Hi all,
I'm needing to set up a warm spare configuration with 2x Meraki MX250 devices. I have 2 ISP connections that I'd like to come into a Ubiquiti Layer 2 switch (USW-Aggregation) with 8 ports. I have only 1 of these switches, and really would like to get everything working with just this hardware. I'd like to have both WANs coming into the switch, and 4 outgoing connections, 1 of each WAN connection going to each MX250. What's the best way to do this?
Do I need the ISP to have their routers establish a VLAN for each WAN subnet, then tag each port on the Ubiquiti switch (incoming or outgoing) with the appropriate VLAN, then statically assign the physical ports on the MX250s with the correct IP address? I'm also planning on using a virtual IP for all actual WAN connections on the MX250s for a more seamless failover. Am I on the right track? I have limited network engineering experience and haven't ever dealt with the CE/PE relationship on the edge of a network.
Any help is greatly appreciated!
As has been said, use access ports, 3 in one VLAN, three in another VLAN on the switch. Keep in mind you will also need the ISP to provide you a /29 subnet (6 IP addresses) on the links to make the HA work - one is the ISP gateway, one for each MX and the virtual IP. The other two IP addresses can be used for anything (e.g. NATs on the MX).
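A small planner, added here as an example and not from any post in the thread, that turns the /29 requirement above into a check: it carves one ISP block into the four addresses a warm-spare pair needs (ISP gateway, one per MX, the shared virtual IP) and refuses anything smaller than a /29, which is the case to catch before the ISP provisions the link. The CIDR values are constructed documentation addresses, not anyone's real allocation.

```python
import ipaddress

# Roles each ISP link must carry for an MX warm-spare pair, as described
# in the accepted answer: gateway, one address per MX, and the virtual IP.
REQUIRED_ROLES = ("isp_gateway", "mx_primary", "mx_spare", "virtual_ip")


def plan_wan_subnet(cidr: str) -> dict:
    """Map the required roles onto the usable addresses of one ISP block.

    Raises ValueError if the block has fewer usable hosts than roles,
    e.g. a /30, which cannot support HA with a virtual IP.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    usable = list(net.hosts())  # excludes network and broadcast addresses
    if len(usable) < len(REQUIRED_ROLES):
        raise ValueError(
            f"{cidr} has only {len(usable)} usable host addresses; "
            f"a warm-spare pair needs at least {len(REQUIRED_ROLES)} (a /29 or larger)"
        )
    plan = dict(zip(REQUIRED_ROLES, usable))
    # Whatever is left can be used for 1:1 NATs on the MX, as the answer notes.
    plan["spare"] = usable[len(REQUIRED_ROLES):]
    return plan


if __name__ == "__main__":
    # Constructed example blocks, one per ISP link (RFC 5737 documentation space).
    for link in ("203.0.113.8/29", "198.51.100.16/29"):
        for role, addr in plan_wan_subnet(link).items():
            print(f"{link:20} {role:12} {addr}")
```

Run it once per ISP link; if an ISP hands back a /30 the planner raises instead of silently leaving the virtual IP without an address.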
The ISPs won't need to do anything.
As you say, just make all the ports in the Ubiquiti switch access ports.
So having 2 WANs coming into that switch will route fine from the MX250s through the switch and out to the internet through all 4 ports between the switch and the 2 MX devices, right? As long as the switch is just acting as a dumb switch with access ports.
You paid five figures for your redundant firewalls, pay for redundant links, but don't want to spend 1k for a second switch for full redundancy? Why???
Great question. This client purchased these devices as an NFR. They have a Cisco partnership as a reseller for other products. They didn’t want to buy another switch if they don’t have to.
This is great. Thank you.