Meraki MX 450 add a second data center redundancy design question

SOLVED
Weaver
Conversationalist

I am adding a second data center for redundancy and a new pair of Meraki MX450s. Data Center 1 has two MX450s, and I will be adding two new MX450s to the new data center. The first ones run our wireless networks for 5 different campuses. The new MX450s will be available in the event we have an outage.

I have read the design guide, but I'm not 100% certain about the following questions and don't want to cause an outage, so:

The current MX units are running in passthrough mode. So:

1. When adding the new MXs, do I create an additional network in the same organization?

   The current MX units are in combined network mode.

2. How do I specify which MX units to use, the new ones or the old ones? How is that priority set?

3. Do the MX units in different data centers need a heartbeat to each other even though they are on different IP networks?

4. How do they talk to each other and not take over the traffic?

Thanks for any design help.

1 ACCEPTED SOLUTION
Bruce
Kind of a big deal

I would question if you really need to be running concentrators with your Meraki wireless solution. There are reasons to use a concentrator, but normally I'd suggest that you look at bridge mode on the SSID and drop the traffic straight onto the local LAN and then route it from there.

If you do need to use concentrators, then you can't really just add two more MX450s in a new data centre and make them a redundant 'cluster'. The MX appliances operate in a high availability (HA) mode as a pair, and only as a pair. In concentrator mode (which is the same as passthrough in the Dashboard configuration) the two HA MXs each have their own IP address, but also have a shared IP address which only the active concentrator 'owns'. All the traffic from the APs goes back and forth to the shared IP address. If you want to do failover between data centres you have to create a Layer 2 link between the two MXs (which will be in separate data centres), and also use a mechanism to ensure the Layer 3 interface for the VLANs that are coming from the APs (which are dropped onto the wire by the concentrator) is in the correct data centre too - this could be something like VRRP or HSRP on your core. You'd need to work through the design of this, and the failover scenarios, to make sure it works as expected.

At the end of the day you end up with two HA pairs - whether both are active in DC A and fail over to DC B, or whether one is active in DC A and fails over to DC B, and vice versa, is part of the design. As has been said by many though, an SSID in a network can only use a single HA concentrator pair, and hence why you need to split the HA pair between the data centres. For each campus though, which I assume is a separate Meraki network, you can specify a different concentrator for the same SSID. So Campuses 1, 2 and 3 could use HA Concentrator pair I, and Campuses 4 and 5 could use HA Concentrator pair II.

When you add the new MX450s they have to be in the same Meraki Organisation (otherwise you won't be able to select them as a concentrator for the wireless access points). But they will have to be in a separate Meraki Network to the existing concentrators. A Meraki Network can only have one MX appliance (concentrator), or two if they are configured as an HA pair.

You've got a bit of design work to do to get it working properly, and key to it will be getting the Layer 2 link between the data centres in place, so the MXs in each DC can 'talk' to the other half of their HA pair.

4 REPLIES
ww
Kind of a big deal

Your design is:

APs have a tunnel to the MX concentrator?

Or

MX branch tunnel to the concentrator?

Because an AP can only have one concentrator selected.

In the case of an MX-to-MX tunnel, you select the new concentrator pair as the second hub.

 

https://documentation.meraki.com/MX/Site-to-site_VPN/Configuring_Hub-and-spoke_VPN_Connections_on_th...

https://documentation.meraki.com/Architectures_and_Best_Practices/Cisco_Meraki_Best_Practice_Design/...

cmr
Kind of a big deal

@Weaver you could set up a second SSID with the same settings but using the second pair of MXs.

DevOps_RC
Getting noticed

We have a similar setup, two pairs of MX450s in different DCs. It is possible to set up 'secondary concentrators' for tunnelling SSIDs, screenshot below:

[screenshot: DevOps_RC_0-1706610785774.png]

We split the connections to different HA pairs of MX450s to spread the load, but have secondary concentrators set up in case of DC failure.
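An added example, not from the thread or from Meraki, that turns the two points raised above (splitting campuses across the two HA pairs, and giving every tunnelled SSID a secondary concentrator in the other DC) into an offline audit over constructed SSID records; the record shape and the field names concentratorNetworkId / secondaryConcentratorNetworkId are an assumption modelled on the Dashboard API SSID object.

```python
"""Audit tunnelled SSIDs across campus networks for concentrator redundancy.

Constructed sample data, shaped like the Meraki Dashboard API SSID object.
The field names concentratorNetworkId / secondaryConcentratorNetworkId are
an assumption for this example, not something the thread states.
"""
from collections import defaultdict

TUNNELLED_MODES = {"Layer 3 roaming with a concentrator", "VPN"}


def _ssid(primary, secondary, mode="Layer 3 roaming with a concentrator"):
    """Build one constructed SSID record (SSID 0, named 'Corp')."""
    return {"number": 0, "name": "Corp", "enabled": True,
            "ipAssignmentMode": mode, "concentratorNetworkId": primary,
            "secondaryConcentratorNetworkId": secondary}

# Constructed: five campus networks; N_DC1 / N_DC2 are the two HA-pair networks.
SAMPLE_SSIDS = {
    "Campus1": [_ssid("N_DC1", "N_DC2")],
    "Campus2": [_ssid("N_DC1", "N_DC2")],
    "Campus3": [_ssid("N_DC1", None)],             # no secondary: finding
    "Campus4": [_ssid("N_DC2", "N_DC1")],
    "Campus5": [_ssid("N_DC2", "N_DC2"),           # secondary == primary: finding
                _ssid(None, None, mode="Bridge mode")],  # bridge mode: skipped
}


def audit_concentrators(ssids_by_network):
    """Return (findings, load): findings are human-readable problems, load
    maps each primary concentrator network id to its tunnelled SSID count."""
    findings, load = [], defaultdict(int)
    for net, ssids in ssids_by_network.items():
        for s in ssids:
            if not s.get("enabled") or s.get("ipAssignmentMode") not in TUNNELLED_MODES:
                continue  # bridge-mode SSIDs never touch a concentrator
            primary = s.get("concentratorNetworkId")
            secondary = s.get("secondaryConcentratorNetworkId")
            label = f"{net}/SSID {s['number']} ({s['name']})"
            if not primary:
                findings.append(f"{label}: tunnelled but no concentrator set")
                continue
            load[primary] += 1
            if not secondary:
                findings.append(f"{label}: no secondary concentrator, a DC outage drops this SSID")
            elif secondary == primary:
                findings.append(f"{label}: secondary equals primary, no cross-DC failover")
    return findings, dict(load)


if __name__ == "__main__":
    problems, spread = audit_concentrators(SAMPLE_SSIDS)
    print("\n".join(problems) or "no findings", spread)
```

On the constructed sample this reports Campus3 (no secondary) and Campus5 (secondary same as primary), with three tunnelled SSIDs on the DC1 pair and two on the DC2 pair.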
