ASA 5516-X to Meraki MX84 migration

nikolaycholakov
Here to help


Hello, Team,

I hope you are all doing well.

I've been working on the migration from the ASA 5516-X to the MX84 for quite some time now, but I keep being pulled into other projects in the meantime.

I've successfully managed to lose remote SSH access to the Core and Catalyst switches on the ASA side of the fence while trying to migrate the STP from RSTP to MST.

[attached topology diagram: nikolaycholakov_3-1744640294790.png]

What are the first steps to proceed with this migration?

Do I plug the inside and DMZ ports from CATALYST SWITCH-1 into the MX's free ports and replicate the configuration as per the ASA?

I've seen in some of the other posts that any non-Meraki switch must be in MST. As you can see, the topology is a mixed bag of vendors, thankfully 99% Cisco!

How would I make sure the migration is successful and that I use a Meraki MX instead of the ASA?

I am currently running native VLAN 13 on the Meraki side of the fence, whereas on the ASA side the native VLAN is 1000. Will I have to change this, and how do I make sure I don't lose access to the NEXUS Cores and leafs? Make the change on each individual box?

Please feel free to criticise the network topology design and suggest best-practice methods to me.

I am looking forward to hearing from you.

Nick

8 Replies
nikolaycholakov
Here to help

Ideally, I want it to be directly connected to the MX84.

[attached diagram: nikolaycholakov_0-1744640892858.png]

or even bypass the CATALYST-SWITCH-01 too:

[attached diagram: nikolaycholakov_1-1744640978606.png]



Which will be the better option? 

How would I achieve the desired outcome? What issues will I come across? How to prevent them?

Mloraditch
Kind of a big deal

My main comment would be: why are you replacing a 5516 with an MX84? Both devices are announced EOL in 2026, and the 5516 provides more throughput and features. I can certainly see migrating from ASA to MX if your setup is simple enough, but I would want to be implementing a current model so I don't have to change things again in just over a year.

 

For STP I encourage you to read this article: https://documentation.meraki.com/MS/Port_and_VLAN_Configuration/Configuring_Spanning_Tree_on_Meraki_...
There is example code for IOS interoperability and an overall section on interoperability. I can't speak specifically to an environment such as yours; you would have to consult the documentation for each vendor/operating system.

 

Regarding your comment about the ports connecting the firewalls to the switches: yes, the trunking settings will have to match. I don't have a specific recommendation as it's really an either/or scenario. One side you will have to change and one side you won't. It doesn't, IMO, matter which one.

Honestly, my biggest recommendation is perhaps to work with your partner or account manager and get some engineering assistance. You have a somewhat complex environment and, I'm guessing based on the Nexus switches, perhaps some mission-critical items. What you want to do is definitely doable but may require more detail to properly plan than we can realistically provide here.

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
nikolaycholakov
Here to help

Thank you, m'lord!

 

I appreciate the prompt input. I'm trying to make the environment more cloud-first, and the NEXUS Cores are definitely a pain in the back with over 3000 VLANs configured on them and just a couple in use. I will look into a hardware refresh once the environment is more stable. I think moving away from the ASA to the Meraki will give me simpler management of the environment.

Mloraditch
Kind of a big deal

It will certainly be simpler; I would just verify your throughput needs won't be hampered. The MX84 will cap out around 320 Mbps with security features enabled and 500 Mbps total. The 5516 can handle up to 1.8 Gbps total and 450-ish with security features enabled.

nikolaycholakov
Here to help

Ahh, bugger. I came across these hardware throughput limitations with the Z3s and upgraded to Z4s for my home office users. I will keep you posted on the MX84 refresh; I raised a case with Meraki for engineering assistance too. Thank you for your guidance, m'lord!

PhilipDAth
Kind of a big deal

Is there any reason you can't do a "big bang" cut over and just move everything at once?

 

Don't forget to change the Nexus switches to using MST as well.

 

You have two connections between your ASA and Catalyst-1, inside and DMZ. If these ports are switchports on Catalyst-1 (as opposed to L3 ports), you'll need to convert them to a single trunked connection before migrating them across to the MX; otherwise spanning tree will shut one of the ports down.

nikolaycholakov
Here to help

Thank you so much Philip!

 

I highly appreciate your input. This is what I was looking for! I was wondering whether I should create a port-channel with the new ports towards the MX or just use a single link. I will try the single link tomorrow.

Currently, the config of the ports towards the ASA is:

interface GigabitEthernet1/0/4
 description #### ASA 5516-X MGMT PORT ####
 switchport access vlan 250
 switchport mode access
!
interface GigabitEthernet1/0/1
 description #### ASA 5516-X PORT 4 - INSIDE INTERFACE ####
 switchport access vlan 1000
 switchport mode access
!
interface GigabitEthernet1/0/2
 description #### ASA 5516-X PORT 5 - DMZ NETS ####
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1840-1855
 switchport mode trunk
!

Will the new port towards the MX from the Catalyst look like this to make it work:

interface GigabitEthernet1/0/3
 description #### MX84 PORT 8 - DMZ NETS ####
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1840-1855
 switchport mode trunk
!

or

interface GigabitEthernet1/0/3
 description #### MX84 PORT 8 - DMZ NETS ####
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan all
 switchport mode trunk
!

or

interface GigabitEthernet1/0/3
 description #### MX84 PORT 8 - DMZ NETS ####
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 250,1000,1840-1855
 switchport mode trunk
!

PhilipDAth
Kind of a big deal

MX does not support port-channels.  You can't use them.
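An added example, not code from the thread, from Cisco or from Meraki: a small Python script that takes the three ASA-facing stanzas Nick posted, folds the inside and DMZ ports into the single trunk Philip describes (the MX has no port-channel, so one link is the only option), and reviews the result the way a change review would judge the three candidate stanzas above. `allowed vlan all` is flagged, carrying the management VLAN 250 on the firewall link is flagged, and so is a native-VLAN mismatch between the switch and the MX (the 13 versus 1000 question from the opening post). The interface name GigabitEthernet1/0/3 is taken from Nick's candidates; the new description, the choice to keep VLAN 1000 as the untagged native VLAN, and the sample configs are assumptions, and the parser only understands the `interface`/`switchport` lines used in this thread.

```python
"""Added example (not from the thread, Cisco or Meraki): merge the Catalyst ports facing
the ASA into the one pruned trunk an MX needs, then flag common cut-over mistakes."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample: the three ASA-facing stanzas as posted in the thread.
ASA_FACING_CONFIG = """\
interface GigabitEthernet1/0/4
 description #### ASA 5516-X MGMT PORT ####
 switchport access vlan 250
 switchport mode access
!
interface GigabitEthernet1/0/1
 description #### ASA 5516-X PORT 4 - INSIDE INTERFACE ####
 switchport access vlan 1000
 switchport mode access
!
interface GigabitEthernet1/0/2
 description #### ASA 5516-X PORT 5 - DMZ NETS ####
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1840-1855
 switchport mode trunk
"""


@dataclass
class Port:
    name: str
    description: str = ""
    mode: str = "access"             # IOS default for a switchport
    access_vlan: int = 1
    allowed: set[int] | None = None  # None == 'all', the IOS default on a trunk
    native_vlan: int = 1


def expand_vlans(spec: str) -> set[int]:
    """'250,1000,1840-1855' -> {250, 1000, 1840, ..., 1855}.
    Spaces are tolerated here; real IOS rejects '250, 1000'."""
    vlans: set[int] = set()
    for part in spec.replace(" ", "").split(","):
        if part:
            lo, _, hi = part.partition("-")
            vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def compress_vlans(vlans: set[int]) -> str:
    """Inverse of expand_vlans, in the compact form IOS itself prints."""
    v, runs, i = sorted(vlans), [], 0
    while i < len(v):
        j = i
        while j + 1 < len(v) and v[j + 1] == v[j] + 1:
            j += 1
        runs.append(str(v[i]) if i == j else f"{v[i]}-{v[j]}")
        i = j + 1
    return ",".join(runs)


def parse_interfaces(text: str) -> list[Port]:
    """Minimal parser for 'interface ... / switchport ...' stanzas separated by '!'."""
    ports: list[Port] = []
    cur: Port | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = Port(name=line.split(None, 1)[1])
            ports.append(cur)
        elif cur is None or line in ("", "!"):
            continue
        elif line.startswith("description "):
            cur.description = line[len("description "):]
        elif line.startswith("switchport mode "):
            cur.mode = line.rsplit(None, 1)[1]
        elif line.startswith("switchport access vlan "):
            cur.access_vlan = int(line.rsplit(None, 1)[1])
        elif line.startswith("switchport trunk native vlan "):
            cur.native_vlan = int(line.rsplit(None, 1)[1])
        elif line.startswith("switchport trunk allowed vlan "):
            spec = line[len("switchport trunk allowed vlan "):].strip()
            cur.allowed = None if spec == "all" else expand_vlans(spec)
    return ports


def merge_to_trunk(ports: list[Port], new_name: str, description: str, native_vlan: int):
    """Fold several firewall-facing ports into one explicitly pruned 802.1Q trunk.
    Returns (Port, IOS stanza). Refuses any source port that allows every VLAN."""
    vlans: set[int] = set()
    for p in ports:
        carried = {p.access_vlan} if p.mode == "access" else p.allowed
        if carried is None:
            raise ValueError(f"{p.name} allows all VLANs; prune it before merging")
        vlans |= carried
    trunk = Port(new_name, description, "trunk", allowed=vlans, native_vlan=native_vlan)
    stanza = "\n".join([
        f"interface {new_name}",
        f" description {description}",
        " switchport trunk encapsulation dot1q",
        f" switchport trunk native vlan {native_vlan}",
        f" switchport trunk allowed vlan {compress_vlans(vlans)}",
        " switchport mode trunk",
        "!",
    ])
    return trunk, stanza


def audit_trunk(trunk: Port, mgmt_vlan: int, peer_native_vlan: int) -> list[str]:
    """Findings a change review should block on before the cut-over."""
    findings = []
    if trunk.allowed is None:
        findings.append(f"{trunk.name}: 'allowed vlan all' hands every VLAN on the switch to the firewall link")
    if trunk.allowed is None or mgmt_vlan in trunk.allowed:
        findings.append(f"{trunk.name}: management VLAN {mgmt_vlan} rides the firewall trunk; keep it on its own port")
    if trunk.native_vlan != peer_native_vlan:
        findings.append(f"{trunk.name}: native VLAN {trunk.native_vlan} != peer native VLAN "
                        f"{peer_native_vlan}; untagged frames will land in the wrong VLAN")
    return findings


if __name__ == "__main__":
    by_name = {p.name: p for p in parse_interfaces(ASA_FACING_CONFIG)}
    inside, dmz = by_name["GigabitEthernet1/0/1"], by_name["GigabitEthernet1/0/2"]
    # Assumption: inside VLAN 1000 stays untagged, as it was an access port towards the ASA.
    trunk, stanza = merge_to_trunk([inside, dmz], "GigabitEthernet1/0/3",
                                   "#### MX84 PORT 8 - INSIDE + DMZ ####", native_vlan=1000)
    print(stanza)
    # 13 is the Meraki-side native VLAN quoted in the opening post; expect one mismatch finding.
    for finding in audit_trunk(trunk, mgmt_vlan=250, peer_native_vlan=13):
        print("FINDING:", finding)
```

The MX port has to mirror the generated stanza (trunk, the same native VLAN, the same allowed list), and the management VLAN stays on its own access port rather than on the firewall link. The script is a review aid for the change ticket, not a substitute for `show interfaces trunk` on the Catalyst once the link is up.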
