Meraki

Community

Meraki MX Firewall HA - with 2 ISPs and /30 Public IPs

Solved
iliyaz
Here to help
‎Jul 15 2024 11:45 PM
‎Jul 15 2024 11:45 PM

Meraki MX Firewall HA - with 2 ISPs and /30 Public IPs

HI Team,

 

I have configured MX 84 HA setup exactly as per the below diagram, and I am able to get Internet from switches on both the WAN ports in MX1, but the MX2 SPARE is showing as "Unreachable" and HA link is showing GREEN on both.

 

Device - 2 MX 84 and 2 MS MS250-48LP

 

Below are the Public IPs I got from both of my ISPs

ISP 1 - 49.xx.1.104/30

49.xx.1.105 - PE and 49.xx.1.106 - CE

49.xx.8.168/29 - Lan Public IP's


ISP 2 - 182.yy.80.104/30

182.yy.8.105 - PE and 182.yy.8.106 - CE

182.yy.3.104/29 - Lan Public IP's

 

Configuration on MX1 WAN Ports:

On MX1 WAN Port 1 - I have configured /30 of ISP 1

On MX1 WAN Port 2 - I have configured /30 of ISP 2

 

The Internet on both WAN Ports of MX1 is fine, but Spare is showing Unreachable.

 

HA Config Model of other Vendor:

For any Vendor models , we just configure WAN link with /30 ips on ACTIVE Device and this same configuration will be replicated to Passive DEVICE. In terms of failure the Passive device gets ACTIVE Device configuration and will be UP and running. 

Not sure how the Meraki HA works?

 

Team, can some one pls help out here??

Meraki-HA-Setup.png

 

0 Kudos
1 Accepted Solution
In response to KarstenI
iliyaz
Here to help
‎Jul 16 2024 11:55 AM
‎Jul 16 2024 11:55 AM

Thank you very much @KarstenI. For addressing all my queries in a single answer.

Option 1: Is the easiest, but hv to do some paper work with ISPs.

 

Option 2: Also looks good. Can you pls guide me in achieving it::

 

Step 1: Create a L3 interface on the MS250 MS-1 Switch and connect the ISP1 interface and configure /30 Public WAN IP and same for MS-2 MS250 switch L3 interface for ISP2.


Step 2: Create a SVI in MS1 and have L3 connection to both the MX1 and MX2

e.g - MS1 :

Vlan 710
ip address 49.xx.8.169/29 -- GW

MX 1 - 49.xx.8.170/29 - WAN 1

MX 2 - 49.xx.8.171/29 - WAN 1


MS2 :

Vlan 711
ip address 182.yy.3.105/29 -- GW

MX 1 - 182.yy.3.106/29 - WAN 2

MX 2 - 4182.yy.3.107/29 - WAN 2


After that what should be done for establishing Internet connection??

 

 

View solution in original post

0 Kudos
10 Replies 10
KarstenI
Kind of a big deal
Kind of a big deal
‎Jul 16 2024 6:43 AM
‎Jul 16 2024 6:43 AM

The Meraki MX works differently than you expect. Both devices need a constant connection to the dashboard. With the /30, you are pretty limited here. 

What can you do:

  1. Get/29 subnets from your ISP. This is the best option.
  2. Connect the first ISP to MX1 and the second ISP to MX2. In this setup, the active firewall will always use only one ISP: ISP1 while MX1 is active and ISP2 while MX2 is active.
  3. Place a NAT router in front of the MXes. With a private subnet between the router and the MXes, both can communicate to the dashboard at the same time.

 

EDIT: I didn't see that you have /29s on the LAN side. If option 1 with a /29 transfer is not possible, then option 2 is even easier. Instead of a NAT router you can take two small L3 switches and work without NAT. On this L3-Switch, the /30 goes to the ISP, the /29 goes to the MXes.

 

Some more information on the different options:

https://cyber-fi.net/index.php/2024/02/19/connecting-your-meraki-mx-to-the-internet/

 

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
In response to KarstenI
iliyaz
Here to help
‎Jul 16 2024 11:55 AM
‎Jul 16 2024 11:55 AM

Thank you very much @KarstenI. For addressing all my queries in a single answer.

Option 1: Is the easiest, but hv to do some paper work with ISPs.

 

Option 2: Also looks good. Can you pls guide me in achieving it::

 

Step 1: Create a L3 interface on the MS250 MS-1 Switch and connect the ISP1 interface and configure /30 Public WAN IP and same for MS-2 MS250 switch L3 interface for ISP2.


Step 2: Create a SVI in MS1 and have L3 connection to both the MX1 and MX2

e.g - MS1 :

Vlan 710
ip address 49.xx.8.169/29 -- GW

MX 1 - 49.xx.8.170/29 - WAN 1

MX 2 - 49.xx.8.171/29 - WAN 1


MS2 :

Vlan 711
ip address 182.yy.3.105/29 -- GW

MX 1 - 182.yy.3.106/29 - WAN 2

MX 2 - 4182.yy.3.107/29 - WAN 2


After that what should be done for establishing Internet connection??

 

 

0 Kudos
In response to iliyaz
KarstenI
Kind of a big deal
Kind of a big deal
‎Jul 17 2024 10:59 PM
‎Jul 17 2024 10:59 PM

You can't use your internal Switch for this. Without VRFs, the internal and external routing tables can't be separated, and you build a possible way around the firewall. Use dedicated L3 switches like a CBS350, Catalyst 3560CX, 9200CX.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
In response to KarstenI
iliyaz
Here to help
‎Jul 22 2024 10:56 PM
‎Jul 22 2024 10:56 PM

Thanks @KarstenI  for answering.
I think above all, getting /29 IPs from ISP and configuring it, is simple and easy.

I have requested /29 IPs from both my ISP's i ll be getting in 2-3 days, I will configure the MX's and will update on the progress. 

0 Kudos
In response to iliyaz
KarstenI
Kind of a big deal
Kind of a big deal
‎Jul 22 2024 11:19 PM
‎Jul 22 2024 11:19 PM

Best? Yes. Easy? Not always. I have customers, where the only available ISPs have no product for this. They only offer what you showed, a /30 transfer and a /29 or /28 routed network.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
0 Kudos
In response to KarstenI
iliyaz
Here to help
‎Jul 17 2024 10:29 AM
‎Jul 17 2024 10:29 AM

HI @KarstenI  Any update for the below solution that i have proposed?

0 Kudos
jasonbrown23
Here to help
‎Jul 16 2024 7:39 AM
‎Jul 16 2024 7:39 AM

yeah getting a /29 on the wan Easiest. but since you have /29 for the Lan IP, you can have your /30s terminate on each DMZ switch / edge switch. Then route your /29 behind that so DMZ will have 1 ip from the /30 and one ip from the /29. your 2 firewalls will use the DMZ /29 as there default gateway and each firewall will get a ip from the /29 and use one for the VIP if you want to use that.
iliyaz
Here to help
‎Jul 16 2024 11:57 AM
‎Jul 16 2024 11:57 AM

Thanks @jasonbrown23 for the quick reply. Will try to implement as suggested, but instead of DMZ switch, can i use to MS250-48 LP switch?


Also any cons on using Internet links on DMZ switch and /29's on the MX's??

0 Kudos
In response to iliyaz
jasonbrown23
Here to help
‎Jul 23 2024 5:26 AM
‎Jul 23 2024 5:26 AM

 

  • Set up a VLAN for the /30 subnet: Assign one IP from the /30 subnet to the switch. This VLAN will handle the traffic between your ISP and your network, acting as a point of ingress and egress.

  • Create a default route: Set a default route on the switch pointing to the ISP’s gateway within the /30 subnet. This ensures that all outbound traffic from your network that doesn’t have a more specific route will go through this gateway.

  • Configure a second VLAN for the /29 subnet: Assign another IP from your /29 subnet to the switch. This setup will serve the devices that require external access or are part of a DMZ, like servers or firewalls.

  • Assign IPs to firewalls: Give each firewall an IP from the /29 subnet. The default gateway for these firewalls would be the /29 IP on the switch. This configuration allows the firewalls to communicate directly with the external network and manage traffic accordingly.

  • redundancy: To avoid a single point of failure, it would be ideal to use two switches in this configuration. This way, if one switch fails, the other can take over, maintaining network availability.

  • this all assumes that your MS 250 is not doing any l3 routing currently 

 

 

In response to jasonbrown23
iliyaz
Here to help
‎Jul 26 2024 9:22 AM
‎Jul 26 2024 9:22 AM

Thanks a lot @jasonbrown23 

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.