@Aaron_Wilson I think if you are talking about singular failovers, then yeah, there could be some convergence times.  However, we run redundant everything.     There are 2 edge routers connected to a different MPLS each.  Those are running eBGP through the MPLS to the peers in our data center and to 1 of our call centers that acts as a backup for our current Cisco telephony system.  They are also peering with each other for link state information.  Those connect to 2 core routers, which for the most part, are running EIGRP and those are peered with each other.  There are 2 WAN encryption routers that connect to the core.  Those build tunnels from the office to the data center and the call center that has the backup telephony system.  Those are using iBGP for the tunnel formation and also peer with each other for link state information.     There is also a pair of firewalls in there for edge security.   That creates an A and a B path.  A is preferred from a routing perspective.    There is a total of 6 Cisco routers that are used in that deployment.  What I was hoping to do is remove a lot of the complexity by reducing the functionality to a pair of MX250s or MX450s.  Simply replace the core routers, WAN encryption routers and firewalls with those MX appliances with the security bundle enabled on them.     That does bring up a different question.     Can the MXs be configured in a traditional HSRP configuration like what one may configure with a pair of Cisco 6500 core switches.  Basically, can a virtual default gateway be configured between a pair of MXs not in HA for each VLAN?     If I can get around the HA (warm spare) failover timers, then this may be again be an option.   CC: @PhilipDAth    ... View more

@PhilipDAth I understand the likelihood of an HA failover happening is quite small, but as @Aaron_Wilson mentioned, I have been in similar situations.  In a previous life, we had redundant ACS servers managing wireless authentication.  We lost 1 due to a hardware failure and it had NBD RMA.  About 6 hours later we lost the 2nd to a hardware failure and had to have Cisco expedite us an appliance because the other RMA on the previous one would not happen until the next day.     While unlikely, it does happen.   In our case, at our peak time of the year, we are taking 300 - 500 concurrent phone calls in a single call center.  If an HA failover happens, we would drop that many calls which could turn out to be a loss of around $100,000 in that 30 seconds.   ... View more

Thanks @PhilipDAth.  In our situation, even a 30 second call outage that could potentially cause dropped and missed calls is something out sales team cannot live with.    I have read a lot about VRRP, HA, etc., and suspected that there would be issues, but I needed a second opinion.   ... View more

Another idea we have been discussing is spinning up a Cisco CSR1000v inside the same VPC and BGP peering off of that.     I was looking for more of an AWS native solution instead of adding virtual routers into the mix.  I saw that AWS has BGP for Direct Connects, but haven't found any other document that states where else in AWS BGP is supported. ... View more

Hi Philip,   I was hoping you would show up here.     This is not a saved configuration, but when I set this vMX to Hub, I have the option to enable and configure BGP.  I have not saved this to know if it will take.  I will be doing that in a change window tonight.     My plan was to keep this as simple as possible.  I read your article about HA and the use of Lambda script.  We are opting to do this as if they are 2 different hubs.  They are both in the same AWS VPC, but in 2 different AZs.  The idea is to configure the MX and Z3 to have both hubs listed like a primary and standby hub.  We do that today with MX100s in 2 different data centers.   ... View more

Thanks for the reply UCcert.  I just sent am email to my account manager requesting the assistance of an SE.   ... View more

Meraki Support hasn't been much help either.  All they have done is directed me to the BGP configuration guide.   https://documentation.meraki.com/MX/Networks_and_Routing/BGP   The AWS deployment guide also does not contain information about routing other than adding the AutoVPN subnets to the VPC route table.  That appears to be more of a static routing configuration.   https://documentation.meraki.com/MX/MX_Installation_Guides/vMX_Setup_Guide_for_Amazon_Web_Services_(AWS)   The issue with that is we are in a transition between physical data centers and cloud.  I need the subnets that are used by our office or Z3s to be advertised from the MX or vMX that they are connected to.  Adding a blanket static route to a VPC would seem to break dynamic routing. ... View more

Here is some additional information.  We ran the external connectivity test from Orion and to shows that https://dashboard.meraki.com is reachable.     ... View more

Aaron,   Below is a link to Meraki's documentation for MX Warm Spare - High Availability.   https://documentation.meraki.com/MX/Deployment_Guides/MX_Warm_Spare_-_High_Availability_Pair   The document contains 2 different diagrams, neither of which show a direct link between the MXs.  Also, my configuration uses the MXs in One Armed Concentrator mode for VPN termination.  That only uses the uplinks for connectivity, also noted in that document.   Also, in the following community post the accepted solution notes that when having a connection between the MXs, it can force traffic through the spare as spanning tree my block the port to the primary MX.   https://community.meraki.com/t5/Security-SD-WAN/How-to-cable-MX-amp-MS-for-HA/td-p/22765 ... View more

The thing to remember about a FEX is that it works just like a module in a chassis switch.  When connecting a FEX, the configuration is done on the parent switch.  In your case, you have a FEX connected to 2x 9ks so both 9ks are acting as the parent.  Both 9ks have to have the same identical configuration for the FEX.   The below link discusses configuration sync and Active/Active FEX topologies.  It is specifically for the N5k, but the theory and design should be similar for N9k.   https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/operations/n5k_config_sync_ops.html   Config-sync is how you can synchronize the FEX configuration between the 2 9ks as long as they are running as a vPC pair. ... View more

Is the Uplink port on the MX250 configured with the same VLAN as the access port? If you have a VLAN specified on the Uplink port of the MX250, have you tried with leaving the VLAN field blank?   Edit: I double checked my configuration which is working.  The switch port on the Nexus side is an access port.   interface Ethernet1/XX switchport switchport access vlan XX no shutdown   The uplink port on my MX100 is not configured with a VLAN tag.     I have ran into issues with this before whether to VLAN tag or not.   ... View more

That was the issue I ran into when contacting Meraki support and my Meraki account rep.  There was no documentation for connecting Meraki to Nexus running vPC.     Since this thread has been solved, I would recommend starting a different thread as I believe the solution your your issue will be different. ... View more

I was able to implement this and it works.  I did not need to create a separate VLAN.  We had an existing VLAN that had an SVI on the upstream VPC Nexus switches.  That VLAN also has the interfaces used by the routers that I am eBGP peering with along with the interfaces to the firewall where Internet traffic flows.   While I was not able to get a validated design from either Cisco or Meraki support, I do have it working in our environment. ... View more

I will find out tomorrow after we get it racked and powered on in our data center. ... View more