I'm kind of a rookie too ;)
This setup was done by someone else (3 years ago) and nobody tested it until I came to this company. From my point of view it is kind of overkill tbh and doesn't really make sense in the company I work for now. It is what it is and there's no budget to change it in the near future ;)
Here the switches are needed so the CPE modems can exchange VRRP packets over L2 and decide which one is the master and holds the virtual MAC address with the "main public IP address", which is then configured as the gateway on the Meraki firewall's WAN ports.
Anyway, I have seen and configured similar solutions with WAN switches in front in places where you, for example, distribute internet connectivity. Let's say you have one ISP and a /27 subnet of public IP addresses. You connect the ISP modem into your switch, keep all ports in PVID 1 and done. You can connect your customers' firewalls into your WAN switch and lend them one of your public IP addresses to be assigned on their firewalls.
------------------------------
Marcel Staniaszek
------------------------------
Original Message:
Sent: 01-04-2023 10:29 AM
From: Ethan Kozak
Subject: 2x 1930 as WAN switches - failover issue
I'm curious and perplexed; why do you have switches in front of your MX Router/Firewalls?
Perhaps I'm just a rookie and haven't seen this config before, but tossing web-managed Layer2 switches in front of your Firewalls seems nonsensical to me. I'd love to know why this was done.
------------------------------
Ethan
Original Message:
Sent: 12-28-2022 05:26 AM
From: Marcel Staniaszek
Subject: 2x 1930 as WAN switches - failover issue
Hi Guys,
I need some help/advice in figuring out why a WAN failover setup done by someone else is not working.
- 2x CPE modems, I don't have access to them unfortunately but got config description from ISP.
- 2x 1930 Aruba Instant-ON switches as WAN switches
- 2x Meraki MX firewalls in warm spare config
When I simulate a CPE modem or WAN switch failure I lose internet connectivity.
The CPEs are configured in one VRRP group and they should see each other over my WAN switches. They're sharing a virtual MAC & IP address which should be assigned to only one (master) CPE modem. ISP support claims that there is an issue with that and both modems claim to be "masters". All ports used in connectivity between the CPEs, WAN switches & firewalls are access ports with default VLAN 1 untagged. Also weird is that the currently working WAN switch is at 100% CPU all the time... My only idea is that maybe something is wrong with STP/loop protection on my WAN switches? Any ideas? How should this kind of setup be configured?
------------------------------
Marcel Staniaszek
------------------------------
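The "both modems claim to be master" symptom in the original post can be confirmed from a packet capture on the WAN switch: only the master of a VRID sends advertisements, so seeing the same VRID advertised from two different source IPs means the two CPEs are not hearing each other over L2. The following is an added example (not from the thread or from Aruba/Meraki) that builds and parses RFC 3768 VRRPv2 advertisements and flags VRIDs with more than one advertising router; the VRIDs, addresses and frames are constructed sample data.

```python
import struct
import ipaddress
from collections import defaultdict

def _checksum(data: bytes) -> int:
    # Standard Internet ones-complement checksum over the whole VRRP message.
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_vrrp_v2(vrid: int, priority: int, vips: list[str], adver_int: int = 1) -> bytes:
    # RFC 3768 advertisement: version 2, type 1, auth type 0 plus 8 zero auth bytes.
    addrs = b"".join(ipaddress.IPv4Address(ip).packed for ip in vips)
    hdr = struct.pack("!BBBBBBH", (2 << 4) | 1, vrid, priority, len(vips), 0, adver_int, 0)
    msg = hdr + addrs + bytes(8)
    return msg[:6] + struct.pack("!H", _checksum(msg)) + msg[8:]

def parse_vrrp_v2(payload: bytes) -> dict:
    # payload = the bytes that follow the IP header (IP protocol 112).
    ver_type, vrid, priority, count, _auth, adver_int, _csum = struct.unpack("!BBBBBBH", payload[:8])
    if ver_type >> 4 != 2 or ver_type & 0x0F != 1:
        raise ValueError("not a VRRPv2 advertisement")
    if _checksum(payload) != 0:
        raise ValueError("bad VRRP checksum")
    vips = [str(ipaddress.IPv4Address(payload[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    return {"vrid": vrid, "priority": priority, "adver_int": adver_int, "vips": vips}

def find_dual_masters(frames: list[tuple[str, bytes]]) -> dict[int, set[str]]:
    """frames: (source IP of the advertising router, VRRP payload) from one capture window.
    Two different source IPs advertising the same VRID with non-zero priority means two
    routers both believe they are master. Priority 0 is a master giving up the role."""
    masters = defaultdict(set)
    for src_ip, payload in frames:
        adv = parse_vrrp_v2(payload)
        if adv["priority"] != 0:
            masters[adv["vrid"]].add(src_ip)
    return {vrid: ips for vrid, ips in masters.items() if len(ips) > 1}

# Constructed sample: VRID 10 is advertised by both CPE primary IPs (dual master),
# VRID 20 is advertised by a single router (healthy).
SAMPLE_FRAMES = [
    ("203.0.113.2", build_vrrp_v2(10, 110, ["203.0.113.1"])),
    ("203.0.113.3", build_vrrp_v2(10, 100, ["203.0.113.1"])),
    ("203.0.113.2", build_vrrp_v2(10, 110, ["203.0.113.1"])),
    ("198.51.100.2", build_vrrp_v2(20, 100, ["198.51.100.1"])),
]

if __name__ == "__main__":
    print(find_dual_masters(SAMPLE_FRAMES))  # {10: {'203.0.113.2', '203.0.113.3'}}
```

On a real capture, feed the function the source IP and protocol-112 payload of each frame seen on the ports facing the CPEs; a healthy group shows exactly one source per VRID.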