Procedure to upgrade an MX84 to MX250

JED2021
Getting noticed

Procedure to upgrade an MX84 to MX250

1.  Is there a cabling best practice document to possible move to 10 gig even port channels if possible?

 

2.  Based on item 1  how does the config map the ports.

 

3.  how do I initially get the MX250's online.  I have a /29 on each of my duel ISPs can I standalone set these devices up and not connect them to the internal network at first?

 

4.  Is there a step by step document  to stand up the MX250 and is the config easily replicated from the MX84?

 

5.   Lastly I  have 2 GCP VPNs that will need to  move the PSK's to the new Appliance

 

 

8 REPLIES 8
Bettencourt
Meraki Employee
Meraki Employee

Hello,

 

Most of your questions if not all, are answered in this KB.

 

https://documentation.meraki.com/MX/Other_Topics/MX_Cold_Swap_Replacing_an_Existing_MX_with_a_Differ...

 

Swapping one MX for another is very easy to do and downtime should be minimal.

 

🙂

I am looking for  the upgrade process not an RMA operation.

 

Do MX250 auto port channel?

 

My current implementation is poor so I want to move to the best practices model

 

MX250 Active / standby

 

Each MX240 connected to port channels on a stack of MS410.

 

I believe I basically need each MX DOT1Q do the MS for the TRUST/INTERNAL SVI

 

Each ISP on an access port on the MS with its own VLAN ISP1 and ISP2 then plugged into each MX so that the VRRP for the Virtual is heard  across those vlans. for the UNTRUST/EXTERNAL.  Right now we are using a small netgear for this which is not desired.

I will need to prune those VLANS off the MX to MS Trunk I believe.

 

 

 

Bruce
Kind of a big deal

@JED2021, what you are intending to do is mostly achievable, but there are a few point to note:

 

  • The MX does not support port-channel/LAG/LACP (or whatever you want to call it). The recommended approach is a connection from each MX to each of the switches in the stack and rely on STP to ensure ports are blocked appropriately so no Layer 2 loops are created.
  • You can certainly bring your ISP connections through the MS410 stack and back onto the WAN port of the MXs, keeping each one in its own VLAN and using access ports (and remove the VLANs from the trunks), but it will likely mess with your traffic and statistics on the Dashboard (all depends how much you use them). You might want to keep the separate switch(es) for the WAN links, upgrade them if you want and consider putting them in a separate network if you use Meraki switches.
  • VRRP does not run on the WAN ports of the MX. If you have a VIP configured the active MX will own the VIP for the WAN connection, but there is no VRRP running between the MXs on the WAN side. VRRP runs on the LAN side only - Layer 2 heart beats are sent over every VLAN configured on the MX, and the active MX owns the Layer 3 IP addresses for all the VLANs; the inactive MX has no IP addresses on the VLANs.
JED2021
Getting noticed

If. no VRRP on the wan weeks / VIP configuration then what is the specified requirement to have a separate broadcast domain for ISP1 plugged into both MX and ISP 2 needs a broadcast domain and plugged into both MX?

Bruce
Kind of a big deal

@JED2021 you don't have to have a shared broadcast domain across both the WAN1 interfaces (or both the WAN2 interfaces) in a HA configuration for routed/NAT mode, you only need that if you run a VIP, and you don't have to have a VIP. (A VIP is only a necessity in a HA VPN concentrator configuration).

 

You can run HA with ISP1 to WAN1 on the active MX, and ISP2 to WAN1 on the standby MX, and it all works fine. ISP2 is only used for telemetry from the standby MX, there is no traffic using it unless a failover occurs. You can only configure the WAN1 bandwidth once for both the active and standby MX, so either the ISP services should be similarly sized (or use WAN2 on the standby, so WAN2 is empty on the primary MX and WAN1 is empty on the secondary MX). And, if you don't have a VIP, when a failover occurs all current sessions have to be reinitiated, and all VPN tunnels rebuilt (because of the IP address change), but that doesn't take long.

JED2021
Getting noticed

The current pair of MX84 are

Primary Master

Spare Passive ready

 

Both WAN ports are active and do have traffic

 

We have client VPN and Generic 2 VPNs to a cloud provide.  We would like to add a second pair of VPNs off the ISP2.

 

This is what it is (. do not get confused that our of coincidence the 4th octet is the same for different ISPs,  Maybe just luck)

 

CARRIER A assigned A.A.A.64/29

CARRIER A assigned B.B.B.64/29

 

MX84 SMMARY Screen

General
PUBLIC IP. A.A.A.66
WAN 1
TYPE IPV4
CONFIGURED AS VIRTUAL
STATUS ACTIVE
IP ADDRESS A.A.A.66
VIRTUAL IP. A.A.A.67
GATEWAY A.A.A.65

WAN 2
TYPE IPV4
CONFIGURED AS. VIRTUAL
STATUS. ACTIVE
IP ADDRESS. B.B.B.66
VIRTUAL IP B.B.B.67
GATEWAY B.B.B.65

https://documentation.meraki.com/MX/Deployment_Guides/MX_Warm_Spare_-_High_Availability_Pair

I am moving toward a core pair of MS devices in stack with aggregation switches connected via port channels  for  floors in the building

 

I am using a VIRTUAL IP currently and thise VIRTUAL IPs connect to VPNS at a cloud provider.

NOTE

  • and behave appropriately.

Additionally, the following other considerations should be kept in mind:

  • If a virtual IP is being used, then each uplink of the two MXs must share the same broadcast domain on the WAN side.

QUESTION.  What protocol do the the MX use on the WAN side?

Bruce
Kind of a big deal

On the WAN side the MX just uses Ethernet (for Link Layer) and TCP/IP (for Network Layer) - that's basically it, there is no VRRP or anything else at these Layers.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels