Meraki

Community

Warm spare....direct cable or not?!?

Solved
Aaron_Wilson
A model citizen
‎Apr 18 2019 5:31 PM
‎Apr 18 2019 5:31 PM

Warm spare....direct cable or not?!?

So I was doing some random internet browsing and discovered this article:

 

https://www.willette.works/mx-warm-spare/

 

This Meraki employee is saying direct connect VRRP is preferred. This contradicts the the latest articles on the Meraki sites and some of the threads on this site that direct connect VRRP is bad (even some Meraki people are saying it's bad).

 

So I guess which is it? Sorry for the new thread, but this seems like a rather important design consideration and Meraki is providing conflicting information.

0 Kudos
1 Accepted Solution
In response to Aaron_Wilson
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Apr 19 2019 12:33 PM
‎Apr 19 2019 12:33 PM

The red lines would work, but I wouldn't use that approach as it creates a layer 2 loop, and you are relying on spanning tree holding a port down.

View solution in original post

0 Kudos
8 Replies 8
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Apr 18 2019 6:30 PM
‎Apr 18 2019 6:30 PM

Much respect to Aaron Willette; but note the special restriction that the link uses a dedicated VLAN so to maintain a loop free solution.

 

On the whole most people were simply putting in a cable and trunking all the VLANs, which was causing spanning tree problems.  On the whole if you have an environment where failover will be a rare event, and failing over within 60s or so in that rare event is fine (will probably be closer to 30s), then you can use the design that the Meraki web site proposes - a nice simple stable design, that is reasonably resilent to human error.

It is really difficuly making networks tolerant of human errors.

 

I personally use the Meraki web site design of no direct link between the MX's.

https://documentation.meraki.com/MX/Deployment_Guides/MX_Warm_Spare_-_High_Availability_Pair

In response to PhilipDAth
cta102
Building a reputation
‎Apr 19 2019 2:34 AM
‎Apr 19 2019 2:34 AM

We only had issues with a couple of sites with direct connections between MX devices.

However we don't want any problems so we have moved to the current recommended (indirect) connection between MX pairs.

0 Kudos
In response to PhilipDAth
Aaron_Wilson
A model citizen
‎Apr 19 2019 3:38 AM
‎Apr 19 2019 3:38 AM

That makes a little more sense @PhilipDAth - I have had zero issues with direct connect, but was going to change with some new installs/upgrades since so many people spoke against it. But, I am not trunking multiple vlans across it.

 

Second question - am I blind or is there no design guide/recommendation for single-arm concentrator, warm spare, without direct connect?

0 Kudos
In response to Aaron_Wilson
NolanHerring
Kind of a big deal
‎Apr 19 2019 7:25 AM
‎Apr 19 2019 7:25 AM

@Aaron_Wilson wrote:

 

Second question - am I blind or is there no design guide/recommendation for single-arm concentrator, warm spare, without direct connect?

In this link here:

 

https://documentation.meraki.com/MX/Deployment_Guides/MX_Warm_Spare_-_High_Availability_Pair

 

VPN Concentrator Warm Spare

Connecting the MXes in a “One-Armed” VPN Concentrator Pair 

Before deploying MXs as one-arm VPN concentrators, place them into Passthrough or VPN Concentrator mode on the Addressing and VLANs page. In one-armed VPN concentrator mode, the units in the pair are connected to the network only via their respective Internet ports. Make sure they are not connected directly via their LAN ports. They must be within the same IP subnet and able to communicate with each other, as well as with the Cisco Meraki Dashboard. Only VPN traffic is routed to the MX, and both ingress and egress packets are sent through the same interface.

Nolan Herring | nolanwifi.com
TwitterLinkedIn
0 Kudos
In response to NolanHerring
Aaron_Wilson
A model citizen
‎Apr 19 2019 7:55 AM
‎Apr 19 2019 7:55 AM

I saw that statement, but they don't have a drawing for it. All the drawings are for dual-arm. Internet port to upstream uplinks, then a LAN port to west switch and a LAN port to east switch on each MX. If west switch fails, west MX is still primary but via link(s) to east switch.

 

Now, applying same logic to single arm. Meraki is using single arm for both LAN and WAN, so west Meraki to west switch and east Meraki to east switch. What about Internet 2, can you not do typical fully connected? That means if any one part of the west side fails then east side Meraki is now primary?

 

This was what I was thinking of for single arm fully connected (proposed in red):

 

singlearm.JPG

0 Kudos
In response to Aaron_Wilson
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Apr 19 2019 12:33 PM
‎Apr 19 2019 12:33 PM

The red lines would work, but I wouldn't use that approach as it creates a layer 2 loop, and you are relying on spanning tree holding a port down.

0 Kudos
In response to PhilipDAth
Aaron_Wilson
A model citizen
‎Apr 19 2019 12:54 PM
‎Apr 19 2019 12:54 PM

Ok, so single arm is really meant not to fully connected like a dual arm scenario then. Thx for the feedback 🙂
0 Kudos
superfly
Getting noticed
‎Apr 19 2019 9:40 PM
‎Apr 19 2019 9:40 PM

I just spent a bit of time testing this (see my thread) and found that if both MX's are connected to a L2 switch, then when you direct connect them as well, there is a loop and the client connected to the switch is no longer able to access anything.

 

If you only have 2 MX's and are directly connecting your client into them, then you will need to direct connect them for VRRP to work. Otherwise you end up with 2 Masters which is apparently not good.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.