
WAN switches in HA setup issues

rabusiak
Level 1

Hi
Need some help with the HA setup of WAN switches.
The problem is with the CPE modems being unable to exchange VRRP over my WAN switches. According to ISP support:
"In VRRP, usually there is the Master (primary) and backup (secondary). But from configuration status it looks like both of them assume the Master role. (This can be due to the CPEs not being able to see each other and each one is using the virtual MAC Address 0000.5e00.0102)". I've checked on my WAN switches and it looks like RSTP is blocking the port on WAN2 which goes to WAN1.
Need advice on how to modify this setup. Should I perhaps add additional connections from both CPEs to the WAN switches and between the WAN switches, and configure on the corresponding ports a new untagged VLAN just for the CPEs' VRRP purposes? Or should I accept a single point of failure and use just one WAN switch?


Why are there two different native VLANs? One is 201, the other is 2.

Troubleshooting points:
ping from CPE to CPE
ping from CPE to 224.0.0.18 <<- this is the multicast address used by VRRP; this gives us a hint whether any ACL denies this multicast.
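
As an added example (not part of the thread or any poster's own code), the dual-master condition the ISP describes can be confirmed from a capture on a WAN switch port by grouping VRRP advertisements sent to 224.0.0.18 by VRID and listing the distinct source addresses. It assumes untagged Ethernet frames and VRRP over IPv4; the helper names, priorities and 192.0.2.x addresses are constructed stand-ins for the redacted CPE addresses.

```python
import struct
from collections import defaultdict

VRRP_PROTO = 112                      # IP protocol number assigned to VRRP
VRRP_GROUP = bytes([224, 0, 0, 18])   # multicast group named in the thread

def vrid_from_virtual_mac(mac: str) -> int:
    """VRRP IPv4 virtual MAC is 00-00-5E-00-01-{VRID}; accepts Cisco dotted form."""
    raw = bytes.fromhex(mac.replace(".", "").replace(":", "").replace("-", ""))
    if len(raw) != 6 or raw[:5] != bytes.fromhex("00005e0001"):
        raise ValueError("not a VRRP IPv4 virtual MAC")
    return raw[5]

def parse_advert(frame: bytes):
    """Return (vrid, priority, src_ip) for a VRRP advertisement, else None."""
    if len(frame) < 14 + 20 + 8 or frame[12:14] != b"\x08\x00":
        return None                   # too short or not IPv4
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != VRRP_PROTO or ip[16:20] != VRRP_GROUP or len(ip) < ihl + 8:
        return None
    vrrp = ip[ihl:]
    if vrrp[0] & 0x0F != 1:           # type 1 = ADVERTISEMENT
        return None
    return vrrp[1], vrrp[2], ".".join(map(str, ip[12:16]))

def dual_masters(frames):
    """Map VRID -> sorted advertising source IPs, for VRIDs with more than one."""
    seen = defaultdict(set)
    for f in frames:
        adv = parse_advert(f)
        if adv and adv[1] != 0:       # priority 0 = master resigning, ignore
            seen[adv[0]].add(adv[2])
    return {v: sorted(s) for v, s in seen.items() if len(s) > 1}

def build_advert(src_ip: str, vrid: int, prio: int) -> bytes:
    """Constructed sample frame (checksums left zero; the parser does not verify them)."""
    eth = bytes.fromhex("01005e000012") + bytes.fromhex("00005e0001%02x" % vrid) + b"\x08\x00"
    src = bytes(map(int, src_ip.split(".")))
    ip = struct.pack("!BBHHHBBH", 0x45, 0xC0, 28, 0, 0, 255, VRRP_PROTO, 0) + src + VRRP_GROUP
    return eth + ip + bytes([0x21, vrid, prio, 0, 0, 1, 0, 0])

# Constructed capture: two routers both advertising for the same VRID.
SAMPLE = [build_advert("192.0.2.27", 2, 110), build_advert("192.0.2.28", 2, 100)]
```

If a capture on each WAN switch shows only one advertising source per side, the advertisements are not crossing the inter-switch link.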

The whole setup was done by 3 different companies during the last 10 years and they do not cooperate at all.
Everyone was using different VLANs for the part of the network they were involved in. Mgmt VLAN 201 was implemented by me. VLAN 2 is the former native VLAN for the WAN switches setup, VLAN 1 was native for core switches and servers (btw, never seen servers and switches in one VLAN with public addresses - 130.227.12.0/24) and VLAN 10 was native for access switches/access points.

Basically I'm finishing the migration to new networks/VLANs. I still have transit VLAN 400 between the Meraki firewalls, the old Sophos firewall and the core stack to fix routing issues between old and new VLANs/networks, but the last parts I'm missing are the core stack (3750X are end of life - I will replace them with Meraki MS390) and this non-working WAN failover.

ISP support claims they cannot ping between the CPEs, same for the VRRP multicast address.

rabusiak
Level 1

One more interesting observation.

The CPE modems have public IP addresses:
CPE1 - X.X.X.27/27
CPE2 - X.X.X.28/27
and they share a virtual IP, currently stuck to CPE1 - X.X.X.1/27 (aka gateway for my Merakis)

My Merakis have public IP addresses from the same subnet assigned on their WAN ports:
Master has X.X.X.25/27
Slave has X.X.X.15/27
and they share a virtual IP address of X.X.X.22/27 attached to Master

I cannot ping the public IP address of CPE2 from any of the Merakis (master/slave) from any of its public IP addresses, but I can ping the CPE1 IP address from everywhere. ISP support cannot ping the CPE2 public address from CPE1 and vice versa.

Starting to think the issue is somewhere on Meraki... it's not accepting/forwarding VRRP and ICMP through WAN interfaces?


Is it possible to change WANSW1 and WANSW2 into a stacked configuration?
You may need to replace them with a model that supports stacking
(and/or change the MX switches into a stack, instead of a VRRP pair).
