MX85 HA Warm Spare Config design

Solved
JCA1
Here to help

Hi, I'd like to have some feedback to determine if this configuration is supported. We tried to implement this and had to roll back because we started seeing all kinds of problems in the network: DHCP, no inter-VLAN traffic, etc. Any help would be appreciated. The breakout switch is an HP 3800, with no SVI in the switch. The FWs are MX85. This is a single ISP link. We used the virtual IP option for the MX uplink.

Capture.PNG


12 Replies
alemabrahao
Kind of a big deal

Warm spare with trunk port is really problematic, try configuring the LAN port to Drop Untagged Traffic.


alemabrahao_0-1690227648292.png


I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
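As an added example (not code from any poster or from Meraki), here is a small audit script for the setting recommended above: it walks a list of MX appliance LAN port objects and flags enabled trunk ports that still accept untagged traffic, then shows the hardened form with Drop Untagged Traffic enabled. The field names (`number`, `enabled`, `type`, `vlan`, `allowedVlans`, `dropUntaggedTraffic`) follow the Meraki Dashboard API appliance-port object as I understand it; the port list itself is constructed sample data, not output from a real network.

```python
"""Audit MX appliance LAN ports for trunk ports that still accept untagged traffic.

Assumption: port objects use the Meraki Dashboard API appliance-port shape
(number, enabled, type, vlan, allowedVlans, dropUntaggedTraffic).
SAMPLE_PORTS below is constructed for this example, not real dashboard output.
"""

SAMPLE_PORTS = [  # constructed sample data
    {"number": 2, "enabled": True, "type": "trunk", "vlan": 1,
     "allowedVlans": "10,20,30", "dropUntaggedTraffic": False},
    {"number": 3, "enabled": True, "type": "trunk", "vlan": 1,
     "allowedVlans": "10,20,30", "dropUntaggedTraffic": True},
    {"number": 4, "enabled": True, "type": "access", "vlan": 10},
    {"number": 5, "enabled": False, "type": "trunk", "vlan": 1,
     "allowedVlans": "all", "dropUntaggedTraffic": False},
]


def find_risky_trunks(ports):
    """Return the numbers of enabled trunk ports that do not drop untagged traffic.

    Note that the native VLAN being absent from allowedVlans is NOT treated as
    protection here: the check is only satisfied by dropUntaggedTraffic=True.
    """
    risky = []
    for port in ports:
        if not port.get("enabled", False):
            continue                      # disabled ports carry no traffic
        if port.get("type") != "trunk":
            continue                      # access ports have no native VLAN concern
        if not port.get("dropUntaggedTraffic", False):
            risky.append(port["number"])
    return risky


def hardened(port):
    """Return a copy of a port config with untagged traffic dropped on trunks.

    Access ports are returned unchanged.
    """
    fixed = dict(port)
    if fixed.get("type") == "trunk":
        fixed["dropUntaggedTraffic"] = True
    return fixed


if __name__ == "__main__":
    for number in find_risky_trunks(SAMPLE_PORTS):
        print(f"port {number}: trunk still accepts untagged traffic")
    print(hardened(SAMPLE_PORTS[0]))
```

Run it against the list returned by the appliance-ports endpoint of your own network to see which LAN ports would still let untagged frames in; only port 2 is flagged in the constructed sample, since port 3 already drops untagged traffic, port 4 is an access port and port 5 is disabled.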
JCA1
Here to help

Thank you! I was under the impression that as long as the native VLAN is not on the "allow" list, it will be dropped.


JCA1_0-1690228395306.png


alemabrahao
Kind of a big deal

I still recommend you to apply this configuration for test.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
KarstenI
Kind of a big deal

I would avoid this setup as much as I can. Or even more, I would refuse to implement it for a customer. In this setup, the switch has the potential to bypass the firewall. This is really bad practice.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
JCA1
Here to help

Thanks. How would you be able to bypass the firewall with the wan/core switch?

KarstenI
Kind of a big deal

  • Admin error, putting the wrong port into the wrong VLAN
  • Switch crash and forwarding without config applied
  • Config lost due to any other reason

As @cmr writes, it is not worth it to save a couple of bucks. Although I prefer managed switches on the WAN side like Catalyst 1000 or CBS 350.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
PhilipDAth
Kind of a big deal

That should work ok.  Was this the first power on of the MXs?  Perhaps they were still doing firmware upgrades.  What did the Dashboard show?

JCA1
Here to help

No, it wasn't the first power on. It was just that the traffic stopped hitting the Meraki, DHCP problems, the core switch froze.

cmr
Kind of a big deal

Why would you want to do this?  We use cheap unmanaged 5-8 port L2 Cisco switches for the WAN and they have been performant and reliable for the last 4+ years.

If my answer solves your problem please click Accept as Solution so others can benefit from it.
JCA1
Here to help

Well, they only have one ISP with one fiber handoff, so they need a breakout switch; that breakout switch splits the internet connection. What do I need to change here to make it right? Keep the breakout switch, but from the MX LAN ports go to a downstream LAN switch instead of going back to the breakout switch?


          ISP
           |
     __WAN SWITCH__
     |            |
    MX1          MX2
           |
        LAN SW

cmr
Kind of a big deal

Yes, as below:

cmr_0-1690297316709.png


If my answer solves your problem please click Accept as Solution so others can benefit from it.
JCA1
Here to help

Thank you!
