MX as an internal Firewall

Solved
johnnyw827
Conversationalist

Trying to set up a MX as an internal firewall in routed mode (can't connect to Meraki dashboard at the moment). I have a Cisco Catalyst 9404 port set up as a trunk with the native vlan set to 903. That is plugged into a mx100 with the internet (WAN) link set up with VLAN tagging - 903 and a /30 IP that is in the same subnet as SVI VLAN 903. Is this configuration supported? 

1 Accepted Solution
KarstenI
Kind of a big deal

Make sure that WAN1 can get out and you should be good to go. This WAN interface doesn't have to do anything regarding firewalling. If you have dashboard access you can do all your firewalling on your VLAN-traffic.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.

4 Replies
KarstenI
Kind of a big deal

As long as the MX can reach the dashboard, it can be used as an internal firewall. However, I don't think the MX is the optimal choice for this.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
johnnyw827
Conversationalist

The link doesn't come up, so I don't think it's a supported configuration. We do the same thing for MS switches, and it works fine. I agree that it's a poor choice for internal firewalling.

GreenMan
Meraki Employee

Why set up the link between the Catalyst and the MX as a trunk? While you can do this, it doesn't add much, as you can't operate multiple SVIs over that link. I'd just go for an access setup in your chosen VLAN, without any tagging. Hard to say if the MX is appropriate as a purely internal firewall, without knowing exactly what you're wanting from it, though it is certainly true to say this is a fairly rare deployment scenario for an MX. Remember that, by default, traffic between different VLANs is permitted by an MX - you'd need to configure specific deny rules. You might also want to look into using no-NAT on the WAN interface: https://documentation.meraki.com/MX/Networks_and_Routing/NAT_Exceptions-No_NAT_on_MX_Security_Applia...
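The point about inter-VLAN traffic being permitted by default is the one that matters most if the MX is going to act as the internal firewall. The following is an added example, not code from the thread or from Meraki: a small Python model of a layer-3 outbound rule list evaluated top-down, first match wins, with an implicit allow when nothing matches (the assumption this model makes about how the MX treats an empty rule list, consistent with what GreenMan describes above). The VLAN subnets, the rule set and the sample flows are all constructed for the example; the thread only mentions VLAN 903 on the WAN side.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample VLAN subnets (not from the thread).
VLANS = {
    "servers": ipaddress.ip_network("10.0.10.0/24"),
    "users": ipaddress.ip_network("10.0.20.0/24"),
    "guest": ipaddress.ip_network("10.0.30.0/24"),
}


@dataclass(frozen=True)
class Rule:
    """One layer-3 rule: policy, protocol, source/destination network, destination port."""
    policy: str                      # "allow" or "deny"
    protocol: str                    # "any", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_port: Optional[int] = None   # None means any destination port
    comment: str = ""


def evaluate(rules, protocol, src_ip, dst_ip, dst_port=None):
    """Return (policy, comment) for one flow.

    Assumed semantics: rules are checked in order, the first match decides,
    and a flow that matches nothing is allowed (implicit default allow).
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule.protocol != "any" and rule.protocol != protocol:
            continue
        if src not in rule.src or dst not in rule.dst:
            continue
        if rule.dst_port is not None and rule.dst_port != dst_port:
            continue
        return rule.policy, rule.comment
    return "allow", "implicit default allow (no rule matched)"


# Out of the box: an empty rule list, so every inter-VLAN flow reaches the implicit allow.
DEFAULT_RULES = []

# Explicit deny rules. More specific allows must sit above the broader denies,
# because evaluation stops at the first match.
HARDENED_RULES = [
    Rule("allow", "tcp", VLANS["users"], VLANS["servers"], 443, "users may reach servers over HTTPS"),
    Rule("deny", "any", VLANS["users"], VLANS["servers"], None, "block everything else users -> servers"),
    Rule("deny", "any", VLANS["guest"], VLANS["servers"], None, "guest never reaches servers"),
    Rule("deny", "any", VLANS["guest"], VLANS["users"], None, "guest never reaches users"),
]

# Constructed flows to audit: (label, (protocol, src_ip, dst_ip, dst_port)).
SAMPLE_FLOWS = [
    ("guest->servers smb", ("tcp", "10.0.30.7", "10.0.10.5", 445)),
    ("users->servers https", ("tcp", "10.0.20.9", "10.0.10.5", 443)),
    ("users->servers ssh", ("tcp", "10.0.20.9", "10.0.10.5", 22)),
    ("guest->users ping", ("icmp", "10.0.30.7", "10.0.20.9", None)),
]


def audit(rules, flows):
    """Evaluate every sample flow against a rule list; returns [(label, policy), ...]."""
    return [(label, evaluate(rules, *flow)[0]) for label, flow in flows]


if __name__ == "__main__":
    for name, rules in (("default (empty rule list)", DEFAULT_RULES), ("hardened", HARDENED_RULES)):
        print(name)
        for label, verdict in audit(rules, SAMPLE_FLOWS):
            print(f"  {label:24s} {verdict}")
```

Running the script shows every flow allowed under the empty rule list and only the intended HTTPS path allowed under the hardened list. Reordering the hardened rules so the broad deny sits above the HTTPS allow would silently break the intended exception, which is why rule order is worth checking whenever an MX is used this way.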