Meraki networks and grouping/segmentation of edge firewall, L3 switch, and concentrator

MerkiWaters
Here to help

In our datacenter, we have these devices:

MX250 HA pair - Edge firewall and Cisco Secure/AnyConnect VPN.  Also hosts a DMZ vlan, and management vlan.

MS350 stack - L3 for all other subnets in the datacenter

MX250 pair - one-arm concentrator SD-WAN hub

The MX250's are connected to the MS350: both WAN and LAN for the edge firewall, and WAN for the one-arm concentrator.

In terms of Meraki networks:

Edge firewall is in its own network.  Client tracking options are MAC or IP.  Neither is fully appropriate.

L3 switch and concentrator are grouped in another network.  Client tracking options are MAC, IP, Unique Identifier.

I could describe the problems I'm having with client tracking and traffic issues, but from the description above, can anyone comment on if these devices are grouped properly and best choices for client tracking?

Thanks!

Mloraditch
Kind of a big deal

I would have your edge firewall and switches in one network and the concentrator by itself. The edge firewall and switches can then use unique identifier tracking.


Your concentrator would then track by IP address in its network.

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
RWelch
Kind of a big deal

If this were my project, I'd be inclined to have both MX250s in HA and the MS350 stack in one combined network.

If the MS350 stack is using L3, you'd use unique identifier.  

If you keep it at L2 then use MAC address — Default.

Separately, I'd put the other MX250s (pair) in their own separate networks, for example:
MX250-VPN-A (its own network - same organization)
MX250-VPN-B (its own network - same organization)

You would then use "Track clients by IP address" for client tracking, and its deployment mode is "passthrough" (VPN concentrator mode).  This is the correct client tracking option for a standalone MX in VPN concentrator mode, as tracking by IP address is recommended when the MX is not the layer 3 gateway for clients.
PhilipDAth
Kind of a big deal

I would track by IP address for the edge firewall.

I would track by unique client identifier for the L3 switch and concentrator network.

MerkiWaters
Here to help

Thanks for the reply!  That is the current setup, although it wasn't always that way (it was track by IP in the concentrator + switch network).  I don't know when this issue began, but I am seeing clients from a remote site (MX250 pair as an SD-WAN spoke) appear as clients in the edge network.  Also, I'm seeing Cisco Secure clients that connect to the edge firewall's VPN show as clients at the remote site.  I haven't been able to identify any misconfigurations in static routing, VPN-enabled networks, or DHCP to explain this.  Additionally, the Cisco Secure client IPs are being reported in the Event Logs of the remote site - logs show Source IP/Vlan Mismatch.
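An added example, not from the thread or from Cisco Meraki, that encodes the grouping and tracking advice from the replies (combined MX + L3 switch network tracks by unique identifier, L2-only by MAC, standalone passthrough concentrator by IP, concentrator alone in its own network) as a small audit over a constructed model of the topology. The Network fields, network names and device labels are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Network:
    """One Meraki dashboard network (fields are assumptions for this example)."""
    name: str
    devices: List[str]            # constructed labels, e.g. "MX250-edge-HA"
    tracking: str                 # configured method: "mac", "ip" or "unique_id"
    has_mx: bool
    has_ms: bool
    ms_routes: bool = False       # the MS stack is the L3 gateway for client VLANs
    mx_passthrough: bool = False  # MX runs in passthrough / one-arm concentrator mode


def recommended_tracking(net: Network) -> Optional[str]:
    """Tracking method the replies recommend, or None where they give no single answer."""
    if net.mx_passthrough:
        return "ip"               # MX is not the clients' L3 gateway
    if net.has_mx and net.has_ms:
        return "unique_id" if net.ms_routes else "mac"
    return None                   # MX-only network: dashboard offers only MAC or IP


def audit(networks: List[Network]) -> List[str]:
    """Return one finding per deviation from the grouping/tracking advice."""
    findings = []
    for net in networks:
        if net.mx_passthrough and len(net.devices) > 1:
            findings.append(f"{net.name}: one-arm concentrator should be alone in its own network")
        if net.has_mx and not net.has_ms and not net.mx_passthrough:
            findings.append(f"{net.name}: MX-only network cannot use unique identifier; "
                            "combine it with the L3 switch stack")
        want = recommended_tracking(net)
        if want is not None and net.tracking != want:
            findings.append(f"{net.name}: tracking is {net.tracking}, advice is {want}")
    return findings


# Constructed model of the asker's current layout: edge MX alone, switch stack + concentrator together.
CURRENT_LAYOUT = [
    Network("DC-Edge", ["MX250-edge-HA"], "ip", has_mx=True, has_ms=False),
    Network("DC-Core", ["MS350-stack", "MX250-concentrator"], "unique_id", has_mx=True, has_ms=True, ms_routes=True, mx_passthrough=True),
]

# Layout the replies suggest: edge MX + switch stack combined, concentrator on its own.
PROPOSED_LAYOUT = [
    Network("DC-Edge-Core", ["MX250-edge-HA", "MS350-stack"], "unique_id", has_mx=True, has_ms=True, ms_routes=True),
    Network("DC-Concentrator", ["MX250-concentrator"], "ip", has_mx=True, has_ms=False, mx_passthrough=True),
]
```

Running `audit(CURRENT_LAYOUT)` yields three findings (the standalone edge MX, the concentrator sharing a network, and its tracking method), while `audit(PROPOSED_LAYOUT)` yields none.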