Layer 2 connection in MX and other Firewall

Solved
AYEN
Getting noticed

Hi Everyone,

 

I have an ongoing deployment from the US and we are using an MX105 for SD-WAN purposes. In this project we have a limited view of the configuration except on our own Meraki MX. They gave us the VLANs and IP addresses assigned so that we can connect to their network, and that's the challenge. The problem we encountered was that we cannot ping the firewall IP address.

 

    Firewall ------ Switch ---- Switch ---------- 10.136.2.178  VLAN 10   MX105
    10.136.2.177    layer 2 | No SVI |  ---------- 10.60.4.2     VLAN 20
    10.60.4.4

  

According to the US engineer, the switch ports going to the MX were configured in access mode for their respective port VLANs. For the MX configuration, we all know that the MX is not capable of STP, therefore we configured the port as trunk or access and specified the VLANs mentioned above to avoid a loop. We tried everything on the MX configuration to reach the firewall IP but we can't. And please help me understand why the switch received the same MAC address from the MX and received RSTP in the packet capture?

 

Thanks

1 Accepted Solution
alemabrahao
Kind of a big deal

In your case, as you are using VLAN, I would not have a port for each VLAN but rather a single port in trunk mode.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

10 Replies
alemabrahao
Kind of a big deal

This is more like some deny on the net. Any chance of having a firewall rule blocking ICMP?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
AYEN
Getting noticed

Hi, 

 

Do you have any idea why the switch receives the same MAC address from the MX?

alemabrahao
Kind of a big deal

How did you reach that conclusion?

If you are talking about the port's ARP, it is normal, the ARP on the switch port will exist on the device's mac connected to it.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
AYEN
Getting noticed

On our setup, the two LAN ports of the MX which are connected to the LAN ports of the switch received the same MAC address although they are configured with different VLANs. Is that normal? In short, do the LAN ports of the MX have no individual MAC address?

 

Thanks.

alemabrahao
Kind of a big deal

Nope

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
AYEN
Getting noticed

Thank you sir

AYEN
Getting noticed

I want to verify if this setup on the Meraki MX is feasible. On the core switch, IT gave us 2 port connections for the MX105 LAN ports. Core switch Port1 = switchport mode access vlan 852, Port2 = switchport mode access vlan 851. And for the MX105 we tried different configurations: TRUNK and ACCESS, NATIVE VLAN 1 or VLAN 852 and 851. But still we can reach the firewall IP address. On the core switch there's no SVI, only Layer 2. Can anyone help me with what the best config for the MX is if only access mode is allowed on the core switch?

alemabrahao
Kind of a big deal

In your case, as you are using VLAN, I would not have a port for each VLAN but rather a single port in trunk mode.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
AYEN
Getting noticed

Hi Alemabrahao,

 

We will try your advice, but I think we need to add a layer 2 switch in between the MX105 and the core switch since we don't have any authority to change that configuration on the core switch. One more question: does the MS switch have a port MAC address on every LAN port? I don't see any documentation for that information. Thank you in advance if you can share that information with me.

alemabrahao
Kind of a big deal

Switches do not have mac ports, they have a single mac which is the system mac.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.