Dual WAN setup in Meraki MS Switches

AdamSmith

Hi all,

I'm new to Meraki and this setup was done before I joined the company.

In our office, we originally had one ISP with a static IP.

It is connected to port 44 on Meraki 01 with VLAN 500, then from port 47, also with VLAN 500, to the WAN interface of Forti 01 (no VLAN configured). Finally it goes up to port 48 on Meraki 01, and clients are connected to the Meraki switch stack with VLAN 100. The IP was set on the WAN interface of Forti 01, and the gateway is set in the static route section of the FortiGate as well.

The red line shows the current path from ISP to client:

(Image: network diagram, AdamSmith_4-1724234720476.png)

It has been working fine; clients get DHCP IPs from the Meraki switches and can access the internet.

But now we have a secondary ISP with a so-called "long-leased" DHCP IP as a backup link. When set up following the same configuration as the old ISP, we cannot get it to work.

The problem is that when I set LAN3 on the FortiGate to DHCP, it gets the correct IP, but the Meraki also acquires this public IP as its "LAN IP", and then the Meraki stack loses internet connectivity.

(Image: screenshot, AdamSmith_2-1724234035521.png)

But when I manually set the acquired IP on LAN3 in the FortiGate, it cannot connect to the internet at all, so I must use DHCP for this interface.

Also, for whatever reason, Meraki 02 is currently the active switch, with port 48 showing "uplink".

Will this affect the connection? When I tried to fail over from FortiGate 02 (current primary) to 01, I lost the internet connection as well.

I think that in the ideal case both 01 units should be the primary.

Can anyone who has had a similar setup share their experience?

Thanks in advance!!

3 Replies
PhilipDAth
Kind of a big deal

If it is DHCP, so you get a single IP address, why not plug it directly into the FortiGate?

What have you got the switches configured to use as their management VLAN and IP address? Most likely, whatever this is, they cannot connect to the Meraki Cloud using that configuration and are reverting to using DHCP. Probably they used DHCP from something internal, and now there is another DHCP server to choose from.

We connect it to the switch because we want some sort of redundancy, so that we can tolerate one Forti being down.

For now I can see that the switches get their management IP by DHCP from FortiGate LAN2, and are using native VLAN 1. Can we assign IPs to them statically to prevent the change? But from what I googled, it seems that Meraki switches will ignore the manual setting and try everything to connect to the cloud, so they will get the leased IP from the new ISP anyway.

GIdenJoe
Kind of a big deal

You have to make sure your switches have a management VLAN set, so you can always be sure they will primarily try to get an address on the mgmt VLAN behind the FortiGate.

When that fails for any reason, the switches will attempt DHCP on any VLAN, which can include VLAN 501. If they go online that way, everything should still work, though your switches would be in a different VLAN. If there is something on the second ISP blocking access to the dashboard then yes, the switches would fail to connect, but traffic should still be forwarded.

Also, since you have a stack, why don't you create aggregates on your FortiGates?
It is also best practice not to cross an ISP over two stack members. So you can either keep both the VLAN 500 and VLAN 501 ports (there should be six in total) on your left switch, or have VLAN 500 on switch 1 and VLAN 501 on switch 2. Then if one switch goes down you don't lose both your ISPs.

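An added example (not code from this thread, from Meraki, or from any of the posters) of what the two replies above point at: pinning each switch's management interface to a static address on a dedicated management VLAN behind the FortiGate, using the Dashboard API call PUT /devices/{serial}/managementInterface. The management subnet, VLAN ID, switch serials, DNS address and the MERAKI_DASHBOARD_API_KEY variable are assumptions made up for illustration. The mgmt_ip_is_foreign helper is a quick check for the symptom in the opening post, a switch whose reported LAN IP lies outside the management subnet:

```python
"""Pin each MS switch in the stack to a static management IP on a dedicated
management VLAN through the Meraki Dashboard API.

Added example, not code from the thread. The endpoint
PUT /devices/{serial}/managementInterface and its wan1 fields are the
documented Dashboard API; everything else below is an assumption made up for
the example: management VLAN 10 on 10.10.10.0/24 behind the FortiGate,
serials Q2XX-XXXX-0001/0002, and an API key in MERAKI_DASHBOARD_API_KEY.
"""
import ipaddress
import json
import os
import sys
import urllib.request

BASE_URL = "https://api.meraki.com/api/v1"

# Constructed sample values (hypothetical; substitute your own).
MGMT_NETWORK = "10.10.10.0/24"
MGMT_GATEWAY = "10.10.10.1"          # FortiGate address on the mgmt VLAN
MGMT_VLAN = 10
MGMT_DNS = ["10.10.10.1"]            # resolver reachable behind the FortiGate
STACK = {
    "Q2XX-XXXX-0001": "10.10.10.11",  # Meraki 01 (hypothetical serial)
    "Q2XX-XXXX-0002": "10.10.10.12",  # Meraki 02 (hypothetical serial)
}


def build_static_mgmt_payload(ip, gateway, network, dns, vlan):
    """Return the request body for PUT /devices/{serial}/managementInterface.

    The checks keep a typo from pushing a switch onto an address the
    dashboard session cannot use: address and gateway must be usable hosts
    inside the management subnet and the VLAN ID must be legal.
    """
    net = ipaddress.ip_network(network, strict=True)
    addr = ipaddress.ip_address(ip)
    gw = ipaddress.ip_address(gateway)
    for candidate in (addr, gw):
        if candidate not in net or candidate in (net.network_address, net.broadcast_address):
            raise ValueError(f"{candidate} is not a usable host in {network}")
    if addr == gw:
        raise ValueError("switch address and gateway must differ")
    if not 1 <= int(vlan) <= 4094:
        raise ValueError(f"invalid VLAN id {vlan}")
    return {
        "wan1": {
            "usingStaticIp": True,
            "staticIp": str(addr),
            "staticGatewayIp": str(gw),
            "staticSubnetMask": str(net.netmask),
            "staticDns": [str(ipaddress.ip_address(d)) for d in dns],
            "vlan": int(vlan),
        }
    }


def mgmt_ip_is_foreign(reported_ip, network=MGMT_NETWORK):
    """True when the LAN IP the dashboard reports for a switch lies outside
    the intended management subnet, which is the symptom in the thread (a
    public address leased from the secondary ISP instead of the FortiGate)."""
    return ipaddress.ip_address(reported_ip) not in ipaddress.ip_network(network)


def apply_static_mgmt(api_key, serial, payload):
    """PUT the management interface settings for one device and return the
    settings the dashboard now holds for it."""
    req = urllib.request.Request(
        f"{BASE_URL}/devices/{serial}/managementInterface",
        data=json.dumps(payload).encode(),
        method="PUT",
        headers={
            "Authorization": f"Bearer {api_key}",
            "Content-Type": "application/json",
            "Accept": "application/json",
        },
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def main():
    api_key = os.environ.get("MERAKI_DASHBOARD_API_KEY")
    if not api_key:
        sys.exit("set MERAKI_DASHBOARD_API_KEY first")
    for serial, ip in STACK.items():
        payload = build_static_mgmt_payload(ip, MGMT_GATEWAY, MGMT_NETWORK, MGMT_DNS, MGMT_VLAN)
        result = apply_static_mgmt(api_key, serial, payload)
        print(serial, json.dumps(result.get("wan1"), indent=2))


if __name__ == "__main__":
    main()
```

The validation only proves the numbers are self-consistent; it cannot tell you whether the management VLAN is actually carried on the switch uplinks and terminated on the FortiGate. Check that before pushing, because a switch that cannot reach the dashboard with its configured settings falls back to DHCP on any VLAN, as described in the reply above, which is exactly how the public lease from the second ISP ended up on the stack.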