Meraki MX in passthrough mode behind Comcast SDWAN

Solved
DB2
New here

So we recently signed on with Comcast SD WAN because the cost was minimal in addition to our other services.

I am going to transition off of the Meraki VPNs and use the Comcast VPNs as a few of our sites are in their footprint and then will use their backend for faster routing than going through the internet.

The Comcast setup has a routing device that has a handoff with a local IP. We will say 172.16.16.1 is the Comcast device and 172.16.16.2 is my MX device. Now I have moved all the VLANs and routing to downstream switches. The Comcast edge device does not provide IPS and content filtering, so I will continue using the MXs for that in "Passthrough" mode.

I won't be using the Meraki VPN functionality. I would then have Comcast -> Firewall -> Meraki Switch. Would I then want an interface on the switch in the 172.16.16.0 subnet and use the Comcast device .1 as the switch gateway? Do I need the Comcast routes to then point at my switch and not my firewall? Since I am using the Comcast VPNs the traffic can't be NAT'd (which is why I am configuring passthrough); I don't want to use it as a VPN concentrator, or don't see a reason to. If I can't use static routes on the passthrough MX, then how does the MX know what traffic from my other sites coming from Comcast to pass to my switch? Which is why I am asking: do I need the switch to be the gateway for this traffic from Comcast?

EG:

Location 1:

Comcast Edge device has local IP of 172.16.16.1

MX Passthrough Device has local IP of 172.16.16.2

Switch has an interface for the 10.10.0.0/24 network. Does it also need to be on the 172 subnet to communicate with the MX passthrough device, and does it use the MX IP as a gateway or the Comcast edge device as a gateway?

Location 2:

Comcast Edge device has local IP of 172.16.32.1

MX Passthrough device has local IP of 172.16.32.2

Switch has a 10.10.1.0/24 interface

Comcast has a route for 10.10.0.0/24 pointing to 172.16.16.2

Comcast has a route for 10.10.1.0/24 pointing to 172.16.32.2

1 Accepted Solution
cmr
Kind of a big deal

If the MX is in passthru mode then it doesn't take part in routing at all. The Comcast device should have a route for the local 10 network pointing to a L3 interface on the switch in the 172 subnet. The switch should have a default gateway of the Comcast device's 172 address.

If my answer solves your problem please click Accept as Solution so others can benefit from it.

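An added example, not part of the thread or of any Meraki or Comcast tooling: a small Python next-hop simulation of the design in this accepted answer, showing why the Comcast route for each 10.x network must point at the switch's L3 interface and not at the passthrough MX. The switch addresses 172.16.16.3 and 172.16.32.3, and collapsing both Comcast edges into one SD-WAN device, are assumptions.

```python
from ipaddress import ip_address, ip_interface, ip_network

class Device:
    """One hop. interfaces: 'ip/prefix' strings; routes: (prefix, next_hop).
    routing=False models an MX in passthrough: it bridges the segment but
    never forwards at layer 3, so a route pointing at it goes nowhere."""
    def __init__(self, name, interfaces, routes=(), routing=True):
        self.name = name
        self.interfaces = [ip_interface(i) for i in interfaces]
        self.routes = [(ip_network(p), ip_address(n)) for p, n in routes]
        self.routing = routing

    def connected(self, dst):
        return any(dst in i.network for i in self.interfaces)

    def next_hop(self, dst):
        """Longest-prefix match over the routing table; None if no match."""
        if not self.routing:
            return None
        matches = [(n, h) for n, h in self.routes if dst in n]
        return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

def trace(devices, start, dst, max_hops=8):
    """Hop-by-hop path from `start` to `dst`; ends with 'DROP' on failure."""
    owner = {i.ip: d for d in devices for i in d.interfaces}
    dst, cur, path = ip_address(dst), start, [start.name]
    for _ in range(max_hops):
        if cur.connected(dst):
            return path
        cur = owner.get(cur.next_hop(dst))   # who owns the next-hop address?
        if cur is None:
            return path + ["DROP"]
        path.append(cur.name)
    return path + ["DROP"]

def build(next_hop_loc1, next_hop_loc2):
    """Thread topology. Assumed: switch L3 addresses are .3 on each 172 subnet,
    and the two Comcast edges are collapsed into one SD-WAN backbone device."""
    comcast = Device("Comcast SD-WAN", ["172.16.16.1/24", "172.16.32.1/24"],
                     [("10.10.0.0/24", next_hop_loc1), ("10.10.1.0/24", next_hop_loc2)])
    mx1 = Device("MX1 (passthrough)", ["172.16.16.2/24"], routing=False)
    mx2 = Device("MX2 (passthrough)", ["172.16.32.2/24"], routing=False)
    sw1 = Device("Switch1", ["172.16.16.3/24", "10.10.0.1/24"], [("0.0.0.0/0", "172.16.16.1")])
    sw2 = Device("Switch2", ["172.16.32.3/24", "10.10.1.1/24"], [("0.0.0.0/0", "172.16.32.1")])
    return [comcast, mx1, mx2, sw1, sw2], sw2

def path_loc2_to_loc1(next_hop_loc1, next_hop_loc2):
    """Path for a Location 2 host reaching 10.10.0.50 at Location 1."""
    devices, sw2 = build(next_hop_loc1, next_hop_loc2)
    return trace(devices, sw2, "10.10.0.50")
```

Calling `path_loc2_to_loc1("172.16.16.2", "172.16.32.2")` (routes at the MX, as in the question) ends in DROP at MX1, while `path_loc2_to_loc1("172.16.16.3", "172.16.32.3")` (routes at the switch, as in the answer) reaches Switch1.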

3 Replies
DB2
New here

Thank you. I thought as much with my limited understanding.

I still do need the firewall in the middle in order to do Layer3/7 rules along with IPS and traffic shaping etc though correct?

cmr
Kind of a big deal

@DB2 yes that is correct, please see here: Passthrough Mode on the MX Security Appliance and Z-series Teleworker Gateway - Cisco Meraki

If my answer solves your problem please click Accept as Solution so others can benefit from it.