MX Firewall between two separate LAN networks

Tylere
Conversationalist


I am not sure if this or the switching forum is appropriate. I am changing over from using a standard Cisco IOS layer 3 switch as my core router, to using a Meraki layer 3 switch. My question/need for help. This core router does all my internal routing, but it also has an outside agency that has a direct fiber connection into my network, and it's connected directly to this core router. With Cisco IOS I can configure that physical interface with an IP address, create an ACL, tie it to that interface, and create a route to channel allowed traffic between networks.

Moving now to using a Meraki Layer 3 switch as my core router for the network, how do I mimic this same process? I don't see anywhere that I can tie an IP address to a specific interface on the Meraki layer 3 switch.

With that said, my plan was to put an actual Meraki MX device between the two networks, and use the MX device strictly to control traffic between the networks. This is the more traditional approach, when you would use ASA or PIX firewalls to control traffic between two physical networks. Is that possible to set up and do in this scenario?

Thanks for any help.

alemabrahao
Kind of a big deal

In fact, you cannot assign an IP to a physical interface of an MX, but I don't see a problem with this solution that you are thinking of doing with the MX. If I'm not mistaken, I have already done something similar; the difference is that I used two MXes.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Brash
Kind of a big deal

For the L3 switch setup, instead of assigning an IP on the switch port (which you can't do on Meraki switches), you can use a transit VLAN.

Basically, select a VLAN that's not in use anywhere else in your network, configure an L3 interface on the switch with that VLAN and the applicable IP, and set the port connecting to the 3rd party as an access port with that VLAN tag.

You can then set up ACLs on the Meraki switch as per previous.

For the method using the MX, that should also work. You'd probably configure it in routed mode with the LAN port facing the 3rd Party and the WAN port facing your network.
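
The ACL logic behind the transit-VLAN approach in the reply above, as an added example that is not part of the thread and not Meraki's own code. It assumes the switch ACL is stateless, matched top-down with first match winning, and ends in a default allow rule; every subnet, the server address and the rule set are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple

class Rule(NamedTuple):
    action: str   # "allow" or "deny"
    proto: str    # "tcp", "udp" or "any"
    src: str      # CIDR or "any"
    sport: str    # port as a string, or "any"
    dst: str      # CIDR or "any"
    dport: str    # port as a string, or "any"

# Constructed addressing (assumptions, not values from the thread):
AGENCY = "192.168.50.0/24"   # outside agency's network behind the transit VLAN
SERVER = "10.10.20.5/32"     # the one internal host the agency may reach
INTERNAL = "10.0.0.0/8"      # everything else on the internal side

ACL = [
    Rule("allow", "tcp", AGENCY, "any", SERVER, "443"),    # 0: agency -> server HTTPS
    Rule("allow", "tcp", SERVER, "443", AGENCY, "any"),    # 1: replies (no state kept)
    Rule("deny", "any", AGENCY, "any", INTERNAL, "any"),   # 2: rest of agency -> inside
    Rule("deny", "any", INTERNAL, "any", AGENCY, "any"),   # 3: rest of inside -> agency
    Rule("allow", "any", "any", "any", "any", "any"),      # 4: trailing default allow
]

def _ip_match(addr, cidr):
    return cidr == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)

def _port_match(port, spec):
    return spec == "any" or spec == str(port)

def evaluate(acl, proto, src, sport, dst, dport):
    """Return (action, rule index) for the first matching rule.

    Each packet is judged on its own header fields only, so a reply is
    permitted only if some rule matches it explicitly.
    """
    for index, rule in enumerate(acl):
        if (rule.proto in ("any", proto)
                and _ip_match(src, rule.src) and _port_match(sport, rule.sport)
                and _ip_match(dst, rule.dst) and _port_match(dport, rule.dport)):
            return rule.action, index
    return "deny", None  # only reached if the default rule has been removed
```

Dropping rule 1 blocks the server's replies, and dropping rules 2 and 3 lets the default allow pass agency traffic to any internal host, which are the two mistakes to check for when porting an interface ACL to this model.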
