
Spare MX forward traffic or not?

Conversationalist


Dear all,

I wonder if the spare MX in HA Mode forwards traffic or not (if both ports have the same VLAN)?

Please help me clarify it!

Thanks!

Kind of a big deal

Re: Spare MX forward traffic or not?

Traffic is forwarded at layer 2 on the LAN ports only.

Conversationalist

Re: Spare MX forward traffic or not?

So it means a loop can occur when we use a full mesh topology?

Kind of a big deal

Re: Spare MX forward traffic or not?

Yes.  It relies on the switch it is plugged into using spanning tree to prevent that loop.

Conversationalist

Re: Spare MX forward traffic or not?

So if I want to deploy full-mesh 2 MXs with 2 Fortigates like the topology below, can you recommend the configuration for both firewall pairs?

[Attached image: Capture.PNG]

Kind of a big deal

Re: Spare MX forward traffic or not?

I would leave the "black" link between the MXs.  I would single connect each Fortigate to its nearest MX.  Then you won't have any loops.

Conversationalist

Re: Spare MX forward traffic or not?

But both MXs cannot see each other and we cannot create a warm-spare setup.

(According to Fortigate, the Slave FG does not forward traffic.)

Kind of a big deal

Re: Spare MX forward traffic or not?

If you leave the black link in between the two MXs then they will be able to see each other.  They are directly plugged into each other.

If the slave Fortigate does not forward traffic then you don't have a problem.
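
The loop reasoning in the replies above, worked through as an added example that is not part of the original thread or of any Meraki or Fortinet tooling. The device names and cable lists are constructed from the wording of the posts (the attached diagram is not available), and which devices bridge at layer 2 is passed in as an assumption.

```python
# Added example: layer-2 loop check for the cabling options discussed above.
# Topologies are constructed; the thread's diagram is not available.

def redundant_links(links, bridging):
    """Return the cables that close a layer-2 loop.

    links    -- list of (device_a, device_b) cables
    bridging -- set of devices that forward frames between their own ports
    A bridging device is a single node. A non-bridging device contributes
    a separate node per cable, so it can never be part of a loop.
    """
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    closing = []
    for i, (a, b) in enumerate(links):
        # Non-bridging endpoints get a node id that is unique per cable.
        na = a if a in bridging else (a, i)
        nb = b if b in bridging else (b, i)
        ra, rb = find(na), find(nb)
        if ra == rb:
            closing.append((a, b))  # both ends already connected: a loop
        else:
            parent[ra] = rb
    return closing

# Assumed full mesh: MX-to-MX link plus every MX cabled to every Fortigate.
FULL_MESH = [("MX1", "MX2"), ("MX1", "FG1"), ("MX1", "FG2"),
             ("MX2", "FG1"), ("MX2", "FG2")]
# Suggested cabling: keep the MX-to-MX link, one cable per Fortigate.
SINGLE_CONNECTED = [("MX1", "MX2"), ("MX1", "FG1"), ("MX2", "FG2")]

ALL_BRIDGE = {"MX1", "MX2", "FG1", "FG2"}

if __name__ == "__main__":
    print("full mesh:", redundant_links(FULL_MESH, ALL_BRIDGE))
    print("single connected:", redundant_links(SINGLE_CONNECTED, ALL_BRIDGE))
```

The links returned for the full mesh are the ones spanning tree on an attached switch would have to block; the single-connected cabling returns none even when every device is assumed to bridge.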

Conversationalist

Re: Spare MX forward traffic or not?

Yes, I misunderstood the "leave" action :). Exactly what I think is the most possible topology.

Thank you for confirming again!

Conversationalist

Re: Spare MX forward traffic or not?

How interesting! You have selected the same combo of firewalls, and placed them in the same order as I have... but on my go-live I keep having spanning tree issues (I think) that are taking too long a time to resolve and that prevents my go-live and I have to back out 😞

My Fortigates are slightly different, I think, as I am told they are an active-active cluster in transparent mode, the thinking being should benefit from the additional processing power, at the expense of a few discontinued sessions if there were to be a failure. We also want to do WAN/ISP + VPN tunnel load balancing to complete the redundancy in our network...

My interconnections at the wiring level are exactly as you proposed in your diagram...

Would you be able to post a diagram of your functional solution once implemented?

Thanks a million,

Doug Coleman
