MX65 Functionality

diablo24
Building a reputation


Hi,

 

I'm trying to understand how the MX firewall routes packets in and out of a single interface. I have an MX65 with two WAN links; however, I only have one link configured via DHCP. It has a public IP and is being managed via the dashboard. Now here are my questions:

 

1. Is it possibly the case that the one interface with IP is really only for management, but that the real firewall policy is between two L2 interfaces? 

2. Does the device have one IP’d interface, and another interface with no IP?  Or does it really only have the one interface, traffic comes in, and if it passes, it goes back exactly where it came from?

3. Does the MX have any other rules/constraints about surrounding network, like “there must be two connected routers”?

4. If you send traffic to a device with one interface, let it filter/route, then let it send the traffic back out the SAME interface, then the next device along the path is likely to reject the traffic as a loop!?

jdsilva
Kind of a big deal

1. No

2. Yes, unless you configured a static IP on the second interface. 

3. No

4. Not likely. But that depends on what type of device it is and what features it has enabled. 

 

Your scenario is kinda confusing to me though. Can you add a diagram and show the traffic flow you're speaking of?

Adam
Kind of a big deal


1.  If you go to Security Appliance>Traffic Shaping you'll need to enable Load Balancing if you want it to use both WAN interfaces actively.  

2.  Both WAN interfaces will have an IP, whether DHCP or static.  You have to log in to the MX's local status page to designate/enable the second WAN port as internet. It will show WAN1 and WAN2 in the dashboard.

3.  No, the MX doesn't really care what is upstream from it, as long as the WAN connection has internet.

4. The MX will manage incoming/outgoing.  Traffic sent out one interface will be returned through the same interface.  You can also create preferences if you desire on the 'Traffic Shaping' page mentioned above.  For example, if you had one high-speed and one medium-speed connection you may want to set an internet preference for the higher-speed WAN connection.

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO