Thank you, that deck helped tremendously. I don't have enough networking background to translate everyone's suggestions into actual configuration settings, and that deck more or less did it.

---

A breakout switch between the MX and the ISP should be working as layer 2 only. Please make sure there is not L3 interface configured.

---

Thank you.

Not sure what this means in terms of where to go in the switch configuration and what to change, to ensure the switch stays in L2 mode. If it means "there is not L3 interface configured" - then what does that mean in terms of Interface (switch port?) configuration?

---

The recommended configuration is to have a copule of ports in access mode.

---

Assuming (for now) the switch will only have two connections - to the ISP circuit, and to the MX100, does this mean both of those should be in access mode?

---

If you are using other ports on the switch, is recommended if are trunk interfaces to prune the VLAN. Ex. use ports 1 and 2 for ISP modem and MX100, both in access VLAN 999. In any other trunk port in the switch do not allow VLAN 999.
I hope it makes sense.

---

The switch is dedicated to just being the breakout switch, i.e. no plans to use it for other tasks. This means ports other than the primary ones (one - to the ISP circuit, the other - to MX100's WAN port) can be used for two purposes only:

• management - connect to MX100's LAN port to ensure the MS220 switch remains manageable even if the ISP circuit drops
• testing and diagnosis - if there are issues with the ISP circuit, to ensure there can be a direct connection to it that bypasses MX100, yet that does not require disconnecting the MX100

With all that in mind - does something like this make sense, and does it look secure enough?

1. Port 1: to ISP circuit

2. Port 2: to MX100 WAN port

3. Port 3: to MX100 LAN port (for management)

• MS220-8 Port 1: to ISP circuit 1
• Type: Access
• VLAN: 991 (not present anywhere else on the network)
• MS220-8 Port 2: to MX100 WAN 1 port
• Type: Access
• VLAN: 991
• MS220-8 Port 3: to MX100 LAN port (for management)
• Type: Trunk
• Native VLAN: ?
• Allowed VLANs: none?
• MX100 WAN 1:
• VLAN ID: 991?
• IP config: (specific to the ISP circuit)
• MX100 LAN port (e.g. 5): no configuration options available
• Switch management: via MX100 LAN port

Thanks again!

---

The cable modem is using a plain routed address block, like a /29?

 

If it is passing through PPPoE then you may have issues.

---

Two ISP circuits in play:

• a cable modem (Spectrum Business) + 4-port router with DHCP, with static IPs that come with the service
• a so called "DIA" circuit from Frontier with a RAD ETX-203ax "demarcation" device - with a /29 address block.

Either one is working OK when connected directly to the MX100. I'd like to put a "breakout" switch(es) between the circuits and the MX, and configure everything securely.

Got a good response from Meraki support:

• The first thing you will need to take care of is the switch configuration.
  • The switch can get its management from the LAN of the MX, unless you want it to always be reachable even if the MX is down, in which case you will need to assign it a public IP from the same pool the MX is getting.
  • The ports that are assigned to the ISP circuit will be configured as access ports on a VLAn that will not be used on the LAN.
  • Depending if you assign a public IP to the switch or not, the management of the switch will be statically configured on that VLAN, otherwise it will get the management from your vlan of choice from the MX.
• No configuration changes will be needed on the MX and you will need to connect cabling accordingly to the selected ports for the ISP circuit on the switch.

... although still have trouble translating it to actual configuration steps.

So far my "translation" into configuration steps or options is as follows:

• MS220-8 Port 1: to ISP circuit 1
• Type: Access
• VLAN: 991 (not present anywhere else on the network)
• MS220-8 Port 2: to MX100 WAN 1 port
• Type: Trunk
• Native VLAN: not configured (empty)
• Allowed VLANs: all
• MX100 WAN 1:
• VLAN ID: not configured (empty)
• IP config: (doesn't matter - whatever works for that specific ISP circuit, including DHCP)
• Switch management: via static IP configured for the ISP circuit

• MS220-8 Port 1: to ISP circuit 1
• Type: Access
• VLAN: 991 (not present anywhere else on the network)
• MS220-8 Port 2: to MX100 WAN 1 port
• Type: Trunk
• Native VLAN: not configured (empty)
• Allowed VLANs: all
• MS220-8 Port 3: to MX100 LAN port (for management)
• Type: Trunk
• Native VLAN: not configured (empty)
• Allowed VLANs: all
• MX100 WAN 1:
• VLAN ID: not configured (empty)
• IP config: specific to the ISP circuit
• MX100 LAN port (e.g. 5): no configuration options available
• Switch management: via MX100 LAN port

• Does the LAN port connection from MX100 to switch (and thus, directly to the ISP circuit) make the configuration vulnerable in any way?

I've often added a switch between the ISP device and the MX (mainly to split the circuit to two MXs as an HA pair), but I always use a dumb unmanaged L2 switch. 

Why do you want to manage the WAN switch?  In my opinion it adds a security risk and a reliability risk that I'd rather not have.

I hear you on simplicity, security and reliability.

One reason to use a switch like that is because we have it... 🙂

The other - to counter ISP's assertion of "you have a lot of errors on your side" and get port error stats from a switch that can collect and report them.

(Generally, get a little better visibility into WAN traffic.)

Yet another: ease of configuration and testing. Configure two ports for one ISP circuit, another two - for the 2nd one, another - for a cellular uplink, isolate them all, see them all...