MX Pass-Through?

SOLVED
TBisel
Getting noticed


So we have a vendor that installs safety equipment, and that equipment needs a router installed by this vendor. For me to VLAN this off on the switch and AP side is easy, but how will I add a router on the inside of my network and not cause issues with the MX? Would it go into a pass-through mode? This will be completely segmented and cut off from my internal network; no communication between our systems and the safety systems is needed. Best case would be I would have two lines coming in, but that isn't possible. Do the MXs have a pass-through VLAN setting, or is there a "best practice" way to do this? I can't be the first one to have this issue.

1 ACCEPTED SOLUTION
PhilipDAth
Kind of a big deal

5 REPLIES 5
ww
Kind of a big deal

You added that equipment and router to a layer 2 VLAN on the switches and AP.

Why do you need to connect that VLAN on the MX?

If you need this, is blocking all traffic to your LAN with an ACL not enough? You could also bypass the MX and connect it to the internet directly?

TBisel
Getting noticed

I need to provide a way to the internet from their router. I would like to bypass the MX entirely and connect it to the internet directly, but that is not a possibility for me; that is why I am looking for another option. And I can just make deny rules so VlanA can't talk to VlanB and vice versa, but would the MX and the other router cause issues when trying to find a way out to the internet? Also, this company needs to VPN into their network, so I don't know if the double NAT would allow that.

TBisel
Getting noticed

Currently I am waiting to hear back from them, to see if there is a possibility for them to keep the access and functions that they need, turn off NAT on their router, and change the gateway address on their DHCP to my MX. Anyone see any problems that would arise from that?

PhilipDAth
Kind of a big deal

Yes, you could just create an additional VLAN on your MX and create firewall rules to prevent the two of them talking to each other.

 

https://documentation.meraki.com/MX/Networks_and_Routing/Configuring_VLANs_on_the_MX_Security_Applia...

 

https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/Firewall_Settings

I have a client in a similar position.

We agreed to put their router in front of the Meraki and keep their equipment completely off our network. Since they get into their equipment from a fixed IP address over SSH, I like the idea of there being two different networks.

Dave Anderson
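
The "additional VLAN plus firewall rules" approach suggested in the thread only isolates the vendor network if a deny rule for each direction sits above any overlapping allow and above the MX's implicit final allow. The sketch below is an added example, not code from the thread or from Meraki: it checks an exported rule list for that property. The two subnets, the rule comments and the function name `isolation_gaps` are assumptions, and it handles only CIDR and `Any` in the address fields.

```python
import ipaddress

CORP = "10.0.10.0/24"    # assumed internal VLAN subnet (constructed)
VENDOR = "10.0.99.0/24"  # assumed vendor safety-equipment VLAN subnet (constructed)

# Constructed rules using the policy/protocol/srcCidr/destPort/destCidr field names
# of MX layer 3 firewall rules; evaluated top-down, first match wins.
RULES = [
    {"comment": "vendor to corp", "policy": "deny", "protocol": "any",
     "srcCidr": VENDOR, "destPort": "Any", "destCidr": CORP},
    {"comment": "corp to vendor", "policy": "deny", "protocol": "any",
     "srcCidr": CORP, "destPort": "Any", "destCidr": VENDOR},
]
# The implicit last rule on the MX allows everything not denied above it.
DEFAULT_ALLOW = {"comment": "default allow", "policy": "allow", "protocol": "any",
                 "srcCidr": "Any", "destPort": "Any", "destCidr": "Any"}


def _nets(field):
    """Expand a comma-separated CIDR field; 'Any' matches every address."""
    if field.strip().lower() == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    return [ipaddress.ip_network(c.strip(), strict=False) for c in field.split(",")]


def isolation_gaps(rules, a, b):
    """Return (src, dst, rule comment) for each direction that is not fully denied.

    Conservative: a direction counts as isolated only when a single deny rule
    for all protocols and ports covers both subnets before any overlapping allow.
    """
    gaps = []
    for src, dst in ((a, b), (b, a)):
        s, d = ipaddress.ip_network(src), ipaddress.ip_network(dst)
        for rule in list(rules) + [DEFAULT_ALLOW]:
            src_nets, dst_nets = _nets(rule["srcCidr"]), _nets(rule["destCidr"])
            if not (any(n.overlaps(s) for n in src_nets) and any(n.overlaps(d) for n in dst_nets)):
                continue  # rule cannot match traffic in this direction
            if rule["policy"] == "allow":
                gaps.append((src, dst, rule["comment"]))
                break
            blanket = (rule["protocol"].lower() == "any" and rule.get("destPort", "Any").lower() == "any"
                       and any(s.subnet_of(n) for n in src_nets) and any(d.subnet_of(n) for n in dst_nets))
            if blanket:
                break  # whole direction denied before any allow was reached
    return gaps


if __name__ == "__main__":
    print(isolation_gaps(RULES, CORP, VENDOR))      # both deny rules present
    print(isolation_gaps(RULES[:1], CORP, VENDOR))  # only the vendor-to-corp deny
```

An empty result means both directions are blocked; each tuple names the direction left open and the rule that lets it through.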