Internet/WAN to MX HA pair best practices

SKSVFD
Here to help

I'm fairly new to Meraki and my networking is a little rusty. Here's my scenario I could use some help with:

 

I have a Comcast fiber connection with a connection to the internet and a connection to the WAN. I also have two MX100s that are going to be configured in an HA pair. I've got the internet connection going to port 1 on the MX, and the WAN connection going to port 3. For HA to work right I'll need the same internet connection going to port 1 on the spare MX and the WAN connection going to port 3 on the spare MX, right?

 

At this point getting another Comcast router and connection is not in the budget so how do I "split" the two connections from the Comcast to get a pair to each MX? My first thought was a couple of 5 port gig switches. 1 switch for the internet connection, 1 switch for the WAN connection, but those wouldn't be manageable and if one goes down I won't have the alerting that I do with the Meraki equipment. 

 

I do have an 8-port Meraki switch (MS220) that I could also use, but this gives me a single point of failure, and I find it silly to add one device that could fail in order to connect a pair of MXs and get failover there.

 

I spoke with my Comcast rep to see if they could activate 2 of the SFP ports on the Ciena to mirror the other ports and she almost seemed offended that I was asking for free service, which I wasn't. 

 

So, what's the best option? I'm currently leaning towards plugging our Comcast cable connection into port 2 on both, then if the MX dies I'll just go into the server room and unplug everything from MX A and plug it into MX B...

 

Scott

PhilipDAth
Kind of a big deal

How does Comcast present their connection?  PPPoE?  Static routed range?  DHCP?

I've got static connections with a block of IP addresses. 

Hi @PhilipDAth ,

 

At hybrid locations where we have HA Meraki devices, if we keep one of the links as broadband, it is a PPPoE connection and they only give a single public IP address. In such cases, we won't get a /29 public IP address pool for seamless failover tracking. Does that make it difficult for us to use broadband at small locations, which is a cost-effective option?

 

Thank you. 

 

 

keval parsaniya
PhilipDAth
Kind of a big deal

If it is a small location - do you need to use dual MXs?  What about using a small MX with the PPPoE going straight into it?

Yes, we have many other plants where the ISP is refusing to give a /29 public IP pool. In that situation, what would the topology be for connecting PPPoE internet lines to dual MXs?

keval parsaniya
PhilipDAth
Kind of a big deal

If you don't have inbound NAT, you could instead plug the two MXs into an ISP router.

 

My preference - get an MG21, and plug the Internet2 ports on the two MX into the MG21.  Then you have real HA.  🙂

DCooper
Meraki Alumni (Retired)

At the very minimum you're going to need two IP addresses to get this to work on both Comcast and your WAN. Do you have this? If you can get additional IPs, I would recommend getting an additional two per connection. Your cabling is also incorrect, but without the IPs there is no reason to cable this up. If you can get the IPs, it would be best to put a switch between Comcast/WAN and the two MXs.

 

If you cannot get this, you're going to be stuck with a manual failover. Let us know and we can help with the diagram of what it would look like either way.

Thank you for the response. We do have a block of static IP addresses. My concern with putting the switch in between the Ciena and the MXs is that I now have another device to manage and still a single point of failure after the Ciena. I only see that as being a real benefit for doing firmware upgrades on the MX to reduce downtime.

 

I've been told that the Ciena can be configured with a virtual IP over 2 ports, or a failover between 2 ports, but that Comcast doesn't like to program them to do that; they would rather sell you a complete other connection.

 

At this point I am leaning towards the manual failover as I work right next to the server closet, and only live a couple miles away so I could perform a manual failover pretty quickly. We are a fire department with a lot of backup manual processes available. If the network were to ever go down we'd still be able to roll out our equipment. 

 

Scott

PhilipDAth
Kind of a big deal

I would either use a small switch and plug your Internet circuit and two MXs into it, or use a VLAN on an existing switch.  At least you'll have automated failover if the MX has an issue.

 

Yes it is an additional point of failure, but unless you invest in dual Internet circuits that is always going to be an issue.

 

You could also consider getting a cheap consumer grade Internet circuit for a backup - but note this will only protect outbound web browsing.

MRCUR
Kind of a big deal

Given your current Comcast handoff setup, you'd need to put a switch in front of the MXen as mentioned by @PhilipDAth. I don't think you'll ever talk Comcast into setting up a second port on the Ciena in the same VLAN as your current handoff port. I've never seen them do this and they're particular about standardization on EDI handoffs. 

 

If you do put a switch in front of the MXen, you will need a /29 handoff from Comcast so each MX can have an IP and you can have a third IP to act as the WAN VIP. This is also something I've never seen Comcast do for EDI...

MRCUR | CMNO #12
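The replies above boil down to an address count: a shared WAN segment needs one address for the ISP gateway, one per MX, and one for the warm-spare VIP, so a /29 works and a single PPPoE address or a /30 does not. The following Python script is an added example, not code from this thread or from Meraki: it checks whether an ISP prefix can hold all four roles, hands out addresses in that order, and validates a hand-built assignment. It assumes the ISP gateway sits on the first usable address (adjust `GATEWAY_INDEX` if your circuit paperwork says otherwise); the prefixes used in the tests are RFC 5737 documentation ranges constructed for illustration.

```python
"""Address planning for an MX warm-spare pair behind one shared ISP handoff.

Added example (not from the thread): checks whether a public prefix from
the ISP is large enough to give each MX its own WAN IP plus a shared VIP,
and reports a manual-failover fallback when it is not.
"""
import ipaddress

# Every role below needs its own address on the shared WAN segment.
# Assumption: the ISP router answers on the first usable address; change
# GATEWAY_INDEX if the circuit paperwork puts the gateway elsewhere.
REQUIRED_ROLES = ("isp_gateway", "mx_primary", "mx_spare", "wan_vip")
GATEWAY_INDEX = 0


def usable_addresses(net: ipaddress.IPv4Network) -> list:
    """Return the addresses a host can actually use on this prefix.

    /31 and /32 are point-to-point or single-address handoffs (typical of
    PPPoE), so every address in them is usable; anything larger loses the
    network and broadcast addresses.
    """
    if net.prefixlen >= 31:
        return list(net)
    return list(net.hosts())


def plan_wan_addresses(prefix: str) -> dict:
    """Allocate gateway, primary MX, spare MX and VIP from an ISP prefix.

    When the prefix cannot hold all four roles the plan degrades to
    'manual-failover', which is the situation the thread describes for a
    single-IP broadband link.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version != 4:
        raise ValueError("this example covers IPv4 handoffs only")
    usable = usable_addresses(net)
    plan = {"prefix": str(net), "usable": len(usable)}
    if len(usable) < len(REQUIRED_ROLES):
        plan["mode"] = "manual-failover"
        plan["shortfall"] = len(REQUIRED_ROLES) - len(usable)
        return plan
    pool = [str(a) for a in usable]
    plan["mode"] = "warm-spare"
    plan["isp_gateway"] = pool.pop(GATEWAY_INDEX)
    for role in REQUIRED_ROLES[1:]:
        plan[role] = pool.pop(0)
    # Whatever is left is free for 1:1 NAT or port-forwarding entries.
    plan["spare_for_nat"] = pool
    return plan


def validate_ha_addresses(prefix, gateway, primary, spare, vip) -> list:
    """Return a list of problems with a hand-built HA address assignment.

    An empty list means the assignment is consistent: all four addresses
    are distinct, inside the prefix, and not the network/broadcast address.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    usable = set(usable_addresses(net))
    given = {"isp_gateway": gateway, "mx_primary": primary,
             "mx_spare": spare, "wan_vip": vip}
    problems = []
    seen = {}
    for role, text in given.items():
        addr = ipaddress.ip_address(text)
        if addr not in usable:
            problems.append(f"{role} {text} is not a usable address in {net}")
        if addr in seen:
            problems.append(f"{role} and {seen[addr]} both use {text}")
        seen[addr] = role
    return problems


if __name__ == "__main__":
    # Constructed inputs: a /29 that works, a /30 and a PPPoE /32 that do not.
    for p in ("203.0.113.8/29", "203.0.113.0/30", "198.51.100.7/32"):
        print(plan_wan_addresses(p))
    print(validate_ha_addresses("203.0.113.8/29", "203.0.113.9",
                                "203.0.113.10", "203.0.113.10",
                                "203.0.113.15"))
```

The VIP is what the ISP's static route or default gateway should see traffic from, so it must never collide with the gateway or sit on the broadcast address; `validate_ha_addresses` catches both, which are the two mistakes most likely to leave the spare MX unreachable after a failover.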