Redundant Firewalls in an inter vlan routing configuration

B2BMan
New here
I have a stacked pair of MS225 Meraki switches configured with inter-vlan routing and I need to add a redundant pair of Firewalls. I only have a single default gateway of course. Can this be solved via some sort of Meraki connectivity configuration?

3 Replies

alemabrahao
Kind of a big deal

You can use a private IP on each WAN, if you can do NAT.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
GreenMan
Meraki Employee

Your redundant firewall setup would need to involve provision of a virtual IP & MAC address operation, which either unit can adopt when it's the 'master' firewall. You configure the default route on your routing MS225 to use that virtual IP as the next hop. Meraki MX appliances can do this, for example, working in warm spare mode:
https://documentation.meraki.com/MX/Deployment_Guides/MX_Warm_Spare_-_High_Availability_Pair

The MX doesn't support Link Aggregation, nor actively participate in Spanning Tree, but does forward BPDUs, so you can create loops for resilience, involving your switching connecting to the MXs, which your STP setup should resolve at the switch end. You'll see sample topologies in that document.

Boomerang94
Meraki Employee

A single default gateway should work fine. Since you are doing routing on the MS225 stack, you will have to configure a static default route pointing towards a single IP address residing on the firewalls. Now if you are adding a redundant pair of firewalls, only one of them will be active/master at any given time, which will be the owner of the IP that the switch stack is using as a gateway. There are some firewall vendors that use the (virtual IP/virtual MAC) in their HA firewall setup (as @GreenMan mentioned), in that case the gateway of the switches will point to the virtual IP that the HA firewall shares.

As long as you have physical connectivity between the stack switches and both HA pair firewalls, STP will do its magic and redundancy will take care of any failover scenarios.
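To illustrate the design the replies above describe, here is an added example (not from the thread or from Meraki) that sanity-checks a transit VLAN between the MS stack and an HA firewall pair and builds the static default route body for the Meraki Dashboard API stack static-route endpoint; every address and the `TransitDesign` helper are constructed assumptions.

```python
"""Sanity-check a routing MS stack's default route towards a firewall HA pair.
The point the thread makes: the next hop must be the shared virtual IP, never one
unit's own address, or failover leaves the stack with a dead gateway.
All addresses here are constructed sample values, not from any real network."""
from dataclasses import dataclass
import ipaddress


@dataclass
class TransitDesign:
    transit: str       # VLAN subnet shared by the MS stack SVI and both firewalls
    switch_svi: str    # MS225 stack SVI address on that VLAN
    fw_primary: str    # per-unit address of the primary firewall
    fw_spare: str      # per-unit address of the spare firewall
    fw_vip: str        # virtual IP adopted by whichever unit is currently master


def validate(d: TransitDesign) -> list[str]:
    """Return a list of design problems; an empty list means the design is consistent."""
    net = ipaddress.ip_network(d.transit, strict=True)
    addrs = {"switch SVI": d.switch_svi, "primary": d.fw_primary,
             "spare": d.fw_spare, "VIP": d.fw_vip}
    problems = []
    for label, a in addrs.items():
        if ipaddress.ip_address(a) not in net:
            problems.append(f"{label} {a} is outside transit subnet {net}")
    if len(set(addrs.values())) != len(addrs):
        problems.append("switch SVI, firewall units and VIP must all be distinct")
    return problems


def check_next_hop(d: TransitDesign, next_hop: str) -> tuple[bool, str]:
    """A default route pointing at a unit address survives only while that unit is master."""
    if next_hop in (d.fw_primary, d.fw_spare):
        return False, f"next hop {next_hop} is a single unit, not the VIP {d.fw_vip}"
    if next_hop != d.fw_vip:
        return False, f"next hop {next_hop} is not the firewall pair's VIP {d.fw_vip}"
    return True, "next hop is the shared VIP; failover needs no route change"


def default_route_payload(d: TransitDesign) -> dict:
    """Request body for POST /networks/{networkId}/switch/stacks/{switchStackId}/routing/staticRoutes."""
    problems = validate(d)
    if problems:
        raise ValueError("; ".join(problems))
    return {"name": "default-via-fw-vip", "subnet": "0.0.0.0/0", "nextHopIp": d.fw_vip}


# Constructed sample: /29 transit VLAN between the stack and the HA pair.
SAMPLE = TransitDesign("192.0.2.0/29", "192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4")
```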
