudos
Subscribe
In response to cmr
JCA1
Here to help
‎07-25-2023 07:59 AM
‎07-25-2023 07:59 AM

Well, they only have one ISP with one fiber handoff so they need a breakout switch, that breakout switch splits the internet connection. What do I need to change here to make it right? Keep the breakout switch but from the MX Lan ports go to a downstream LAN switch instead of going back to the breakout switch?

 

           ISP
              |
___WAN SWITCH___
|                                   |
MX1                          MX2
                  |
             LAN SW

0 Kudos
Subscribe
cmr
Kind of a big deal
Kind of a big deal
‎07-25-2023 08:02 AM
‎07-25-2023 08:02 AM

Yes, as below:

cmr_0-1690297316709.png

 

Subscribe
In response to cmr
JCA1
Here to help
‎07-25-2023 11:00 AM
‎07-25-2023 11:00 AM

Thank you!

Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2023 Meraki