@Mloraditch 

Thanks for the info. I'll check out those models. 

The switch's management uplink would connect to our internal core switch? Are there any security concerns with that? 

@Mloraditch 

I think we need three SFP+ ports on a switch; one for the fiber into the switch from the ISP's DIA, then one to each of the Meraki MX95s. If I'm sticking with your MS130 recommendation, would the switch I'd need be MS130-24X-HW? 

Would this be the topology? (blue = gigabit RJ45, orange = 10g fiber)

I have an RJ45 port on the MS130 going to a LAN port on each MX for management. I figured I could create a vlan on the MX95s that wouldn't go inside, and would just provide internet access to the MS130 so it could get to the Meraki dashboard. 

That switch appears to be more expensive that what I had in mind. Anything cheaper you are aware of? 

I'm going to take a different strategy.

Ask the ISP performing the upgrade whether they can provide a pair of SFP+ ports in a bridge configuration to connect the primary and backup firewalls.  It will be easier for you if they take this on.

If they are not keen, ask them what they would charge to provide this service.

Otherwise, I think the MS130-24X is the lowest spec Meraki switch that has 4 SFP+ ports (you need three ports).

https://documentation.meraki.com/Switching/MS_-_Switches/Product_Information/Overviews_and_Datasheet...

Also, do you have a 10Gbe connection between the MX95 and your 6509?

Hello @PhilipDAth 

The ISP has provided quotes for both single and dual hand off. While architecturally preferable, the dual hand off increases the cost per month significantly. I'm trying to make sure I have all the info when I go to my superiors with the options. Example; they'd probably want to know if we could save $200 a month for 3yrs by employing a switch. 

I do not currently have 10Gbe connections between the MX95s and the 6509. But there are ports available on all hardware. I assume, dual or single hand off, moving to these connections would be a requirement of going above 1Gbe. 

@Mloraditch 

"oh duh" moment. I did not realize the MX95's RJ45 WAN ports where 2.5Gbe. The cost of the MS130-8X-HW is much more palatable. So looking at this architecture now. Thoughts? 

@Mloraditch A follow up question to that too. For the MS130-8X-HW, do I need the enterprise or advance license? 

@Mloraditch @PhilipDAth 

Thank you both for your help. 

This might work, but it only has two SFP+ ports, but it does have 4 - 10GB multi-gigabit copper ports.

And this switch can be managed by the Meraki dashboard with the latest IOS-XE firmware.

Of course the UPoE would be completely wasted...

@jbright Thanks for the switch option. I think I'm sticking with the MS130-8X-HW. The MS130-8X-HW appears to be a cheaper switch. 

We've implemented the following. 

On the MS130-8X, ports 1 and 2, are connected to LAN ports on the MX95s, on a dedicated vlan I created on the MX95s, to allow the MS130-8X to communicate with the Meraki dashboard. Currently, I have no additional restrictions on that vlan. For security, should I put restrictions on that vlan, or is it fine as is? 

@PhilipDAth 

Since that vlan is getting DHCP from the MX95s, and is only needed on the MX95s and MS130, would you suggest blocking the traffic through an ACL on the 6509 core switch? I'm thinking that would leave the switch exposed to the outside, able to communicate with the Meraki dashboard, and unable to communicate to internal systems. 

I've got this implemented. 

Ports 1 and 2 on the Meraki MS130-8X that go to the LAN ports on the Meraki MX95s are using their own VLAN, which is getting DHCP from the MX95s and blocked from other VLANs via ACL on the 6509 core switch. 

Later this year we are likely replacing the 6509 core switch, which is currently overkill. Considering a Cisco 9300X stack. 

My question now is, when we do the core switch upgrade, why do I need the Meraki MS130-8X or the unmanaged Cisco switch to divide ISP traffic between the MX95s at all? Can't I just connect everything to the core switch, and use vlans and ACLs on the core switch to block traffic between ISPs/outside and LAN/inside? Example topology;