Spare MX forward traffic or not?

quangvu37
Conversationalist


Dear all,

I wonder whether the spare MX in HA mode forwards traffic or not (if both ports are in the same VLAN)?

Please help me clarify it!

Thanks!

9 Replies
PhilipDAth
Kind of a big deal

Traffic is forwarded at layer 2 on the LAN ports only.

quangvu37
Conversationalist

So it means a loop can occur when we use a full mesh topology?

PhilipDAth
Kind of a big deal

Yes. It relies on the switch it is plugged into using spanning tree to prevent that loop.

quangvu37
Conversationalist

So if I want to deploy two MXs in a full mesh with two FortiGates like the topology below, can you recommend the configuration for both firewall pairs?

[image: Capture.PNG]

PhilipDAth
Kind of a big deal

I would leave the "black" link between the MXs. I would single-connect each FortiGate to its nearest MX. Then you won't have any loops.

quangvu37
Conversationalist

But both MXs cannot see each other and we cannot create a warm-spare setup.

(According to FortiGate, the slave FG does not forward traffic.)

PhilipDAth
Kind of a big deal

If you leave the black link in between the two MXs then they will be able to see each other. They are directly plugged into each other.

If the slave FortiGate does not forward traffic then you don't have a problem.

quangvu37
Conversationalist

Yes, I misunderstood the "leave" action :). That is exactly the topology I think is most feasible.

Thank you for confirming again!

dougcoleman
Conversationalist

How interesting! You have selected the same combo of firewalls, and placed them in the same order as I have... but on my go-live I keep having spanning tree issues (I think) that are taking too long to resolve; that prevents my go-live and I have to back out 😞

My FortiGates are slightly different, I think, as I am told they are an active-active cluster in transparent mode, the thinking being that we should benefit from the additional processing power, at the expense of a few discontinued sessions if there were to be a failure. We also want to do WAN/ISP + VPN tunnel load balancing to complete the redundancy in our network...

My interconnections at the wiring level are exactly as you proposed in your diagram...

Would you be able to post a diagram of your functional solution once implemented?

Thanks a million,

Doug Coleman
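To make the point of this thread concrete (a layer-2 loop needs every device on the cycle to forward frames between its ports, and the spanning tree on the attached switch or MX is what would block it), here is an added Python model; it is not code from the thread, from Meraki or from Fortinet. Device names and cabling are constructed to match the two layouts discussed, and whether the active FortiGate bridges between its two ports is left as an input (assumption: a FortiGate in transparent mode, as in Doug's cluster, bridges frames between its ports; one with routed interfaces does not).

```python
"""Layer-2 loop model for the MX warm spare + FortiGate HA thread above.

Each cable is an edge. A device "bridges" if it forwards frames between
its own ports at layer 2: an MX, active or warm spare, bridges on its LAN
ports; a FortiGate HA slave forwards nothing. Whether the active FortiGate
bridges between its ports is an input, because that is a design choice.
"""


def l2_loop_exists(links, bridges):
    """True if the cables between bridging devices close a cycle.

    Union-find: a cable whose two ends are already connected through other
    bridging devices is a redundant layer-2 path, i.e. a loop that only
    spanning tree on the attached switch/MX could block.
    """
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a, b in links:
        if not (bridges.get(a) and bridges.get(b)):
            continue  # a non-bridging end terminates the path
        ra, rb = find(a), find(b)
        if ra == rb:
            return True
        parent[ra] = rb
    return False


# Constructed cabling for the two layouts discussed (device names made up).
BLACK_LINK = [("MX1", "MX2")]  # the MX-to-MX LAN link
FULL_MESH = BLACK_LINK + [("MX1", "FG1"), ("MX1", "FG2"),
                          ("MX2", "FG1"), ("MX2", "FG2")]
SINGLE_HOMED = BLACK_LINK + [("MX1", "FG1"), ("MX2", "FG2")]
MX = {"MX1": True, "MX2": True}  # the spare MX still bridges on its LAN ports


def scenarios():
    """Loop check per cabling layout and FortiGate behaviour."""
    return {
        "full mesh, both FGs bridge": l2_loop_exists(FULL_MESH, {**MX, "FG1": True, "FG2": True}),
        "full mesh, active FG bridges, slave passive": l2_loop_exists(FULL_MESH, {**MX, "FG1": True, "FG2": False}),
        "full mesh, neither FG bridges": l2_loop_exists(FULL_MESH, {**MX, "FG1": False, "FG2": False}),
        "single-homed FGs, both bridge": l2_loop_exists(SINGLE_HOMED, {**MX, "FG1": True, "FG2": True}),
    }
```

Only the layouts where no bridging device is dual-homed into the MX pair come out loop-free; a full mesh whose active FortiGate bridges its two ports still loops through the black link, which is the situation spanning tree on the switch has to resolve.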
