SD-WAN - Resilience using downstream switch ports issue

Solved
513gg
Conversationalist


Hi

 

I am attempting a proof of concept for a new SD-WAN solution I am looking into and require some assistance on an issue I face with the Meraki MX devices, or possibly the MS switches in between them. 

 

Most standard MPLS / DIA providers only offer one RJ45 / SFP port from their router, and there is a requirement to ensure full resilience for the solution. 

 

I have two MX84 devices, HA pair.  I have one cable from either internet provider and am following the below design. I have a transit VLAN (/30 subnet) between router and MX, using VLAN tagging. I have connected the routers into the MS switch on an access port on VLANX, and then connected the internet port of the MX to another port on the switch using the same VLAN. The MX is set with a static IP using VLAN tagging, however it just registers WAN2 as failed.

 

If I plug the router directly into the internet port of the primary MX, it works. 

 

I looked in the ARP table on both router and MX and neither has an ARP entry for the other. I did a packet capture on the switches and I can see ARP requests for both IPs from router and MX, but there is never an ARP reply. 

 

Has anyone managed to get a solution like the below working, or is there a better way of achieving redundancy without the need for human interaction to move cables?

 

[Attachment: HA-Meraki.JPG, design diagram]
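Added example, not part of the original post: the symptom described above (ARP requests from both the router and the MX visible on the switch, never a reply) can be pulled out of a tcpdump-style capture mechanically. The script below parses ARP request/reply lines and lists every target that was asked for but never answered. The capture text is constructed for this example using RFC 5737 documentation addresses (203.0.113.0/30 standing in for the router/MX transit pair, 192.0.2.0/24 as a healthy control); none of it is from the thread. Requests with no reply mean the two endpoints are not sharing a working broadcast domain (a VLAN-tag mismatch between an access port and a tagged uplink is one common cause), but the capture alone does not say which, so the script only reports the unanswered targets.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style ARP capture (not from the original post). The
# 203.0.113.0/30 pair models the router (.1) and MX WAN2 (.2) described in the
# thread: both sides ask for each other and nothing ever answers. The
# 192.0.2.0/24 pair is a healthy control that does get a reply.
SAMPLE_CAPTURE = """\
10:15:01.000100 ARP, Request who-has 203.0.113.2 tell 203.0.113.1, length 46
10:15:01.000200 ARP, Request who-has 203.0.113.1 tell 203.0.113.2, length 28
10:15:02.000100 ARP, Request who-has 203.0.113.2 tell 203.0.113.1, length 46
10:15:02.000200 ARP, Request who-has 203.0.113.1 tell 203.0.113.2, length 28
10:15:03.000100 ARP, Request who-has 192.0.2.10 tell 192.0.2.1, length 46
10:15:03.000150 ARP, Reply 192.0.2.10 is-at 00:18:0a:11:22:33, length 28
"""

# tcpdump's default ARP formatting for requests and replies.
REQUEST_RE = re.compile(r"ARP, Request who-has (\S+) tell (\S+),")
REPLY_RE = re.compile(r"ARP, Reply (\S+) is-at ([0-9A-Fa-f:]+),")


def parse_arp(lines):
    """Return (requests, replies).

    requests: target IP -> {requesting IP -> number of requests seen}
    replies:  IP -> MAC address that answered for it
    """
    requests = defaultdict(lambda: defaultdict(int))
    replies = {}
    for line in lines:
        m = REQUEST_RE.search(line)
        if m:
            target, requester = m.groups()
            requests[target][requester] += 1
            continue
        m = REPLY_RE.search(line)
        if m:
            ip, mac = m.groups()
            replies[ip] = mac.lower()
    return requests, replies


def unanswered_arp(capture_text):
    """List (target, requester, count) for every target that was asked for
    but never replied, sorted for stable output."""
    requests, replies = parse_arp(capture_text.splitlines())
    missing = []
    for target in sorted(requests):
        if target in replies:
            continue  # somebody answered for this IP at least once
        for requester, count in sorted(requests[target].items()):
            missing.append((target, requester, count))
    return missing


def report(capture_text):
    """Human-readable summary; returns the lines so callers can test them."""
    lines = []
    for target, requester, count in unanswered_arp(capture_text):
        lines.append(f"{requester} asked for {target} {count}x with no reply")
    if not lines:
        lines.append("every ARP request in the capture was answered")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CAPTURE)))
```

Feed it the text of a `tcpdump -n arp` capture taken on the switch port; a pair of addresses that only ever appear in the "no reply" list is the pair to chase at layer 2 before looking at anything above it.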

1 Accepted Solution
jdsilva
Kind of a big deal

Hey @513gg ,

 

There's definitely a couple of problems with this design. If you want to do MX Warm Spare you're going to need a minimum of 2 public IPs for the WAN links (one for each MX). Add in one for the provider and your /30 no longer fits the bill. You need a /29 to do this. This is non-negotiable as this is the way Meraki has built their Warm Spare feature. But before we go too far into the design...

 

The second thing here is that you won't be able to connect a WAN port of an MX to private MPLS like that without doing some trickery at the head end. There's a caveat here that you may not be aware of, where WAN ports must have Internet connectivity to function at all. This is fine at branch locations, but the head end will end up ping-ponging Dashboard traffic to a spoke and back. 

 

I'm going to throw some KBs at you 🙂

 

Running Auto VPN over private MPLS

https://documentation.meraki.com/MX/Site-to-site_VPN/Configuring_Site-to-site_VPN_over_MPLS

 

Other ways to incorporate private MPLS

https://documentation.meraki.com/MX/Deployment_Guides/MPLS_Failover_to_Meraki_Auto_VPN

https://documentation.meraki.com/MX/Networks_and_Routing/Integrating_an_MPLS_Connection_on_the_MX_LA...

 


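Added example, not part of the accepted answer: the /30 versus /29 point above is a simple address-count check, but it is easy to get wrong when the provider hands over a tiny transit block. The script below counts usable hosts in a prefix, works out the smallest prefix that fits a given number of devices, and hands out one address per role. The role list (provider gateway plus one WAN IP per MX in the pair) follows the answer's count of three; it is an assumption for the example and should be extended if the provider reserves extra addresses. The 203.0.113.0 prefixes are documentation addresses, not real ones.

```python
import ipaddress

# Roles that each need their own address on the transit subnet, following the
# answer above: the provider's router plus one WAN IP per MX in the warm-spare
# pair. Assumed for this example; extend it if your provider reserves more.
WARM_SPARE_ROLES = ("provider-gateway", "mx-primary-wan", "mx-spare-wan")


def usable_hosts(cidr):
    """Usable IPv4 host addresses in a prefix (network and broadcast excluded)."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.prefixlen >= 31:
        return 0  # /31 and /32 have no conventional host range for this purpose
    return net.num_addresses - 2


def smallest_prefix(required):
    """Longest IPv4 prefix length that still yields `required` usable hosts."""
    for plen in range(30, -1, -1):
        if (1 << (32 - plen)) - 2 >= required:
            return plen
    raise ValueError("more hosts than IPv4 allows")


def plan_transit_subnet(cidr, roles=WARM_SPARE_ROLES):
    """Assign each role the next usable address in order, or return a message
    explaining why the prefix is too small. Returns (plan, problem)."""
    net = ipaddress.ip_network(cidr, strict=True)
    available = usable_hosts(cidr)
    if available < len(roles):
        return None, (
            f"{cidr} has {available} usable addresses but {len(roles)} are needed; "
            f"use a /{smallest_prefix(len(roles))} or larger"
        )
    hosts = net.hosts()  # generator over usable addresses, lowest first
    return {role: str(next(hosts)) for role in roles}, None


if __name__ == "__main__":
    for cidr in ("203.0.113.0/30", "203.0.113.0/29"):
        plan, problem = plan_transit_subnet(cidr)
        print(cidr, "->", plan if plan else problem)
```

Run it against the block your provider actually assigned before cabling anything; a /30 fails with a message naming the /29 it needs, while a /29 yields an address for each of the three roles with three spare.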
2 Replies

513gg
Conversationalist

Thank you jdsilva. 

 

Noted on the /30 subnet front. I had naively assumed that the warm spare MX would pick up the same IP address schema as the active if the active failed.

 

KB - https://documentation.meraki.com/MX/Site-to-site_VPN/Configuring_Site-to-site_VPN_over_MPLS 

 

Really good KB, and my design is now based on the above, but ensuring the MPLS. Luckily the MPLS can connect out to the internet at a hub site, so it seems to be working so far. 

 

 
