Newbie - Topology question

SOLVED
Philip
Here to help

I have one Meraki MX100 as a firewall, a Meraki MX425 and six Cisco 2960X switches. Six Cisco 2960X switches act as client switches and are connected to another Cisco 2960X switch acting as the core switch. The 1st and 2nd Cisco 2960X client switches need to use public IP addresses; the other four client switches use internal IP addresses (192.168.x.x). Any suggested configuration on the MX100 and MX425 that could achieve this goal? Thanks!

 

ISP Router
   |
MX 100
   |
MX 425
   |
Cisco 2960X (core switch)
   |---Cisco 2960X (use public IP address)
   |---Cisco 2960X (use public IP address)
   |---Cisco 2960X
   |---Cisco 2960X
   |---Cisco 2960X
   |---Cisco 2960X

1 ACCEPTED SOLUTION
Fady
Meraki Employee

Hi @Philip

 

The best way to have a public IP behind the MX100 is to perform 1:1 NAT (double NATting), so the LAN IP and the public IP should be the same in the NAT rule; when the traffic leaves the MX it will then have the same public IP towards the ISP. You need to make sure the public IP is routable via the internet.

 

https://documentation.meraki.com/MX-Z/NAT_and_Port_Forwarding/Port_Forwarding_and_NAT_Rules_on_the_M...

 

Please make sure to allow the remote IPs for the incoming traffic if you need these public IPs to be reachable from the internet.

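The accepted answer comes down to three checks before the rule is pushed: the public address must actually be internet-routable, the LAN side can carry the same address (the double-NAT layout), and the inbound allow-list should name the remote IPs rather than "any". The following is an added example, not code from the thread or from Meraki: it builds the rule as a Dashboard API v1 1:1 NAT object and refuses the two mistakes the answer warns about. The endpoint path follows the v1 API; the network ID, the 203.0.113.0/24 "public" prefix and the 198.51.100.x remote sources are constructed placeholders.

```python
"""Build and sanity-check a Meraki MX 1:1 NAT rule with a restricted inbound allow-list.

Added example (not from the thread or Meraki). Assumes the Dashboard API v1 endpoint
PUT /networks/{networkId}/appliance/firewall/oneToOneNatRules; all addresses are constructed.
"""
import ipaddress
from typing import Dict, List, Tuple

# Address space the ISP will never deliver to. A 1:1 NAT rule whose "public" side falls in
# one of these is a misconfiguration. RFC 5737 documentation ranges (192.0.2/24, 198.51.100/24,
# 203.0.113/24) are deliberately left out so the constructed sample can use 203.0.113.0/24
# as a stand-in for a real public prefix. IPv4 only, which is what MX 1:1 NAT handles.
NON_ROUTABLE_V4 = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def is_internet_routable(ip: str) -> bool:
    """True if the address is IPv4 and outside every non-routable block above."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        return False
    return not any(addr in net for net in NON_ROUTABLE_V4)


def build_one_to_one_nat_rule(name: str, public_ip: str, lan_ip: str,
                              allowed_sources: List[str], destination_ports: List[int],
                              protocol: str = "tcp", uplink: str = "internet1",
                              allow_any_source: bool = False) -> Dict:
    """Return one rule object for the Dashboard API 'rules' array.

    lan_ip may equal public_ip (the double-NAT layout from the accepted answer) or be an
    RFC1918 host; either way it only has to parse. Sources are checked so a typo cannot
    silently widen the allow-list, and "any" is rejected unless explicitly overridden.
    """
    if not is_internet_routable(public_ip):
        raise ValueError(f"{public_ip} is not internet-routable; traffic would never reach the MX")
    ipaddress.ip_address(lan_ip)  # raises on garbage
    if protocol not in ("tcp", "udp", "icmp", "any"):
        raise ValueError(f"unsupported protocol {protocol!r}")

    sources: List[str] = []
    for src in allowed_sources:
        src = src.strip()
        if src.lower() == "any":
            if not allow_any_source:
                raise ValueError("refusing to expose the service to any source; "
                                 "list the remote IPs, or pass allow_any_source=True")
            sources.append("any")
        else:
            ipaddress.ip_network(src, strict=False)  # host or CIDR; raises if malformed
            sources.append(src)

    return {
        "name": name,
        "publicIp": public_ip,
        "lanIp": lan_ip,
        "uplink": uplink,
        "allowedInbound": [{
            "protocol": protocol,
            "destinationPorts": [str(p) for p in destination_ports],
            "allowedIps": sources,
        }],
    }


def exposed_to_any(rules: List[Dict]) -> List[str]:
    """Names of rules with an inbound entry open to every source: the ones to review."""
    return [r["name"] for r in rules
            if any("any" in entry.get("allowedIps", []) for entry in r["allowedInbound"])]


def one_to_one_nat_request(network_id: str, rules: List[Dict]) -> Tuple[str, str, Dict]:
    """(method, path, JSON body) for the v1 call; PUT replaces the whole rule set."""
    path = f"/api/v1/networks/{network_id}/appliance/firewall/oneToOneNatRules"
    return "PUT", path, {"rules": rules}


if __name__ == "__main__":
    rule = build_one_to_one_nat_rule(
        name="client app, public IP on both sides",
        public_ip="203.0.113.10", lan_ip="203.0.113.10",
        allowed_sources=["198.51.100.7", "198.51.100.32/27"], destination_ports=[443])
    method, path, body = one_to_one_nat_request("N_000000000000000000", [rule])
    print(method, path)
    print(body)
    print("open to any:", exposed_to_any([rule]))
</```

Send the returned body with your usual Dashboard API client; the builder deliberately does not make the call so it can be run offline. Because PUT replaces the entire rule set, fetch the existing rules first and append to them rather than posting a single rule. Whether the MX can carry the public address on its LAN side depends on the VLAN configuration, which the thread does not show.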

7 REPLIES
AjitKumar
Head in the Cloud

Hi Philip

MX100 is a Security Appliance (Firewall/UTM).

MS425 is an L3 switch (top-end offering from Meraki with various features; ideal for distribution).

 

There is no MX425 product I am aware of.

 

2 x 2960 for core and the other 4 x 2960 for access. This seems fine.

 

Why do we need public ip for core switches?

What shall be the role of MS425?

Where will you define VLANs? Core Probably.

Who will be the gateway?

 

I may have many more such crazy questions.

Ideally one should define the role of each device and design the network accordingly.

Well, this is my understanding with the limited knowledge I have. Certainly there are many community members to assist you with their exceptional experience.

 

 

Regards,
Ajit
AjitsNW@gmail.com
www.ajit.network

AjitKumar:

 

Thanks for your reply! It was my typo. It should be the L3 switch MS425.

 

Why do we need public ip for core switches? Because I have a client who needs to access some application through the true public static IP on the MS425. NAT is not a solution.

What shall be the role of MS425?  It should be the L3 distribution switch MS425.

Where will you define VLANs? Core Probably.  Probably the L3 MS425 switch.

Who will be the gateway?  I think the Firewall is the default gateway.

 

Please ask me some more crazy questions. It helps me to get it working. Thanks a lot!

Actually, I replaced a Cisco ASA 5505 with the Meraki MX100 and added a Meraki MS425-16. I want to allow one client workstation to use a public IP and limit this client's Internet bandwidth to 5 Mbps only.

[Network diagram attached: Meraki.jpg]

 

 

AjitKumar
Head in the Cloud

Hi Philip

Glad to see the Network diagram. This gives a better clarity. Thank you for sharing.

 

I believe NAT should be the option to expose any service/application to the public. Bandwidth control should not be a problem, as this can be defined in a policy and applied to the selected device.

 

If you are seriously looking to assign a public IP to the device, I understand a "No NAT" feature is available with the latest firmware. I have not implemented this. I shall request @PhilipDAth to suggest the configuration for your topology.

Let's wait for his comments.

Regards,
Ajit
AjitsNW@gmail.com
www.ajit.network

You won't be able to put a public IP directly on a client and have them behind the MX. If the application won't work through NAT then you are short of options.

 

Potentially you could look at plugging the client directly into the ISP router.


PhilipDAth
Kind of a big deal

You won't be able to put a public IP address directly on the 2960-X's, but you could NAT through to them.

 

But as @AjitKumar says, I'm not sure why you would want to put a public IP address on them. If you want to provide remote access you could just use client VPN to the MX.
