Meraki

Community

How to configure Cisco Router connected to MX Security Appliance as Default Gateway to Internet

ANarcis
Here to help
‎Mar 8 2019 6:17 AM
‎Mar 8 2019 6:17 AM

How to configure Cisco Router connected to MX Security Appliance as Default Gateway to Internet

Hi Guys,

 

The router utilizes sub-interfaces that connect to down stream switch

Are these configurations correct for router and MX  to provide clients connected to down stream  Switch Internet Service ?

 

Static IP configured on MX WAN Interface (Public IP)

Configure Vlan interface and IP Address on MX .

Assign switchport on MX to created vlan.

Configure router interface to be  in same subnet as vlan on MX

Connect Router interface to Switchport on MX

 

 Default Route on router pointing to ip address of vlan interface on MX.

 

 

0 Kudos
10 Replies 10
Ben
A model citizen
‎Mar 8 2019 7:01 AM
‎Mar 8 2019 7:01 AM

If i'm reading and interpreting your post correctly than yes that would work. 

Just to be sure your setup is

 

MX  <---->   Cisco router  <----->  switch <----->  clients    

 

 

Rgrds,

Ben

0 Kudos
In response to Ben
ANarcis
Here to help
‎Mar 8 2019 7:04 AM
‎Mar 8 2019 7:04 AM

Hi Ben,

 

Do I need to configure static routes on the MX that point back to the Sub-interfaces configured on the router ? 

0 Kudos
In response to ANarcis
Barry_Dickinson
Conversationalist
‎Mar 8 2019 7:37 AM
‎Mar 8 2019 7:37 AM

 

I have always connected a Cisco router on the MX on LAN port (3) and then add the Cisco's router's gateway 10.X.X.X/24 as a VLAN1 on the MX.

0 Kudos
In response to Barry_Dickinson
ANarcis
Here to help
‎Mar 8 2019 7:52 AM
‎Mar 8 2019 7:52 AM

Hey Barry,

 

MX ---- > Cisco Router 

So, your saying that default routes on MX that point to vlans downstream aren't necessary.

 

0 Kudos
In response to ANarcis
Barry_Dickinson
Conversationalist
‎Mar 8 2019 8:01 AM
‎Mar 8 2019 8:01 AM

 

You have to add the Cisco routers subnet as a routing VLAN on your MX and then go to the DHCP scope for the newly created VLAN and set it to relay DHCP to another server and then add your DNS below. 

 

 

 

 

0 Kudos
In response to ANarcis
Barry_Dickinson
Conversationalist
‎Mar 8 2019 8:02 AM
‎Mar 8 2019 8:02 AM

 

You have add the Cisco routers subnet as a VLAN on your MX.

0 Kudos
In response to Barry_Dickinson
BrechtSchamp
Kind of a big deal
‎Mar 8 2019 8:13 AM
‎Mar 8 2019 8:13 AM

@ANarcis You haven't answered @Ben but I'm going to assume that what he said is indeed what you're trying to do. The question whether you need a route on the MX pointing towards VLANs that are present on the Cisco router downstream depends on what you're trying to do and how the router is configured.

 

If addresses of those downstream VLANs need to be reachable from the outside, i.e. connections initiated from the outside (whether that be through port forwarding, 1:1 NAT, AutoVPN, ClientVPN, ...) then yes, you definitely need a route on the MX.

 

If you just need those VLANs to have connectivity to the internet then you could just turn on NAT-masquerading on the router. The disadvantage there is that you no longer have insight into the original source addresses of the packets as those will be overwritten by the router's outer-IP by NAT. I'm going to guess that that is not what you want. So if you want to do filtering on the MX you'll likely want the MX to know about the downstream VLANs. so you would not turn on NAT in the router and you would indeed need route(s) on the MX pointing towards the Cisco router.

 

I hope that clears up things.

0 Kudos
In response to BrechtSchamp
ANarcis
Here to help
‎Mar 8 2019 8:52 AM
‎Mar 8 2019 8:52 AM

Actually, as you mentioned I just need to provide the downstream Vlans internet, the MX WAN interface will be configured with the public ip. So, NAT will be turn on to re-write the source address of packets leaving the internal network.

0 Kudos
In response to ANarcis
BrechtSchamp
Kind of a big deal
‎Mar 8 2019 8:56 AM
‎Mar 8 2019 8:56 AM

Then no route is needed. The only IP address the MX will get to see is the Cisco router's outer IP address so the route would not get used. The Cisco router's outer IP is in a subnet on which the MX also has an IP address so it can reach it.

0 Kudos
In response to BrechtSchamp
ANarcis
Here to help
‎Mar 8 2019 10:30 AM
‎Mar 8 2019 10:30 AM

Yes quite true,

 

Guys thank you all for your assistance.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
© 2024 Cisco Systems, Inc.