MX84 HA setup tagged WAN ports

SOLVED
gmartine
Conversationalist


usw-a, usw-b, usw-c and usw-d are all UniFi USW-24 switches. The boxes in the middle are Meraki MX84 firewalls running in HA (active/backup), where the top one is active and the bottom one is backup. Port 1 on usw-a and usw-b are the ISP connections. The application server will sit behind usw-c and usw-d.

Right now the switches are managed static (public DMZ zone). How can I get the WAN ports to allow packets in two tagged VLANs? Let's say VLAN 100 (Internet) and VLAN 11 (tagged) management traffic?

Any ideas?

1 ACCEPTED SOLUTION
PhilipDAth
Kind of a big deal

Correct, the MX84 simply bridges its LAN ports.  It looks to me like you should have a working setup now.


PhilipDAth
Kind of a big deal

The WAN ports can be tagged, but can only belong to a single VLAN.  You configure this via the local status page.

https://documentation.meraki.com/zGeneral_Administration/Tools_and_Troubleshooting/Using_the_Cisco_M...

The MX will use its WAN IP to talk to the Meraki cloud, and does not need a separate management network.

 

If you have other devices needing to talk to the Internet that are attached to VLAN11, then you can connect those via the LAN ports and configure a VLAN11 there.  Note this would be using private IP address space.

https://documentation.meraki.com/MX-Z/Networks_and_Routing/Configuring_VLANs_on_the_MX_Security_Appl...

@PhilipDAth the issue here is that port 1 on both usw-a and usw-b is not tagged. At the same time, devices a and b need to connect to the Internet for management purposes, but they need to be behind the firewall. I have the option to tag the management traffic for devices a and b. I forgot to say that devices a, b, c and d are managed layer 2 switches. Any ideas?

PhilipDAth
Kind of a big deal

Port 1 (the ISP links) does not need to be tagged.  Just put it into a VLAN and present that to the WAN ports of the MX.

@PhilipDAth I can't put ISP traffic and management traffic in the same VLAN. That is my problem.

@PhilipDAth wrote:

Port 1 (the ISP links) does not need to be tagged. Just put it into a VLAN and present that to the WAN ports of the MX.

PhilipDAth
Kind of a big deal

Put the ISP traffic in one VLAN and present it to the WAN ports, and management traffic in another VLAN and present it to the LAN ports.
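The rule in this answer (an MX WAN port belongs to exactly one VLAN, so the ISP VLAN goes to the WAN side and the management VLAN goes to a LAN port over its own link) can be written down as a small check on switch-port profiles. The script below is an added example for this thread, not code from the thread, Meraki or Ubiquiti. It models the original attempt (both VLANs tagged on the port facing the MX WAN) and the corrected design, and reports what is wrong with the first. The VLAN IDs 100 and 11 come from the question; the switch port numbers 2 and 3 and the role names are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# VLAN IDs as used in the question: 100 carries the ISP handoff, 11 carries
# switch management. Both are the thread's example values.
ISP_VLAN = 100
MGMT_VLAN = 11


@dataclass(frozen=True)
class SwitchPort:
    """A switch-port profile: one untagged (native) VLAN plus a set of tagged VLANs.

    `facing` says what the port is cabled to: "isp", "mx_wan", "mx_lan" or "host".
    These role names are an assumption of the example, not UniFi or Meraki terms.
    """
    switch: str
    port: int
    native_vlan: Optional[int]
    tagged_vlans: FrozenSet[int] = frozenset()
    facing: str = "host"

    def carried(self) -> FrozenSet[int]:
        """All VLANs that appear on the wire from this port, tagged or untagged."""
        vlans = set(self.tagged_vlans)
        if self.native_vlan is not None:
            vlans.add(self.native_vlan)
        return frozenset(vlans)


def validate(ports: List[SwitchPort]) -> List[str]:
    """Return a list of findings; an empty list means the design matches the answer."""
    findings: List[str] = []
    mgmt_reaches_mx_lan = False
    for p in ports:
        label = f"{p.switch} port {p.port}"
        vlans = p.carried()
        if p.facing == "mx_wan":
            # An MX WAN port can be tagged, but belongs to a single VLAN, so a
            # trunk offering several VLANs to it cannot work.
            if len(vlans) != 1:
                findings.append(f"{label}: MX WAN port must carry exactly one VLAN, got {sorted(vlans)}")
            # Management traffic on the WAN side would sit outside the firewall.
            if MGMT_VLAN in vlans:
                findings.append(f"{label}: management VLAN {MGMT_VLAN} presented to the WAN side")
        elif p.facing == "mx_lan":
            if ISP_VLAN in vlans:
                findings.append(f"{label}: ISP VLAN {ISP_VLAN} presented to the MX LAN side")
            if MGMT_VLAN in vlans:
                mgmt_reaches_mx_lan = True
        elif p.facing == "isp" and p.tagged_vlans:
            findings.append(f"{label}: ISP handoff should be untagged in VLAN {ISP_VLAN}")
    if not mgmt_reaches_mx_lan:
        findings.append(f"no port presents management VLAN {MGMT_VLAN} to an MX LAN port, "
                        "so the switches have no firewalled path to the Internet")
    return findings


def original_design() -> List[SwitchPort]:
    """The question's first attempt: both VLANs tagged on the link to the MX WAN (constructed)."""
    return [
        SwitchPort("usw-a", 1, native_vlan=ISP_VLAN, facing="isp"),
        SwitchPort("usw-a", 2, native_vlan=None,
                   tagged_vlans=frozenset({ISP_VLAN, MGMT_VLAN}), facing="mx_wan"),
    ]


def corrected_design() -> List[SwitchPort]:
    """The accepted answer: ISP VLAN alone to the WAN port, management VLAN on a
    second cable to an MX LAN port (port numbers are constructed)."""
    return [
        SwitchPort("usw-a", 1, native_vlan=ISP_VLAN, facing="isp"),
        SwitchPort("usw-a", 2, native_vlan=ISP_VLAN, facing="mx_wan"),
        SwitchPort("usw-a", 3, native_vlan=None,
                   tagged_vlans=frozenset({MGMT_VLAN}), facing="mx_lan"),
    ]


if __name__ == "__main__":
    for name, design in (("original", original_design()), ("corrected", corrected_design())):
        print(f"{name}: {validate(design) or ['ok']}")
```

Running it prints three findings for the original design (too many VLANs on the WAN-facing port, management on the WAN side, and no management path into an MX LAN port) and `ok` for the corrected one. The same check can be extended to usw-b and the spare MX by adding its ports to the list.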

@PhilipDAth I guess after all I was missing a connection in my diagram. I will have to run another pair of cables just to carry the management traffic.

@PhilipDAth wrote:

Put the ISP traffic in one VLAN and present it to the WAN ports, and management traffic in another VLAN and present it to the LAN ports.

Here is the diagram. I will use port 6 of the MX84 for both active/spare.

gmartine
Conversationalist

@PhilipDAth I completed the connections as previously shown on my earlier post. I can now see from usw-a the other switch usw-c. I assume the mx84 is bridging all LAN ports. Is that the correct assumption? 

gmartine
Conversationalist

@PhilipDAth Sorry, I forgot to add the screenshot from the switch point of view.


After adding the new links the setup is working as expected. The only drawback is that switch usw-b sees usw-a as its uplink through the ISP connection. The reason is, I believe, because the spare MX84
