Meraki Campus Design with two tier Firewall

SOLVED
Prithiviraj
Here to help

Meraki Campus Design with two tier Firewall

Hi All,

I'm planning to setup a Meraki campus using two tier firewall for a branch office, would be happy to get some ideas, if Meraki MX platform can support, what I am planning to do.

 

1. MX as external internet firewall (NAT mode)

2. Cisco platform as internal firewall

3. MS 410 as L3 transit switch with MPLS link to access internal LAN through Cisco firewall from other branch & DC.

4. MS 410 as Core/Aggregation switch.

5. MS 120 as Edge switches.

 

The design is not a HA setup,

MX will be gateway for Guest WiFi network.Cisco Firewall will be gateway for Inside LAN network.

 

Guest Wifi Vlan will by-pass internal Firewall and go directly to MX for internet access.

All Inside LAN traffic will go through Cisco internal firewall for inter-vlan routing and pass through L3 transit switch for internet access. L3 MS 410 transit switch will have default route for internet through MX firewall.

 

Would like to clarify, the connection mode between MX to downstream.

1. Can I have trunk link between MX to Core for guest vlan and Access link (transit vlan) between MX to L3 transit switch for L3 connectivity default route to MX for internet?

2. Else should I keep MS core switch as gateway for Guest Wifi and have L3 (transit vlan) link between both Core switch to MX and transit switch to MX? 

What is the recommended setup.

 

Meraki 2 tier firewall design.jpg

Thanks,

1 ACCEPTED SOLUTION

My recommendation would be to keep the guest gateway on the Meraki core switch for the mentioned reasons. 

 

The Meraki core switch can provide DHCP to the guests, if you are using Meraki wifi too I would look at the following article and use the NAT mode DHCP available on the access points. 

 

https://documentation.meraki.com/MR/Client_Addressing_and_Bridging/NAT_Mode_with_Meraki_DHCP

 

 

 

 

 

View solution in original post

4 REPLIES 4
Tadpole86
Getting noticed

Are you asking whether the gateway for guests should be on the MX or the core switch? 

 

I have seen both, you can argue the case for either without really having anything to worry about. 

 

Personal preference would be to have a gateway on the core switch to avoid layer 2 broadcast traffic from guest users making it up to the MX. Essentially reducing the load on that device. Also keeping the gateway on the switch makes the setup somewhat cleaner. 

 

 

 

On a side note, what value is the internal firewall offering? It looks to just complicate the setup. Can you not push all traffic through the MX and filter there as appropriate?

 

 

Hi @Tadpole86 ,

 

Thanks for your response. 

 

Are you asking whether the gateway for guests should be on the MX or the core switch?

Yes, which one is recommended. To keep gateway in MX or in Core switch. Hope got an idea from your reply, to reduce load on MX, prefer to keep the gateway on MS core. 

Can MS Core switch be configured to provide DHCP IP for Guest Vlans? or it should be on MX? 

 

The internal firewall is due to business requirement. MX will primarily serve for internet traffic and internet load balancing. 

 

My recommendation would be to keep the guest gateway on the Meraki core switch for the mentioned reasons. 

 

The Meraki core switch can provide DHCP to the guests, if you are using Meraki wifi too I would look at the following article and use the NAT mode DHCP available on the access points. 

 

https://documentation.meraki.com/MR/Client_Addressing_and_Bridging/NAT_Mode_with_Meraki_DHCP

 

 

 

 

 

Thanks @Tadpole86  will look into the document. In my setup, all switches and AP are Meraki. 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels