Meraki Community

Requirements and Best Practices 

When configuring routed HA, it is critical that both MXs have a reliable connection to each other on the LAN, so the heartbeats of the primary MX can be seen reliably by the spare. To ensure this connection is reliable:

• The two MXs should be connected to each other through a downstream switch (or ideally, multiple switches) on the LAN to allow for passing VRRP heartbeats.
  • There should be no more than one additional hop between them, and they must be able to communicate on all VLANs.
  • Make sure Spanning-Tree Protocol (STP) is enabled on the downstream switching infrastructure, as a properly-configured HA topology will introduce a loop on the network.
• When first configuring routed HA, the spare should be added and configured in the dashboard before the device is physically deployed, so it will immediately fetch its configuration and behave appropriately.
• If a virtual IP is being used, each uplink of the two MXs must share the same broadcast domain on the WAN side.

so, is that means we need to have another IP public to be used on our Firewall ? and we need to have this public ip configured :

• x.x.x.x/29 (ISP-A) allocation :
  1. x.x.x.1 > ISP side
  2. x.x.x.2 > MX01
  3. x.x.x.3 > MX02
  4. x.x.x.4 > vIP Heartbeat
  5. x.x.x.5 > Firewall

• y.y.y.y/29 (ISP-A) allocation :
  1. y.y.y.1 > ISP side
  2. y.y.y.2 > MX01
  3. y.y.y.3 > MX02
  4. y.y.y.4 > vIP Heartbeat
  5. y.y.y.5 > Firewall

as mentioned  on this link below https://documentation.meraki.com/MX/Deployment_Guides/MX_Warm_Spare_-_High_Availability_Pair#Routed_... :

No, if you look at the recommendations, what I'm talking about has nothing to do with WAN.

• The two MXs should be connected to each other through a downstream switch (or ideally, multiple switches) on the LAN to allow for passing VRRP heartbeats.
  • There should be no more than one additional hop between them, and they must be able to communicate on all VLANs.
  • Make sure Spanning-Tree Protocol (STP) is enabled on the downstream switching infrastructure, as a properly-configured HA topology will introduce a loop on the network.

Your WAN IP config looks ok to me (warning - I'm just starting my first morning coffee, so brain is maybe not at 100% yet). The MX WAN interfaces need unique IPs on each unit in the HA config and another IP for the VIP. It appears you have all that in place.

What @alemabrahao is mentioning is the LAN side of the MXs. The MXs don't support LACP or STP. So, you can have redundant links like you show as long as the device on the other side supports and is running STP to prevent loops. Not sure those downstream firewalls would support that in this design.

Our recommended topology shows not connecting MXs directly to each other. I'm not sure any document specifically says not to do it. And, I personally see some value in a direct link between MXs as one more layer of protection against a dual active scenario (example topologies). 

Also, VRRP is sent on all VLAN interfaces on a MX. So it would also go over the port 2 & 3 of the MXs in your diagram. There's no concept of a dedicated HA/VRRP link on a MX.

got it, so it means i could applied with this topology design below? as long peer switch device could run STP to block looping

Might just be minor omissions/oversights in the diagram. But if you have two ISPs there would be two VIPs on the MX HA pair. VIP1 = ISP1 and VIP2 = ISP2.

Also, the diagram mentions 10.10.255.x/29 in a few places. So I'm not entirely sure where that's being used or if it's just a generic reference. On the MX we refer to the VIP as the shared WAN IP(s) and not any LAN side L3 interface/SVI.

But IPs aside the rest of it looks reasonable to me. That said I would very much want to lab it up and test  all failure scenarios prior to deployment.

Got it, will be applied vIPs for each ISP connection.

"Also, the diagram mentions 10.10.255.x/29 in a few places. So I'm not entirely sure where that's being used or if it's just a generic reference. On the MX we refer to the VIP as the shared WAN IP(s) and not any LAN side L3 interface/SVI."

• yes my purpose like having VRRP for LAN side using 10.10.255.x/29 segment. 
• Much like having HSRP and use IPs on :
  • MX1 10.10.255.1, priority 100
  • MX2 10.10.255.2, priority 90
  • MX Standby IP 10.10.255.3
  • Firewall 10.10.255.5
• So traffic from INSIDE (GCP)/LAN side will have an MX Standby IP 10.10.255.3  as next hop to the OUTSIDE (ISPs)
• And traffic from OUTSIDE (ISPs) will have an Firewall IP 10.10.255.5 as next hop to the INSIDE (GCP)/LAN side

Could i applied that scenario above ? because it still confusing me, as there are no exact documentation to applied Layer 3 redundancy on LAN side

"The MX requires unique IPs on the WAN side. So, one for MX1 another for MX2 and a third optional one for the VIP."

• Could I use private IP for vIP ? rather than public IP as vIP ?

"The LAN side works differently. There are just VLANs and their associated L3 IPs. No per MX IP, nor a VIP. The single IP per VLAN will belong to whichever MX is primary."

• So is that mean, i just need these configuration below ? :
  • Create Interface vlan 255 10.10.255.1/30  on MX1 and MX2
  • Create mode access vlan 255 on port 2-3 towards LAN side 
  • Create Interface vlan 255 10.10.255.2/30 on Firewall side
  • Create static route between MXs and Firewall

Yes

thank you for your feedbacks @Ryan_Miles , this will help me a lot.. 🤝