The problem happened when the stack of MS355-24X2  did a firmware update. We use this stack facing the VM cluster and we also have Azure remote connections involved. When the VM cluster could no longer see the MS355 they went into an error state and once connection came back they couldn't recover and we had to reboot each VM to get it restored and we had to reboot some of the Azure servers. I would think the VM cluster should be able to recover easily from a disconnect but not in this case. Our infrastructure management does not like switch stacks except for the user (Access) stack and thinks we should not have stacks at the core.

Going off your description alone, it sounds like the VMware hosts have networked storage (NFS or iSCSI) which when the switch stack reboots, they lose their connectivity to the datastores and therefore the VM's crash.

If that is the case, you will definitely need to change your design.

You could:

- Separate the switch stack into two separate switches. This will give higher availability for VM's during Meraki firmware upgrades

- Use a separate set of switches for the iSCSI/NFS storage connection. This has the advantage of physically separating the storage traffic from general VM traffic. However although the VM's will now stay up and not crash during an upgrade of the core Meraki switch stack, they will still lose Network connectivity.

Yes, the MSP proposed a design that causes problems firmware updates are applied to a single Meraki switch stack serving an ESXi cluster. 

So you need to buy 1-2 switches for ESXi or re-architect the virtualization solution.

If your MS425s are doing the L3 routing then the MS355s could be separated quite simply, with no need for VRRP or similar.  However if the L3 routing is on the MS355s then you would need that.  You will reduce throughput as only one link will work at once, but to be honest VMware isn't great at using both links unless your guess VMs are on multiple VLANs.

Which switch is doing the L3 routing?

What is the typical and peak bandwidth used for each host?

Does your iSCSI go though the MS355s and if so, could you divert it elsewhere?

When I do these myself, I do one of two options:

• Put the MS355 into separate Meraki networks ("Fabric A" and "Fabric B"), and set their default upgrade windows to different days.  If IP storage is used then this is the only option I use.  Sometimes I'll need to create a separate "server network block" to do this to make sure only layer 2 functionality is required, and then they connect back to the network core.
• Add in a third layer 2 switch (Gigabit is fine) and plug a VMWare NIC into this from each host.  Configure this NIC for failover only.  Then when the main switch stack reboots the VMWare hosts will still be able to see each other and know that they have not failed.  This stops them from freaking and taking the whole cluster down.  When the main network comes back they then will fail back and keep on working fine.

Facing this exact issue as well.  I love meraki don't get me wrong, but if I may just vent a little about this...  Who's brilliant idea was it to make stack switches reboot at the same time and why is it so difficult to make them do a staggered reboot?!  At least give us the option.  Because, they market these things as "For the data center" but then you run into something like this.. (smh).

Our solution is going to be to move away from external storage and switch to a virtualization platform with integrated storage instead.

It's a real shame that we can't have staggered reboots for switch stacks.

It would also be nice if we can disable auto-firmware-updates on critical infrastructure.

---

@Adam_F wrote:

It would also be nice if we can disable auto-firmware-updates on critical infrastructure

---

Technically you can get Meraki to disable it.  Its extremely difficult and requires a very high level of approval by your Meraki SE and you better have a rock solid case as to why you need this disabled at an Org level.  In our case, we have scheduled quarterly downtime to upgrade MS, MR, Etc.  Given that we are a manufacturing company, and our sheer size, having to manage multiple models, hundreds of devices, at hundreds of sites.  The cadence of Meraki's software releases, end of support, etc is what sealed the deal for us.  For multiple years we ended up having to do upgrades outside of our quarterlies, which requires manufacturing downtime (millions of $ worth of production time); and our team was having to push work to handle upgrades, they disabled it for us Org wide.  So now we run X firmware until our maintenance windows, upgrade MS one window, MR's the next, etc.

If you really want to yell at Meraki, go read the firmware upgrade process on MS series.  Its an incredibly stupid design, where things aren't really verified before a stack begins rebooting, with basically only a timer being using to 'be sure' that downstream devices have 'had a chance'.  Without using staged upgrades, its very easy for a complex or large Meraki MS network to have upstream devices reboot well before or during a MS downloading or loading its firmware.

While for years we had near zero problems with firmware, the last few years have been lack luster.