MX Architecture Question

MarshMadness
Here to help

MX Architecture Question

We are a smaller elementary/preschool/church with 1 MX84, 3 Aruba 2530's and 12 MR's of various models.  Just looking to see how common of a practice it is to place an MX84 directly on the internet (meaning not behind any ISP equipment.)

 

I am in the process of VLAN'ing the network and wondered if I should consider removing the AT&T provided hardware as well.

 

Thanks in advance for any input or advice.

10 Replies
PhilipDAth
Kind of a big deal

If possible, I would plug the ISP circuit directly into the MX.

MarshMadness
Here to help

Thank you for your input.  If my ISP will allow for it, it would seem that this is the way to go.

jdsilva
Kind of a big deal

Plugging an MX directly into the Internet is the only way we deploy them.

MarshMadness
Here to help

Thank you for your input. If my ISP will allow for it, it would seem that this is the way to go.

WillN
Getting noticed

We deploy many on bearer circuits that use ethernet presentation. They serve as CE (edge devices) suitably enough, and maybe one day they'll even come with a DSL connection as well *fingers crossed*

It's a reasonable UTM, so best efforts security FW, and some LAN capabilities to manage the rest of your estate using VLANs so all should be good.

I am sure we can pitch in with ideas if you need.

cmr
Kind of a big deal

@MarshMadness if you have the Enterprise subscription on your MX then you may well want to leave another more fully featured device on the WAN side of it; however, it is fairly unlikely that the AT&T device is such a thing. If you let us know the model I'm sure someone here will know.  If you have the Advanced license then you definitely don't need the provider's equipment unless it is a media converter (DSL to ethernet etc.) or the contract stipulates that you must use their edge device.

 

You can tell what MX license level your organisation has by going to Organization / License info as below, as you can see we only use Enterprise as we don't use our MXs as corporate edge firewalls:

 

(screenshot: cmr_0-1582276919746.png)

 

If my answer solves your problem please click Accept as Solution so others can benefit from it.
MarshMadness
Here to help

Thank you for your input.  If my ISP will allow for it, it would seem that this is the way to go.

I should have included that we do have the Advanced Security license and I am actively looking into supplementing with Umbrella as well.

Next steps: I will look into whether I can ditch the AT&T gear.

MarshMadness
Here to help

As it turns out, after getting off of a call with ATT Support, our DSL modem is required (as you indicated) to be inline, but it can be put in pass-thru mode simply enough via a couple of clicks and configuring the MX MAC.

 

If anyone can think of any "gotchas" or make sure to do XXXX, please let me know.

 

I may give this a go on Sunday afternoon when I can get some uninterrupted time (volunteer IT guy for a non-profit...)

WillN
Getting noticed

Hmm Gotchas hmm

Make sure your Meraki is on latest firmware. Some early build MX250/450s don't support /31 addressing until they're updated from factory level (you're running live already so no issues but will put in just in case a factory reset happens).

If in Passthrough then your MX may end up doing the PPPoE authentication. If you have a static IP address assigned then best configure the WAN to USE that address rather than rely solely on PPPoE username and password.

Check for VLAN tagging; in cases where you use static IPs only and no PPPoE authentication, then tagging must be watched out for on the Meraki. (We used Draytek V130 modems and had to tag the Modem + MX to get it to work.)

Ensure your router that is soon-to-be in passthrough doesn't do anything silly like operate wifi even though it's an L2 device. I've seen a few boxes that, despite being turned into a bridge, make all wifi connections L2 (fails to find DHCP.. or worse.. finds it and allows wifi users onto the network without firewall protections.).. Don't ask me how that was achieved 😛 ... magic I guess.

Once the connection through the other device is established, run your throughput testing (Security Appliance > Appliance Status > Tools); disregard the result, but watch the uplink tab to see a good measure of the bearer cct with the device in the way. It should be limited to bearer speed and not to 1Gb, which is the negotiated speed/duplex between the passthrough router and the MX.

That's all I can think of for now, sorry if some of them are like teaching grandma to suck eggs. All came out in a big expositional dump XD
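The /31 point, and the static-address-versus-PPPoE point, both come down to getting the ISP-supplied WAN addressing right before the modem goes into pass-thru. Below is an added example (not Meraki code and not from anyone in this thread) that sanity-checks a static WAN address, prefix length and gateway the way a practitioner would before cutover: a /31 (RFC 3021) has no network or broadcast address, so both addresses are usable hosts and the gateway must simply be the other one; for any larger subnet the check confirms the gateway is inside the subnet and that neither address is the network or broadcast address. The addresses used are constructed placeholders from the 203.0.113.0/24 documentation range, not anything from the thread.

```python
"""Sanity-check ISP-supplied static WAN addressing before cutting an MX over
to a bridged (pass-thru) modem.  Added example, not Meraki or ISP code.
All addresses used here are constructed documentation-range placeholders."""
import ipaddress


def check_wan_addressing(address: str, prefix_len: int, gateway: str) -> list:
    """Return a list of problems found; an empty list means the addressing looks sane.

    The /31 case is handled separately because, per RFC 3021, a /31 has no
    network or broadcast address: both addresses are hosts and the gateway is
    whichever one you were not given.  (As noted in the thread, some firmware
    builds need updating before /31 WAN addressing works at all.)
    """
    problems = []
    ip = ipaddress.ip_address(address)
    gw = ipaddress.ip_address(gateway)

    if prefix_len == 32:
        # A /32 leaves no room for a next hop on the same link.
        problems.append("/32 has no room for a gateway; expect a /31 or larger")
        return problems

    # strict=False so a host address (not the network address) is accepted
    net = ipaddress.ip_network(f"{address}/{prefix_len}", strict=False)

    if gw == ip:
        problems.append("gateway equals the WAN address")
    if gw not in net:
        problems.append(f"gateway {gw} is outside {net}")
        return problems

    if prefix_len == 31:
        # Exactly two hosts, no broadcast; nothing further to check.
        return problems

    # Larger subnets: the network and broadcast addresses are not usable hosts.
    if ip in (net.network_address, net.broadcast_address):
        problems.append("WAN address is the network or broadcast address")
    if gw in (net.network_address, net.broadcast_address):
        problems.append("gateway is the network or broadcast address")
    return problems


if __name__ == "__main__":
    # Constructed examples: a good /31, a /31 with the wrong gateway, a bad /29.
    for args in (("203.0.113.10", 31, "203.0.113.11"),
                 ("203.0.113.10", 31, "203.0.113.9"),
                 ("203.0.113.1", 29, "203.0.113.0")):
        print(args, "->", check_wan_addressing(*args) or "OK")
```

Run it with the address, prefix length and gateway from the ISP's static-IP paperwork; anything it flags is worth clarifying with the provider before the Sunday cutover, since a wrong gateway on a /31 will look exactly like "the MX won't come up behind the bridged modem".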

MarshMadness
Here to help

Thank you for your input. If my ISP will allow for it, it would seem that this is the way to go.

I am sure that I will be posting again shortly for some VLAN questions.
