Only MX network (non-MPLS) with SASE(Palo Alto) project

Ayyub
Comes here often


I would be happy if someone has already done this migration in practice (no theory needed):

1) I would like to ask: did anyone migrate/remove the MPLS connection in the Meraki area? I am interested in what kind of problems you have already faced when you removed the MPLS connection. I would like to know what happened in practice. The Prisma Access/SASE project (with Palo Alto) is interesting for me.

2) How was the plan for the SD-WAN and security side? Was the Enterprise license okay or not? What should be noted and planned?

3) LAN:

a) I would like to use 2x MX for high availability (VRRP). What was the reaction if the first MX fails (how many seconds)?

b) Depending on the location (big or small), I would like to use MXs and L2 switches, or an MXs, L3 and L2 switch connection.

Did you have a connection between L2 switches? You can see in the Meraki documentation (MX and only L2 direct connection without L3), the connection between L2 switches keeps alive the 1st MX (if one of the MXs fails). How was the spanning tree (RSTP) reaction?

What about with an L3 connection (MX > L3 > L2)? What would be your recommendation for high availability?

 

Many thanks in advance!

 

5 Replies
alemabrahao
Kind of a big deal

First, I think you should start reading the documentation.
If you don't feel confident, I suggest hiring a Meraki partner company.

 

https://documentation.meraki.com/MX/Deployment_Guides/MX_Warm_Spare_-_High_Availability_Pair#Recomme...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Ayyub
Comes here often

As I wrote, I am interested in who has already done the migration and what kind of problems other colleagues face. We have a contract with Cisco and a partner provider, and our own big test lab. As I wrote, maybe someone has faced issues/problems in practice. I have much documentation to share with you as well, but I need someone who has migrated recently (sometimes theory and reality are not the same):

 

•MX Failover HA: https://documentation.meraki.com/MX/Networks_and_Routing/Routed_HA_Failover_Behavior

•Meraki MX Warm Spare: https://documentation.meraki.com/MX/Deployment_Guides/MX_Warm_Spare_-_High_Availability_Pair#

•MX datasheet: https://meraki.cisco.com/product-collateral/mx-family-datasheet/?file

•MX85 WAN Port behavior: https://documentation.meraki.com/MX/MX_Overviews_and_Specifications/WAN_behavior_on_MX75%2F%2F85%2F%...

•Meraki SFP: https://documentation.meraki.com/General_Administration/Cross-Platform_Content/SFP_and_Stacking_Acce...

•Meraki License overview: https://documentation.meraki.com/General_Administration/Licensing/Meraki_MX_Security_and_SD-WAN_Lice...

HA: MX Warm Spare - High-Availability Pair - Cisco Meraki

Ayyub
Comes here often

Of course, later I will do everything in the test lab, but now I am planning the runbook, design, and preparation before starting this migration process. I am open to seeing recommendations, suggestions, etc. Many thanks in advance.

Brash
Kind of a big deal

A few anecdotal comments

 

1) I've migrated a few sites from existing MPLS connections to DIA SD-WAN.

It made sense for that business and their use cases. It was a relatively seamless experience. The tunnels have very high uptimes, and it has been a positive end-user experience.

 

2) This depends on the client, but for any decent-sized SME business, I look at Advanced Security or better.

 

3) I don't have any sites running HA in routed mode. I have one site running HA VPN concentrators. Failovers between them appear to be relatively quick, but I haven't tested in a long while.

Ayyub
Comes here often

Many thanks for your comments!
