Meraki

Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

MX84 HA setup tagged WAN ports

Solved
gmartine
Here to help
‎Aug 7 2018 12:30 AM
‎Aug 7 2018 12:30 AM

MX84 HA setup tagged WAN ports

usw-a, usw-b, usw-c, usw-d they are all UniFi USW-24 switches. Boxes in the middle are Meraki firewalls MX84 working on HA (active/backup), where top is active and bottom is backup.  usw-a & usw-b (Port#1) are ISP connections.  Application server will sit behind usw-c & usw-d

 

roght Noel the switches are managed static (public dmz zone). How can I get the wan ports to allow packets in two tsgged vlans? Let’s say Vlan 100 Internet and Vlan11 (tagged) managemet traffic?

8709276C-6082-4328-8976-B68E6BEBA95D.jpeg

 

 Any ideas ?

0 Kudos
1 Accepted Solution
In response to gmartine
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Aug 9 2018 12:28 PM
‎Aug 9 2018 12:28 PM

Correct, the MX84 simply bridges its LAN ports.  It looks to me like you should have a working setup now.

View solution in original post

0 Kudos
10 Replies 10
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Aug 7 2018 12:53 AM
‎Aug 7 2018 12:53 AM

The WAN ports can be tagged, but can only belong to a single VLAN.  You configure this via the local status page.

https://documentation.meraki.com/zGeneral_Administration/Tools_and_Troubleshooting/Using_the_Cisco_M...

The MX will use its WAN IP to talk to the Meraki cloud, and does not need a seperate management network.

 

If you have other devices needing to talk to the Internet that are attached to VLAN11, then you can connect those via the LAN ports and configure a VLAN11 there.  Note this would be using private IP address space.

https://documentation.meraki.com/MX-Z/Networks_and_Routing/Configuring_VLANs_on_the_MX_Security_Appl...

0 Kudos
In response to PhilipDAth
gmartine
Here to help
‎Aug 7 2018 4:21 AM
‎Aug 7 2018 4:21 AM

@PhilipDAth the issue here is that the port#1 for both usw-a and usw-b is not tagged.  At the same time devices a and b, need to connect to the Internet for management purposes but they need to be behind the firewall. I have the option to tag the management traffic for devices a and b. I forgot to say devices a, b, c and d are managed layer2 switches. Any ideas?

0 Kudos
In response to gmartine
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Aug 7 2018 12:25 PM
‎Aug 7 2018 12:25 PM

Port 1 (the ISP links) does not need to be tagged.  Just put it into a VLAN and present that to the WAN ports of the MX.

0 Kudos
In response to PhilipDAth
gmartine
Here to help
‎Aug 8 2018 10:37 AM
‎Aug 8 2018 10:37 AM

@PhilipDAth I can’t put not ISP traffic and management traffic in the same VLAN. That is my problem 

@PhilipDAth wrote:

Port 1 (the ISP links) does not need to be tagged.  Just put it into a VLAN and present that to the WAN ports of the MX.

 

0 Kudos
In response to gmartine
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Aug 8 2018 12:41 PM
‎Aug 8 2018 12:41 PM

Put the ISP traffic in one VLAN and present it to the WAN ports, and management traffic in another VLAN and present it to the LAN ports.

In response to PhilipDAth
gmartine
Here to help
‎Aug 8 2018 7:55 PM
‎Aug 8 2018 7:55 PM

@PhilipDAthI guess after all I was missing a connection in my diagram.  I will have run another pair of cables just to carry the management traffic.

@PhilipDAth wrote:

Put the ISP traffic in one VLAN and present it to the WAN ports, and management traffic in another VLAN and present it to the LAN ports.

Here is the diagram.  I will use port#6 of the MX84 for both active/sparecluster modified.png

0 Kudos
In response to gmartine
gmartine
Here to help
‎Aug 9 2018 10:08 AM
‎Aug 9 2018 10:08 AM

@PhilipDAth I completed the connections as previously shown on my earlier post. I can now see from usw-a the other switch usw-c. I assume the mx84 is bridging all LAN ports. Is that the correct assumption? 

0 Kudos
In response to gmartine
gmartine
Here to help
‎Aug 9 2018 10:10 AM
‎Aug 9 2018 10:10 AM

@PhilipDAth Sorry I forgot to add the screenshot from the switch point of view B371A2EA-55D8-4385-89A8-DB69770DC105.png

 

 

 

0 Kudos
In response to gmartine
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Aug 9 2018 12:28 PM
‎Aug 9 2018 12:28 PM

Correct, the MX84 simply bridges its LAN ports.  It looks to me like you should have a working setup now.

0 Kudos
In response to PhilipDAth
gmartine
Here to help
‎Aug 15 2018 8:12 PM
‎Aug 15 2018 8:12 PM

After adding the new links the setup is working as expected. The only drawback is that switch usw-b sees usw-a as its uplink through the ISP connection. The reason is because the spare mx84 I believe 

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.