Warm Spare one ISP/30 config using switch stack as breakout switch

Weaver
Conversationalist


Hello,

We are bringing a second MX84 online as a warm spare. The problem is that our ISP gives us one /30 address, and we do not want to use a breakout switch in front of the MX84s but do it in the switch stack.

 

So, I created a new VLAN 666, brought the ISP into port one of switch 1 with VLAN 666, then also included ports 2 and 3 in switch one for VLAN 666 to wire into WAN 1 of each MX, essentially creating a hub to split the ISP. I'm unsure when creating the VLAN if I should use the "same or unique" setting in the subnetting. If I use same, I need to enter the MX IP. Is that the primary MX IP?

[Attached screenshots: Weaver_1-1651761942661.png, Weaver_2-1651761984525.png]

 

Thanks in advance for any help.

 

 

 

ww
Kind of a big deal

Not sure how you want to build this.

A /30 has 2 usable IPs: 1 for the gateway, 1 for the MX WAN.

I would also not use an IP from the LAN side of the MX on the WAN side of the MX. If it's even possible, it's going to give you problems.

Weaver
Conversationalist

I'm not sure I understand your reply.

KarstenI
Kind of a big deal

Not only is the usage of an internal infrastructure for your WAN-VLAN a very bad security practice, I assume that you will really run into problems when you do this with your template-based networks. But as this VLAN will never be routed outside the local site, you can use "same" here. For the IP, it is irrelevant as it will not work in a secure way. For a setup like this you would need an additional VRF on the MX, which is not available. Your setup will bridge the internet into your internal network.

Do yourself a favour and place a small Ethernet-Router in front of the MXes and/or let the Provider assign a /29 network and use a small L2-switch. This could also be a cheap unmanaged switch.

Weaver
Conversationalist

Thanks for the confirmation of that.

Ryan_Miles
Meraki Employee

If you're just using the switch as an L2 breakout for the WAN links going to the MX WAN ports, this would have nothing to do with the LAN side VLANs of the MX, which your screenshots refer to.

 

The /30 from your ISP is a problem. Each MX needs its own IP.

PhilipDAth
Kind of a big deal

Focus on the bit that @Ryan_Miles and @ww mention first.

 

Each MX needs its own IP address.  You need at least a /29 from your ISP to make this work using a single ISP connection.  You could also consider getting a second /30 connection from the ISP, one for each MX.

 

You could also plug the /30 into only the primary MX, and then get something like an MG21 cellular gateway, and plug both MX into that.

https://meraki.cisco.com/product/cellular/integrated-antenna/mg21/ 
