– All Meraki MX firewall devices have a second uplink port used for load balancing and failover. This article shows how to enable and configure the secondary uplink port, how to load-balance between the uplink ports, and how to prioritize flows for different types of traffic.
I/. Enable and Configure WAN 2:
– Some MX models (MX250, MX400, MX450, MX600) have a dedicated second uplink port (WAN 2). To use it, only a cable needs to be connected, and the IP address can be configured on the MX's local status page. On all other MX models, a LAN port can be configured as a secondary Internet port and used as WAN 2.
– To configure a LAN port as WAN 2 on devices that do not have a dedicated WAN 2 port:
1- From the Meraki Dashboard, go to the MX's local status page.
2- Click the Configure tab at the top.
3- Under Port 1, 2, or 4 (depending on the model), change Role to Internet:
4- Configure the required settings for the WAN port:
● VLAN tagging – Assign a VLAN tag to all traffic sent out of this port. If left at Don't use VLAN tagging, traffic is sent untagged.
● Connection Type – Select PPPoE if required; otherwise leave it at Direct.
● IP assignment – If the interface receives a dynamic IP from the ISP, select DHCP from the list. Otherwise leave it at Static and manually enter the IP Address, Netmask, Gateway, and DNS servers.
– Once WAN 2 has been configured and connected, additional options appear in the Dashboard under Security & SD-WAN > Configure > SD-WAN & Traffic shaping.
II/. Load Balancing:
– Meraki MX devices can be configured to use both uplink ports for load balancing. When load balancing is enabled on the Security & SD-WAN > Configure > SD-WAN & Traffic shaping page, flows are distributed between the two uplink ports. The distribution is based on the throughput configured for WAN 1 and WAN 2 in the Uplink configuration section: the port with the larger configured throughput receives more flows.
– In the example below, WAN 1 is configured at 50 Mb/s and WAN 2 at only 10 Mb/s. This gives a 5:1 ratio, so for every 5 flows sent out of WAN 1, only 1 flow is sent out of WAN 2:
III/. Activate Speed Tests with Load Balancing:
– While troubleshooting network problems, it is sometimes necessary to check connectivity using Internet services. When testing uplink speed to the Internet from a client device behind an MX configured with load balancing, the test may use only one uplink across several runs. If throughput differs between the uplinks, this produces unexpected speed-test results. This is a consequence of the load-balancing algorithm on the MX firewall.
– Traffic is mapped to an Internet interface using the source and destination IP addresses together with the port number. Any newly initiated IP traffic that matches the source and destination IP address and port of an existing mapping is sent over the same Internet interface. This preserves connection state for flows that require the source and destination to remain the same for the life of the connection. In the figure below, the speed-test traffic of Host A (192.168.1.2) has been mapped to one uplink and that of Host B to the other. As long as these mappings exist, Host A's results will always match Uplink 1's, while Host B's will always match Uplink 2's.
– Each traffic mapping persists for 3600 s (1 hour) after the last traffic that matches it. The timer is reset every time new traffic matches the mapping, so with frequent communication between a pair of hosts the traffic may always use a single uplink, because the mapping is continually refreshed.
– In many cases the uplinks connected to the MX will have different throughput. For example, one uplink may be a high-speed MPLS link while the other is a slower DSL connection, or upstream problems may cause congestion on one link. When measuring uplink speed with an Internet speed test, it is best to test each uplink separately. This avoids the flow pinning described above and allows accurate measurement of each uplink port's throughput.
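The two behaviours described in sections II and III (flows shared out in proportion to configured throughput, and a source/destination/port mapping kept on one uplink until it has been idle for an hour) can be modelled in a few lines. The following is an added illustration, not Cisco Meraki code; the uplink names, the 50/10 throughput values, the exact flow key and all addresses are assumptions made for the example.

```python
"""Model of how an MX spreads new flows across uplinks and pins each flow.

Added illustration, not Cisco Meraki code. The flow key (src, dst, dst port),
the uplink names and the addresses below are assumptions for the example.
"""
from collections import Counter
import time

FLOW_TIMEOUT_S = 3600  # idle lifetime of a traffic mapping, as stated in the article


class UplinkBalancer:
    def __init__(self, throughput_mbps, timeout=FLOW_TIMEOUT_S):
        self.weights = dict(throughput_mbps)   # e.g. {"WAN1": 50, "WAN2": 10}
        self.timeout = timeout
        self.credit = Counter()                 # smooth weighted round-robin state
        self.sent = Counter()                   # new flows handed to each uplink
        self.mappings = {}                      # (src, dst, dport) -> (uplink, last_seen)

    def _next_uplink(self):
        """Smooth weighted round-robin: a 50/10 split yields WAN1 x5, WAN2 x1 per cycle."""
        total = sum(self.weights.values())
        for name, weight in self.weights.items():
            self.credit[name] += weight
        chosen = max(self.weights, key=lambda n: self.credit[n])
        self.credit[chosen] -= total
        return chosen

    def assign(self, src_ip, dst_ip, dst_port, now=None):
        """Return the uplink for this flow, reusing and refreshing a live mapping."""
        now = time.time() if now is None else now
        key = (src_ip, dst_ip, dst_port)
        entry = self.mappings.get(key)
        if entry is not None and now - entry[1] < self.timeout:
            self.mappings[key] = (entry[0], now)   # matching traffic resets the idle timer
            return entry[0]
        uplink = self._next_uplink()               # new or expired mapping: balance again
        self.sent[uplink] += 1
        self.mappings[key] = (uplink, now)
        return uplink


def distribution(n_flows, throughput_mbps=None):
    """Count how many of n_flows distinct flows land on each uplink (constructed hosts)."""
    lb = UplinkBalancer(throughput_mbps or {"WAN1": 50, "WAN2": 10})
    for i in range(n_flows):
        lb.assign(f"10.0.{i // 256}.{i % 256}", "198.51.100.5", 443, now=0)
    return dict(lb.sent)


def speed_test_demo():
    """Host A repeats a speed test three times in ten minutes, then once more after
    an hour of silence. Only the last run triggers a fresh balancing decision."""
    lb = UplinkBalancer({"WAN1": 50, "WAN2": 10})
    runs = [lb.assign("192.168.1.2", "198.51.100.5", 443, now=t) for t in (0, 300, 600)]
    after_idle = lb.assign("192.168.1.2", "198.51.100.5", 443, now=600 + FLOW_TIMEOUT_S)
    return runs, after_idle, sum(lb.sent.values())


if __name__ == "__main__":
    print("flows per uplink for 60 new flows:", distribution(60))
    print("repeated speed test (runs, after idle, decisions):", speed_test_demo())
```

The smooth weighted round-robin is one way to realise the 5:1 split; the article does not say which scheduler the MX uses, only that the port with the larger configured throughput receives proportionally more flows. The point of `speed_test_demo` is the one made in section III: repeated tests from the same host to the same server reuse the existing mapping, so they all measure the same uplink.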
IV/. Load Balancing and Connections using SSL/TLS:
– When a connection is established using SSL or TLS, the source port and IP address are commonly checked. If the received packets are inconsistent, the connection is terminated. Some load-balancing setups run into this when a single session's traffic is spread across several uplink ports at the same time.
– MX devices with aggregated links (Link Aggregation) solve this by pinning each flow to a single uplink port. In other words, once a TCP connection is established between a source and destination, traffic with that combination of IP addresses and ports leaves through only one uplink port, so the flow is never split across uplinks in a way that would drop the connection to the remote host.
V/. 1:1 or 1:Many NAT load balancing:
– Load balancing on the MX firewall is designed to distribute connections round-robin across all WAN uplink ports, balancing traffic between them. NAT rules, by contrast, map a public IP to one or more internal IPs, so traffic to and from those internal devices always uses that public IP.
When the two features are combined, load balancing can send traffic out of the other interface even though a NAT rule is in place. This causes problems for traffic sent from an internal IP referenced in a NAT rule.
– The following steps explain how to use Uplink preferences to ensure that 1:1 or 1:Many NAT traffic uses the appropriate interface:
1- Go to the path Security & SD-WAN > Configure > SD-WAN & Traffic shaping.
2- In the Flow preferences section, under Internet traffic, select Add a preference.
3- Configure the preference as shown below. In this case, the Local IP range 192.168.128.252/32 is the internal device referenced in a 1:1 NAT rule, and the Preferred uplink is the link that uses the public IP in the same rule.
4- Click Save changes.
!Note: An uplink preference must be configured for each NAT rule. For a 1:Many NAT rule, each internal device needs its own Uplink preference. To keep the list of uplink preferences short, a subnet can be used as the Local IP range instead of a single device.
VI/. Flow Preferences:
– By default (without load balancing), Internet traffic leaves through the primary uplink port. MX devices can also be configured to send traffic out of a specific interface based on the type of traffic (policy-based routing) or on the measured link quality of each uplink (performance-based routing). Flow preferences can be configured to determine which uplink should be used, and they override load-balancing decisions.
VII/. Internet Traffic:
– Flow preferences for Internet traffic can be configured to force traffic through a specific uplink based on source and/or destination. This is useful when a particular uplink should be dedicated to a specific type of traffic, such as traffic to a cloud storage service.
!Note: ICMP traffic is not subject to traffic shaping rules, so flow preferences do not affect ICMP traffic.
– To create a flow preference for Internet traffic:
1- In the Dashboard, go to Security & SD-WAN > Configure > SD-WAN & Traffic shaping.
2- Go to Flow preferences and, under Internet traffic, select Add a preference.
3- Define which traffic is assigned to the selected uplink:
● Protocol – TCP, UDP, or Any.
● Source – Source IP address, in CIDR notation.
● Src port – Source port, or Any.
● Destination – Destination IP address, in CIDR notation.
● Dst port – Destination port, or Any.
● Preferred uplink – The uplink port this traffic will be sent through.
4- Click Save changes.
VIII/. VPN Traffic and Performance Class Options:
– Flow preferences for Meraki AutoVPN traffic can be configured to send it out a preferred uplink. These options ensure that high-priority VPN traffic always takes the optimal path.
!Note: Flow preferences for VPN traffic apply only to Meraki AutoVPN and do not affect non-Meraki VPN connections.
– To create a flow preference for VPN traffic:
1- In the Dashboard, go to Security & SD-WAN > Configure > SD-WAN & Traffic shaping.
2- Under VPN traffic, select Add a preference.
3- In Traffic filter, define the traffic to be prioritized on the uplink:
● Protocol – TCP, UDP, or Any.
● Source/Port – Source IP and port.
● Destination/Port – Destination IP and port.
4- In Policy > Preferred uplink, choose how the uplink for this traffic is selected:
● WAN 1/WAN 2 – Traffic uses this uplink until the selected Fail over if condition (Poor performance or Uplink down) is encountered:
● Poor performance – Traffic stays on this uplink unless its performance fails to meet the selected Performance class, which can be VoIP or a custom class.
● Uplink down – Traffic stays on this uplink unless the uplink goes down.
● Best for VoIP – Traffic uses whichever uplink is determined to be best for VoIP.
● Load balance – If load balancing is enabled, traffic is distributed across the uplinks that meet the selected Performance class.
● Global preference – Traffic uses whichever uplink is configured as the Primary uplink.
– A Performance class can also be created to define minimum performance standards. If the criteria are not met, traffic is routed to the selected uplink port instead.
– To define a Performance class:
1- In the Dashboard, go to Security & SD-WAN > Configure > SD-WAN & Traffic shaping.
2- Under Custom performance classes, select Create a new custom performance class.
3- Define the minimum performance standards for this class:
● Name – A name for this class.
● Maximum latency (ms) – Maximum acceptable latency for this class, in milliseconds. Leave blank to ignore latency.
● Maximum jitter (ms) – Maximum acceptable jitter for this class, also in milliseconds. Can also be left blank.
● Maximum loss (%) – Maximum acceptable packet loss, as a percentage of traffic lost.
4- Click Save changes.
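Sections VII and VIII describe three pieces of logic that fit together: a flow preference matches traffic by protocol, source/destination CIDR and ports; a performance class is a set of thresholds where a blank field is ignored; and the Policy decides which uplink the matched flow may use, failing over on Uplink down or Poor performance. The following Python model ties them together. It is an added example, not Cisco Meraki code: the threshold values for the built-in VoIP class, the "most optimal for VoIP" rule, the uplink measurements and the sample preferences are all constructed assumptions.

```python
"""Toy model of MX flow preferences, performance classes and uplink policy.

Added illustration, not Cisco Meraki code. VoIP thresholds, the "best for VoIP"
rule, uplink measurements and sample preferences are assumptions for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class PerformanceClass:
    """Minimum standards; a None limit means the field was left blank (ignored)."""
    name: str
    max_latency_ms: Optional[float] = None
    max_jitter_ms: Optional[float] = None
    max_loss_pct: Optional[float] = None

    def is_met(self, m: Dict[str, float]) -> bool:
        limits = ((self.max_latency_ms, m["latency_ms"]),
                  (self.max_jitter_ms, m["jitter_ms"]),
                  (self.max_loss_pct, m["loss_pct"]))
        return all(lim is None or val <= lim for lim, val in limits)


# Thresholds for the built-in VoIP class are an assumption of this example.
VOIP = PerformanceClass("VoIP", max_latency_ms=150, max_jitter_ms=30, max_loss_pct=1.0)


@dataclass
class FlowPreference:
    protocol: str          # "TCP", "UDP" or "Any"
    source: str            # CIDR, e.g. "192.168.128.0/24"
    src_port: str          # port number as text, or "Any"
    destination: str       # CIDR
    dst_port: str
    preferred_uplink: str  # "WAN1", "WAN2", "Best for VoIP", "Load balance", "Global preference"
    failover_if: str = "Uplink down"        # or "Poor performance"
    perf_class: Optional[PerformanceClass] = None

    def matches(self, f: dict) -> bool:
        def port_ok(rule: str, value: int) -> bool:
            return rule == "Any" or int(rule) == value
        return (self.protocol in ("Any", f["protocol"])
                and ip_address(f["src"]) in ip_network(self.source)
                and ip_address(f["dst"]) in ip_network(self.destination)
                and port_ok(self.src_port, f["sport"])
                and port_ok(self.dst_port, f["dport"]))


def select_uplinks(flow: dict, prefs: List[FlowPreference], uplinks: Dict[str, dict],
                   primary: str = "WAN1", load_balancing: bool = False) -> List[str]:
    """Return the uplinks this flow may use: one entry is a pinned choice, several
    means the load balancer spreads flows across them."""
    up = [n for n, m in uplinks.items() if m["up"]]
    if not up:
        return []
    default = up if load_balancing else ([primary] if primary in up else up[:1])
    if flow["protocol"] == "ICMP":              # ICMP is not subject to flow preferences
        return default
    pref = next((p for p in prefs if p.matches(flow)), None)  # first match wins
    if pref is None:
        return default
    choice = pref.preferred_uplink
    if choice in uplinks:                        # WAN1 / WAN2 with a fail-over condition
        healthy = choice in up and (pref.failover_if != "Poor performance"
                                    or pref.perf_class is None
                                    or pref.perf_class.is_met(uplinks[choice]))
        return [choice] if healthy else [n for n in up if n != choice][:1]
    if choice == "Best for VoIP":
        # Assumption: lowest latency+jitter among uplinks meeting the VoIP class.
        cands = [n for n in up if VOIP.is_met(uplinks[n])] or up
        return [min(cands, key=lambda n: uplinks[n]["latency_ms"] + uplinks[n]["jitter_ms"])]
    if choice == "Load balance":
        eligible = [n for n in up if pref.perf_class is None or pref.perf_class.is_met(uplinks[n])]
        return eligible or default
    return [primary] if primary in up else up[:1]   # "Global preference"


# Constructed uplink measurements: WAN2 is up but too slow and lossy for VoIP.
UPLINKS = {
    "WAN1": {"up": True, "latency_ms": 40, "jitter_ms": 5, "loss_pct": 0.0},
    "WAN2": {"up": True, "latency_ms": 220, "jitter_ms": 45, "loss_pct": 2.0},
}

# Constructed preferences mirroring the article: pin the 1:1 NAT host to WAN2,
# and keep SIP traffic on WAN1 unless WAN1 no longer meets the VoIP class.
PREFS = [
    FlowPreference("Any", "192.168.128.252/32", "Any", "0.0.0.0/0", "Any", "WAN2"),
    FlowPreference("UDP", "192.168.128.0/24", "Any", "0.0.0.0/0", "5060",
                   "WAN1", failover_if="Poor performance", perf_class=VOIP),
]

if __name__ == "__main__":
    nat_host = {"protocol": "TCP", "src": "192.168.128.252", "dst": "198.51.100.7", "sport": 51000, "dport": 443}
    sip = {"protocol": "UDP", "src": "192.168.128.10", "dst": "198.51.100.7", "sport": 5060, "dport": 5060}
    print("NAT host:", select_uplinks(nat_host, PREFS, UPLINKS))
    print("SIP:", select_uplinks(sip, PREFS, UPLINKS))
```

Preferences are evaluated top to bottom and the first match wins, which is why the narrow /32 rule for the NAT host is listed before the /24 VoIP rule. Degrading `UPLINKS["WAN1"]` past the VoIP thresholds makes the SIP flow fail over to WAN2, while the NAT host stays pinned to WAN2 regardless of performance because its condition is Uplink down.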
– This concludes the article on configuring load balancing and flow preferences for Cisco Meraki MX firewall devices. We hope it is useful to readers.