Meraki

Community

Best switch topology setup for new switches?

cpuchips42
New here
‎Nov 9 2023 11:49 AM
‎Nov 9 2023 11:49 AM

Best switch topology setup for new switches?

Hi all we we ordered 6 new MS250-48P Meraki switches. We already paid for them and just planning out how best to set them up given our existing firewall setup.

 

To give a bit of background I work for a small non-profit with 1 office who does not have the biggest budget but enough so we can get something like these switches. Our server room consists of 1 rack for networking. We use 2 HA firewalls for our routing of traffic and VLAN creation so the majority of heavy lifting is done by our firewall. We currently have and are replacing a Cisco Catalyst 4500 series which has 6 blades  (thus the 6 switches) which was used an as access layer switch besides only 1 port feeding into our firewall for the uplink. We dont plan to have another ISP for redundancy and are a hybrid wfh office so if we did lose internet in the building everyone can go home until we can swap out the switch for another.

Given that background I wanted to know what your thoughts are on setup of these new switches. Ideally any potential for redundancy without a significant cost increase would be great. Below is a rough topology of what I was thinking with a daisy chain layout. Not sure if that would be best though given if one switch goes down, the others don't get traffic. 

 

draft-topology.jpg

 

 This is my first time swapping out networking switches and networking gear of any kind so I want to make sure this is setup properly. If you have any suggestions and something that is totally wrong please let me know. Thanks!

Labels:
0 Kudos
7 Replies 7
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Nov 9 2023 12:01 PM
‎Nov 9 2023 12:01 PM

That is a nice simple option and should be easy for you to maintain.

Brash
Kind of a big deal
Kind of a big deal
‎Nov 9 2023 12:14 PM
‎Nov 9 2023 12:14 PM

Looks good. The only changes I'd consider are:

  • Separating the access switches into 2 groups of 3 (or 3 groups of 2). This reduces the dependency on the single switch with an uplink to the firewall, and reduces the number of hops for clients on switch 1.
  • Looking at stacking the switches rather than daisy chaining with front facing ports. This will require purchasing 6 stack cables so it will depend on whether your budget allows.
In response to Brash
cpuchips42
New here
‎Nov 9 2023 1:08 PM
‎Nov 9 2023 1:08 PM

That is one thing I was wondering if it would be beneficial to stack instead of daisy chaining. I do not like that if lets say switch 4 goes down then switch 1-3 wont get traffic. Will physical stacking allow for this safeguard?

0 Kudos
In response to cpuchips42
Brash
Kind of a big deal
Kind of a big deal
‎Nov 9 2023 1:18 PM
‎Nov 9 2023 1:18 PM

Physical stacking is in a ring topology - each switch is connected to the switch before it and the switch after it, so a single switch going down won't isolate others.

The stacking cables also do 40G so you shouldn't hit any port bandwidth or buffer blocking that you might hit with the daisy chain.

And should you firewall support it, you have the option to do port channels between separate switches on the stack and the firewall for link level redundancy.

0 Kudos
In response to Brash
BlakeRichardson
Kind of a big deal
Kind of a big deal
‎Nov 9 2023 6:43 PM
‎Nov 9 2023 6:43 PM

Yes I would stack instead of daisy chaining as Brash suggested. You could also look at link aggregation as well to improve redundancy. 

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
0 Kudos
rdominguez
Meraki Employee
Meraki Employee
‎Nov 10 2023 5:31 PM
‎Nov 10 2023 5:31 PM

Hello @cpuchips42, In addition to the suggestions posted here, Meraki does have some documentation on Large Campus Switching Best Practices. Although it may not be a 1:1 (in terms of a large deployment) for what you are trying to accomplish here, it may be able to provide some valuable information for you to review. 

https://documentation.meraki.com/Architectures_and_Best_Practices/Cisco_Meraki_Best_Practice_Design/...

K2_Josh
Building a reputation
‎Nov 12 2023 1:36 PM
‎Nov 12 2023 1:36 PM

In terms of redundancy, you would be covered by the switch stacking if one switch or link failed. You can test this after installation to make sure it works. I strongly advise against daisy chaining or otherwise connecting the switches together in any other method. Regarding stacking cables, you'll probably need (5) 50 cm and (1) 1m cable, dependent on switch placement. 
https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Small-Form_Factor_Plu...

I would also find out if the firewalls used support link aggregation (LACP) and if you want to use this as an opportunity to use that feature (this is a huge PITA with Cisco ASA). If you implement link aggregation within your maintenance window, Meraki best practice is to connect ports in a link aggregation bundle to equidistant switches in the stacking topology: e.g. connecting the firewalls to switch 3 & 6. This is to reduce the number of hops and overall traffic on stacking cables. Not necessary, but better practice. Although, I would also consider connecting the standby firewall to different switches, so active firewall would go to switch 3 & 6, and the backup firewall would go to switch 2 & 5.

 

WRT using Meraki switches to distribute an ISP circuit to HA firewalls, this works perfectly (in a separate VLAN). However, in practice, this results in confusing reporting in the Meraki dashboard as the uplink port will show as a client that has the highest bandwidth usage. So, I marked the port and the client (identified by the ISP router's MAC address) accordingly (and added detailed circuit notes).  Unless this is fixed in the dashboard, I would prefer in the future to budget for a separate switch for this purpose, but this also seems excessive for a non-profit unless there was an extra switch available. If it were a Meraki switch, I'd set it up in a separate network. It would be great if one could exclude a client from being tracked on usage (or not show up in the clients list) based on its MAC address or connected port, w/ or w/o Dynamic ARP inspection being enabled (it happens to disabled for me in this case).


Putting that dashboard issue aside, I would consider using a different switch for the ISP uplink that isn't used to connect to the firewalls. This would help distribute the use of SFP+ ports on the MS250 switches. And it could make troubleshooting easier, especially if you're not on-site.

BTW, there is a free course on MS switch uplinks, but it doesn't cover connections to ISPs for HA firewalls.
https://learning.meraki.net/#/online-courses/9d5e7787-b409-4b9d-bd99-b2b75d1bca71

 

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.