Having 2 dedicated WAN switches ?

AlexL2
Here to help

Hello,

I have a design question. We are planning to implement a new Meraki infrastructure with the following devices:

- 2 x MX450

- 2 x C9300X-12Y-M

- 2 ISP

- some access switches 

- some Access Points

We have been asked to add 2 additional and dedicated « WAN switches » between the 2 ISPs and the 2 MXs, because they don't want the 2 ISPs to be connected to the MX or to the « LAN switches ».

Is it a recommended design? I can't find any related documentation.

Thanks,

Alex

22 Replies
alemabrahao
Kind of a big deal

Yes, it is. Take a look at this link.

https://docs.google.com/presentation/d/1SBngZ5lBUa8fYSsIxhtxj2IYoKHwk4dZlNj7Wu3LcLU/edit?slide=id.p1...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
AlexL2
Here to help

Thanks!!! That's really helpful!

Brash
Kind of a big deal

Yes, it's not uncommon to have switches in between the ISP NTU and the MX WAN ports, particularly when multiple ISP links are involved.

While Meraki switches can be used if set up correctly, some people suggest non-Meraki or unmanaged switches as it's easier for both:

 - Accurate client statistics in the Meraki dashboard

 - Management traffic flow from the WAN switches

KarstenI
Kind of a big deal

I am a big believer in having dedicated WAN switches. Connecting the firewall to the ISP on the LAN side introduces a physical bypass around the firewall, which is a no-go for me.

I typically use non-Meraki switches with 8 or 16 ports for that:

  • CBS350
  • Catalyst 1000, 1300
  • MikroTik

But sometimes also Meraki MS (in a separate Dashboard network due to client sampling).

These WAN switches connect to a firewall DMZ for management.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
AlexL2
Here to help

Thanks for your reply.

What do you mean by client sampling?

KarstenI
Kind of a big deal

The dashboard doesn't like seeing the same flow on both sides of the firewall. It's no problem if the traffic behind the firewall is on a switch in a separate dashboard network.

AlexL2
Here to help

I see, thanks 🙂

PhilipDAth
Kind of a big deal

You can also ask the ISP whether their CPE device can support two MXs plugged directly into it. This is the easiest solution.

AlexL2
Here to help

That was my idea, but unfortunately the customer doesn't want the MXs to be plugged directly into the CPE devices.

KarstenI
Kind of a big deal

That would be the best, as it also removes one point of failure. But in my experience, most ISPs don't do that. Why doesn't the customer like it?

AlexL2
Here to help

For "security reasons", they prefer to have an L2 switch between the ISPs and the MX.

KarstenI
Kind of a big deal

An Ethernet cable is more secure than a switch. 🙂

AlexL2
Here to help

That's true 😁

alemabrahao
Kind of a big deal

I've also heard some say that disabling DHCP on a network is a security measure.

A poorly trained user makes the network more insecure than anything else. 😅

AlexL2
Here to help

Is something like this feasible? Red cables are going to the access switches.

[Image: Network_Design.png]

KarstenI
Kind of a big deal

If you ask me, yes. If you ask @PhilipDAth he would suggest a solution that doesn't need STP to disable a port.

https://cyber-fi.net/index.php/2022/03/13/how-to-connect-the-meraki-mx-to-ms-switches/

alemabrahao
Kind of a big deal

But as far as I remember, in the suggested scenarios, it's recommended as good practice to have STP enabled, isn't it?

KarstenI
Kind of a big deal

It's what Meraki's documentation suggests. But you are no network admin if you never brought down a network due to an STP misconfiguration ... 😉

The other option can be more stable as it doesn't rely on STP to disable ports on the internal switch. All ports to the MX are active and forwarding.

AlexL2
Here to help

The issue I have is that the 2 core switches will be split across two different IT rooms, so I am also considering using EVPN, but I don't want to make it too complex for the customer.

GIdenJoe
Kind of a big deal

This is another case of why Meraki needs to make disabling client sampling on specific ports configurable, instead of only excluding uplinks as it does now.

In many designs you have 2 internet providers on opposite ends of the campus, where you can't just use dumb switches between the ISP router and the MX WAN ports due to a lack of fiber. So then you need to be able to pass that traffic on the same switches, but on a dedicated WAN VLAN.

For these ports we should be able to disable the client sampling feature.
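As an added example (not code from this thread, from any of the posters, or from Cisco Meraki), here is a small Python model of the Layer-2 topology that checks the two points made above: KarstenI's "physical bypass around the firewall" when an ISP lands on the LAN side, and GIdenJoe's variant where the ISPs terminate on the core switches but are isolated in a dedicated WAN VLAN. It searches for any Layer-2 path from an ISP hand-off to a protected LAN device that does not cross an MX. Device names, VLAN numbers and links are constructed assumptions for the illustration.

```python
"""Constructed Layer-2 topology audit for the WAN-switch designs discussed above.

Added example; device names, VLAN numbers and links are assumptions invented
for the illustration and do not come from the thread or from Cisco Meraki.
"""
from collections import defaultdict, deque

# A link is (device_a, device_b, set of VLANs allowed on the link). The MXs are
# firewalls: frames reach an MX port but are never forwarded through it at L2.
FIREWALLS = {"MX1", "MX2"}
ISPS = {"ISP1", "ISP2"}
# Devices that must never share a Layer-2 domain with an ISP hand-off.
PROTECTED = {"ACCESS1", "SERVER1"}
WAN_VLAN, LAN_VLAN = 100, 10


def build_adjacency(links):
    adj = defaultdict(list)
    for a, b, vlans in links:
        adj[a].append((b, frozenset(vlans)))
        adj[b].append((a, frozenset(vlans)))
    return adj


def l2_reachable(adj, start, vlan, firewalls):
    """Devices whose ports see frames from `start` on `vlan` without crossing a firewall."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for nxt, vlans in adj[cur]:
            if vlan not in vlans or nxt in seen:
                continue
            seen.add(nxt)
            if nxt not in firewalls:  # a firewall terminates the L2 domain
                queue.append(nxt)
    return seen


def find_bypass(links, isps, protected, firewalls):
    """List (isp, vlan, device) triples where an ISP hand-off has a Layer-2 path
    to a protected device that does not pass through a firewall. Empty = clean."""
    adj = build_adjacency(links)
    problems = []
    for isp in sorted(isps):
        isp_vlans = set().union(*(vlans for _, vlans in adj[isp]))
        for vlan in sorted(isp_vlans):
            reach = l2_reachable(adj, isp, vlan, firewalls)
            problems.extend((isp, vlan, dev) for dev in sorted(protected) if dev in reach)
    return problems


# Design 1 (constructed): dedicated WAN switches; the WAN VLAN never touches a LAN switch.
DEDICATED_WAN_SWITCHES = [
    ("ISP1", "WANSW1", {WAN_VLAN}), ("ISP2", "WANSW2", {WAN_VLAN}),
    ("WANSW1", "WANSW2", {WAN_VLAN}),
    ("WANSW1", "MX1", {WAN_VLAN}), ("WANSW1", "MX2", {WAN_VLAN}),
    ("WANSW2", "MX1", {WAN_VLAN}), ("WANSW2", "MX2", {WAN_VLAN}),
    ("MX1", "CORE1", {LAN_VLAN}), ("MX2", "CORE2", {LAN_VLAN}),
    ("CORE1", "CORE2", {LAN_VLAN}),
    ("CORE1", "ACCESS1", {LAN_VLAN}), ("CORE2", "ACCESS1", {LAN_VLAN}),
    ("CORE1", "SERVER1", {LAN_VLAN}),
]

# Design 2 (constructed): ISPs land on the core switches in a dedicated WAN VLAN that
# is carried only on the core interconnect and the MX WAN ports.
SHARED_CORE_WAN_VLAN = [
    ("ISP1", "CORE1", {WAN_VLAN}), ("ISP2", "CORE2", {WAN_VLAN}),
    ("CORE1", "CORE2", {LAN_VLAN, WAN_VLAN}),
    ("CORE1", "MX1", {WAN_VLAN}), ("CORE2", "MX2", {WAN_VLAN}),  # MX WAN ports
    ("MX1", "CORE1", {LAN_VLAN}), ("MX2", "CORE2", {LAN_VLAN}),  # MX LAN ports
    ("CORE1", "ACCESS1", {LAN_VLAN}), ("CORE2", "ACCESS1", {LAN_VLAN}),
    ("CORE1", "SERVER1", {LAN_VLAN}),
]

# Design 2 with the WAN VLAN accidentally left allowed on an access-switch trunk.
WAN_VLAN_LEAKED_TO_ACCESS = [
    (a, b, {LAN_VLAN, WAN_VLAN}) if (a, b) == ("CORE1", "ACCESS1") else (a, b, v)
    for a, b, v in SHARED_CORE_WAN_VLAN
]

# Design 2 with ISP2 patched into a LAN-VLAN port by mistake (the "physical bypass").
ISP_ON_LAN_VLAN = [
    (a, b, {LAN_VLAN}) if a == "ISP2" else (a, b, v) for a, b, v in SHARED_CORE_WAN_VLAN
]

if __name__ == "__main__":
    designs = [("dedicated WAN switches", DEDICATED_WAN_SWITCHES),
               ("shared core, WAN VLAN", SHARED_CORE_WAN_VLAN),
               ("WAN VLAN leaked to access", WAN_VLAN_LEAKED_TO_ACCESS),
               ("ISP on LAN VLAN", ISP_ON_LAN_VLAN)]
    for name, design in designs:
        print(f"{name}: {find_bypass(design, ISPS, PROTECTED, FIREWALLS) or 'no bypass'}")
```

The first two designs come back clean, which is the point GIdenJoe makes: a shared switch is acceptable as long as the WAN VLAN is pruned from every port that is not an ISP hand-off, a core interconnect or an MX WAN port. The last two show the two ways the isolation fails in practice, a VLAN left on an access trunk and an ISP patched into the wrong VLAN, and either one is what a dedicated, physically separate WAN switch removes from the allowed-VLAN list entirely.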

AlexL2
Here to help

Yes, I am waiting for the exact number of fibers; hopefully there will be enough 🙂

I also have a concern regarding the core switches where the access stacks will be connected, as the customer wants them dual-attached to each core switch (makes sense), but the core switches will be installed in 2 different IT rooms on 2 different floors. As these are 9300s, there is no way to have StackWise Virtual, so should I consider EVPN?

Thanks,

GIdenJoe
Kind of a big deal

Hmm, indeed, once your design asks for distribution switches that are physically separated, you need 9500/9600 with StackWise Virtual if you want to keep a simple Layer 2 design.

In your case, by using 9300s this is no longer possible, so yes, having a spine-leaf architecture with an EVPN fabric would be an option.
