- The MX HA pairs are always active-passive. There is no active-active option. You would need a second set of MXes and good L3 switch routing to be able to achieve this.
- If you are terminating your VLANs on the L3 switches and they are not Meraki switches, then you will have to create the VLANs there and have an uplink VLAN that exists between the L3 switches and the MX pair. If they are Meraki L3 switches, then you have to create the VLANs in the routing and DHCP page in the switch section of the dashboard. You will also have a VLAN on the MX pair that leads to the L3 switches and static routes leading to the VLANs via the next hop (L3 switches). Because you cannot do ECMP (= multiple times the same route with a different next hop), you will need your L3 switches to be one logical unit (stack).
- In smaller networks you could choose not to route on your L3 switches and just terminate all VLANs on the MX, which simplifies a lot but makes it so that the MX routes all inter-VLAN traffic too, which can cause a larger load on the MXes. So this can only be done if your network only has one distribution block and you expect the majority of traffic to be north-south (from VLANs to internet and back), not too much east-west (between VLANs).
- The last point explains your final question a bit: You can choose to route on your L3 switches between your VLANs so you have line-rate forwarding between VLANs but less deep-grained control between your VLANs. Or you can choose to route on your MX, where you are limited to the forwarding speed of the MX model for all your traffic (north-south + east-west) but you have better firewall controls and the advantage of stateful rules.

Edit: I forgot to add the info about the virtual IPs. So you can only use a virtual IP if the ISP router allows fixed IPs in those segments. The virtual IP has to be defined for both WAN interfaces if you use 2 ISPs and has to be a different IP than the physical IPs on both active and spare units.