Hi All,
I'm planning to set up a Meraki campus using a two-tier firewall for a branch office, and would be happy to get some ideas on whether the Meraki MX platform can support what I am planning to do.
1. MX as external internet firewall (NAT mode)
2. Cisco platform as internal firewall
3. MS 410 as L3 transit switch with MPLS link to access internal LAN through Cisco firewall from other branch & DC.
4. MS 410 as Core/Aggregation switch.
5. MS 120 as Edge switches.
The design is not an HA setup.
MX will be the gateway for the Guest WiFi network. Cisco firewall will be the gateway for the Inside LAN network.
Guest WiFi VLAN will bypass the internal firewall and go directly to the MX for internet access.
All Inside LAN traffic will go through the Cisco internal firewall for inter-VLAN routing and pass through the L3 transit switch for internet access. The L3 MS 410 transit switch will have a default route for internet through the MX firewall.
Would like to clarify the connection mode between the MX and downstream.
1. Can I have a trunk link between the MX and Core for the guest VLAN, and an access link (transit VLAN) between the MX and the L3 transit switch for L3 connectivity, with a default route to the MX for internet?
2. Or should I keep the MS core switch as the gateway for Guest WiFi and have L3 (transit VLAN) links from both the Core switch to the MX and the transit switch to the MX?
What is the recommended setup?
Thanks,
My recommendation would be to keep the guest gateway on the Meraki core switch for the reasons mentioned.
The Meraki core switch can provide DHCP to the guests. If you are using Meraki WiFi too, I would look at the following article and use the NAT mode DHCP available on the access points.
https://documentation.meraki.com/MR/Client_Addressing_and_Bridging/NAT_Mode_with_Meraki_DHCP
Are you asking whether the gateway for guests should be on the MX or the core switch?
I have seen both; you can argue the case for either without really having anything to worry about.
Personal preference would be to have the gateway on the core switch to avoid layer 2 broadcast traffic from guest users making it up to the MX, essentially reducing the load on that device. Also, keeping the gateway on the switch makes the setup somewhat cleaner.
On a side note, what value is the internal firewall offering? It looks to just complicate the setup. Can you not push all traffic through the MX and filter there as appropriate?
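Concretely, the guest-gateway-on-core layout from this reply, expressed as Meraki Dashboard API payloads for the MS core. This is an added example, not code from the thread or from Meraki; the VLAN numbers, subnets, serial and network ID are constructed placeholders, and the ACL builder shows the isolation rule the core needs once it routes guest traffic itself.

```python
import json
import os
import urllib.request

BASE = "https://api.meraki.com/api/v1"
# Constructed addressing: guest VLAN 50 and transit VLAN 99 are routed on the MS core;
# the inside LAN 10.10.0.0/16 keeps its gateway on the Cisco internal firewall; MX = 10.99.0.1.
GUEST_VLAN, GUEST_SUBNET, GUEST_GW = 50, "192.168.50.0/24", "192.168.50.1"
TRANSIT_VLAN, TRANSIT_SUBNET = 99, "10.99.0.0/30"
CORE_TRANSIT_IP, MX_IP = "10.99.0.2", "10.99.0.1"
INSIDE_LAN = "10.10.0.0/16"


def core_l3_interfaces():
    """L3 interfaces for the MS core: the guest gateway (guest broadcasts stop here, not
    at the MX) and the transit VLAN, which carries the switch's default gateway to the MX."""
    return [
        {"name": "Guest-WiFi", "vlanId": GUEST_VLAN, "subnet": GUEST_SUBNET,
         "interfaceIp": GUEST_GW},
        {"name": "Transit-to-MX", "vlanId": TRANSIT_VLAN, "subnet": TRANSIT_SUBNET,
         "interfaceIp": CORE_TRANSIT_IP, "defaultGateway": MX_IP},
    ]


def guest_isolation_acl():
    """Switch ACL rules (MS ACLs are stateless and evaluated top-down). Once the core
    routes guest traffic, it must deny guest -> inside LAN itself, since that path no
    longer crosses the internal firewall; everything else from guests goes to the MX."""
    def rule(policy, dst, comment):
        return {"comment": comment, "policy": policy, "ipVersion": "ipv4", "protocol": "any",
                "srcCidr": GUEST_SUBNET, "srcPort": "any", "dstCidr": dst, "dstPort": "any",
                "vlan": str(GUEST_VLAN)}
    return [rule("deny", INSIDE_LAN, "Guest may not reach inside LAN"),
            rule("allow", "any", "Guest to Internet via MX")]


def push(method, path, body, api_key):
    """One Dashboard API call; needs a valid key, so it is only run from main()."""
    req = urllib.request.Request(
        BASE + path, data=json.dumps(body).encode(), method=method,
        headers={"X-Cisco-Meraki-API-Key": api_key, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    key = os.environ["MERAKI_API_KEY"]
    serial, net = "CORE-SERIAL-PLACEHOLDER", "NETWORK-ID-PLACEHOLDER"
    for iface in core_l3_interfaces():
        push("POST", f"/devices/{serial}/switch/routing/interfaces", iface, key)
    push("PUT", f"/networks/{net}/switch/accessControlLists",
         {"rules": guest_isolation_acl()}, key)
```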
Hi @Tadpole86 ,
Thanks for your response.
Are you asking whether the gateway for guests should be on the MX or the core switch?
Yes, which one is recommended: keeping the gateway on the MX or on the core switch? I got an idea from your reply; to reduce the load on the MX, I prefer to keep the gateway on the MS core.
Can the MS core switch be configured to provide DHCP IPs for the Guest VLANs, or should it be on the MX?
The internal firewall is due to a business requirement. The MX will primarily serve internet traffic and internet load balancing.
Thanks @Tadpole86, will look into the document. In my setup, all switches and APs are Meraki.