Use virtual Uplink IPs or Use MX uplink IPs

Mangocis
Here to help


Hi,

 

We have two MXs of the same model, and we want to design an HA for our environment. I am considering having WAN 1 (from ISP 1) on both the main and spare MX, and WAN 2 (from ISP 2) on both the main and spare MX.

 

ISP1-> (MXA_Wan1, MXB_Wan1)

ISP2-> (MXA_Wan2, MXB_Wan2)

 

 

The MX also has a virtual uplink setting.

Which option is the best? Does anyone have any ideas?

rhbirkelund
Kind of a big deal

Either way, you'll need two IP addresses from ISP A, and two addresses from ISP B - one for each WAN port.

 

The Virtual IP allows you to have an extra, third IP address that is shared between the two MXs' WAN1 ports. When using Warm Spare (which is based on VRRP), you'd have the third IP address, which points towards the Active-Primary MX. In case of a failure on the Primary MX, the Secondary MX will become Active and take over the third IP address.

 

If you don't use the Virtual IP, in the event of a failure on the Primary MX, for VPN connections, you'll have to manually reconfigure endpoints to use the Spare MX WAN IP. In terms of sessions, your clients may also experience short outages, as all their TCP traffic will be reset, and connections have to be re-established as your Public IP address would have changed.

 

However, in order to obtain a third IP address for Warm Spare, it would require your ISP to at least provide a /29 handoff, which in some cases may be a bit more difficult and more expensive.

 

For more details on Meraki Warm Spare, I'd refer you to the documentation page here: https://documentation.meraki.com/MX/Deployment_Guides/MX_Warm_Spare_-_High_Availability_Pair

LinkedIn ::: https://blog.rhbirkelund.dk/

Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂

All code examples are provided as is. Responsibility for Code execution lies solely your own.
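An addressing-plan check for one warm-spare uplink, as an added example that is not part of the original thread or of Meraki's tooling. It assumes static addressing with the ISP gateway, both MX uplink IPs and the optional virtual IP in a single IPv4 subnet; the function name and the sample addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress


def check_warm_spare_uplink(subnet, gateway, mx_a_ip, mx_b_ip, vip=None):
    """Return a list of problems with one uplink's addressing plan (empty list = OK)."""
    net = ipaddress.ip_network(subnet, strict=True)
    roles = {"ISP gateway": gateway, "MX-A uplink": mx_a_ip, "MX-B uplink": mx_b_ip}
    if vip is not None:
        roles["virtual IP"] = vip

    problems = []
    # Network and broadcast addresses cannot be assigned to an interface.
    usable = max(net.num_addresses - 2, 0)
    if usable < len(roles):
        problems.append(f"{net} has {usable} usable addresses, {len(roles)} needed")

    seen = {}
    for role, text in roles.items():
        addr = ipaddress.ip_address(text)
        if (addr not in net
                or addr in (net.network_address, net.broadcast_address)):
            problems.append(f"{role} {addr} is not a usable host address in {net}")
        if addr in seen:
            # Covers the case discussed in the thread: the same IP on both MXs.
            problems.append(f"{role} reuses {addr}, already assigned to {seen[addr]}")
        else:
            seen[addr] = role
    return problems


if __name__ == "__main__":
    # Constructed sample plans using documentation address ranges.
    plans = {
        "/29 with VIP": ("203.0.113.0/29", "203.0.113.1", "203.0.113.2",
                         "203.0.113.3", "203.0.113.4"),
        "same IP on both MXs": ("203.0.113.0/29", "203.0.113.1", "203.0.113.2",
                                "203.0.113.2", None),
        "/30 with VIP": ("198.51.100.0/30", "198.51.100.1", "198.51.100.2",
                         "198.51.100.3", "198.51.100.2"),
    }
    for name, plan in plans.items():
        print(name, "->", check_warm_spare_uplink(*plan) or "OK")
```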
Mangocis
Here to help

Thanks for your response. The idea behind having one IP address from each ISP is to have the same IP address when we experience a failure in the primary MX. Some services rely on the IP address, and we don't want to lose clients' access to those services due to a failure in the primary MX.

rhbirkelund
Kind of a big deal

I'm rather certain that having the same IP address on WAN1 of both MXs won't work.

Mangocis
Here to help

I asked Meraki support, and this is their response:

 

 

Thank you for contacting Cisco Meraki support.

Yes, having 2 WAN uplinks on Primary and Spare MX is supported. Please refer to the following KB for recommended topologies:
https://documentation.meraki.com/MX/Deployment_Guides/MX_Warm_Spare_-_High_Availability_Pair#Recomme...

rhbirkelund
Kind of a big deal

Yes, but I'm still rather certain that it won't work if you reuse the same IP address from MX_A WAN1 on MX_B WAN1. This is what the Virtual IP is for. But you'll still need individual IP addresses on each WAN interface. WAN1 and WAN2 can be different ISPs, but still need individual IP addresses.

SUBU
New here

Hi everyone.

Just trying to understand how failover works on the WAN side. Let's say I have a /29 public subnet.

The Internet link is via an UNTRUST switch (Layer 2 switch) and 2 MX boxes (WAN1 of MX-A and WAN1 of MX-B), with the ISP gateway connected to the UNTRUST Layer 2 switch. A VIP (common IP) is used; the idea is to not have the NAT public IP change so that TCP sessions will NOT get terminated. NAT is happening on MX-A. Classic outbound flows to the Internet / northbound. EVENT = the MX-A link to the UNTRUST switch fails (link failure), or there is huge packet loss (PL) / packet drops on the link from MX-A connected to the UNTRUST switch: how does the failover happen? I read in some articles that VRRP hello multicast/heartbeat packets will be sent via the LAN interface only, NOT via the WAN interface. Wondering how the other MX-B will take over the VIP / floating IP / shared public IP. Is there any HA cluster link which will be used? MX-A will inform MX-B that the WAN1 interface of MX-A is DOWN. Secondly, in the brownout scenario, with MX-A's WAN1 interface having packet loss: is there any mechanism by which, after 60 seconds, MX-B will become Active for the VIP (public IP) shared between the 2 MX boxes?

SUBU
New here

Just comparing with other SD-WAN products, Silver Peak and Juniper 128T SSR, which I am currently working on. I'd appreciate your valuable response.

 

Thanks

SUBU

Mangocis
Here to help


Also, this is the Meraki recommended design for best-practice HA.

https://documentation.meraki.com/MX/Deployment_Guides/MX_Warm_Spare_-_High_Availability_Pair

 

 

JonP
Getting noticed

We have the same situation: two different WAN connections on an HA pair of MXs. @rhbirkelund is correct that you can't have the same IP address on separate WAN interfaces - this is what the virtual IP is for.

 


 
