Putting an MX behind an MX

HydroNick
Conversationalist


I've been tasked to prepare an MX250 to provide "WAN" access to an MX64, and this has me wondering, will it work? I'm not a network expert but I know the basics and manage a handful of networks, so any input or corrections would be greatly appreciated.


Essentially the team that owns the MX64 would like to use our internet connection, MS, and MR devices to support their team while they work within our site. So far I've taken the below steps:


  • Created a separate VLAN we intend to use between the two MXs to supply them a WAN connection. The external team has set the MX64 WAN port to DHCP and will plug into a port on our MX250 set to that dedicated VLAN.
  • Created a new SSID dedicated to this team. We intend to use VLAN tagging on this to keep them separate from our clients.

Walking through this setup has me asking a few questions that I'm trying to get answered before we try this out:

  1. Would their client devices be able to use our MRs if we plugged their MX64 LAN port into one of our MS ports? I assume we would set the only allowed VLAN on that trunk port to whatever VLAN they decided to set up on their MX64 for clients.
  2. Do I need to create the same VLAN on our MX250 to make firewall rules? They will be creating the VLAN on their MX64 to handle DHCP for their clients, but I can't seem to make a rule referencing a VLAN not present on our device.
  3. Will they be able to set up their own site-to-site VPN on their MX64? I don't see why not, but I could see Meraki not liking that.

Once we know what VLAN they will be using for clients we plan to make firewall rules to deny any traffic between their network and ours.


If anyone has experience with this type of setup I'd love to hear what other steps were taken for security purposes, or overall quality for both networks to coexist.

RaphaelL
Kind of a big deal

Yes, that will work.


Weird design though.

Both MXs can't be in the same network. All the clients behind the MX64 will be NATed to the MX64 WAN IP (which is going to be configured on some VLAN on your MX250).

Brash
Kind of a big deal

That's a very weird setup, but like @RaphaelL said, it will work, although the MXs need to be in different networks.


As for your questions:


  1. Would their client devices be able to use our MRs if we plugged their MX64 LAN port into one of our MS ports? I assume we would set the only allowed VLAN on that trunk port to whatever VLAN they decided to set up on their MX64 for clients.

    Yes, separate SSID with separate VLAN that trunks only to the MX64.
  2. Do I need to create the same VLAN on our MX250 to make firewall rules? They will be creating the VLAN on their MX64 to handle DHCP for their clients, but I can't seem to make a rule referencing a VLAN not present on our device.

    No, your MX250 doesn't need to be 'aware' of the VLAN. Just configure it to the MX64.
    You will however need to make firewall rules that prevent the network traffic coming from their MX64 WAN port into the MX250 LAN port going to your network.
  3. Will they be able to set up their own site-to-site VPN on their MX64? I don't see why not, but I could see Meraki not liking that.

    I've never tried it, but I don't see why not. Other threads I've seen in the community and on Reddit seem to indicate people have tried this and it's worked.


HydroNick
Conversationalist

@RaphaelL and @Brash I appreciate the replies! I agree, this is a strange setup that I can't say I'm a fan of, but I need to give it a try!


We do have firewall rules in place to deny traffic from their WAN port into our network. Wouldn't we also want rules to deny traffic from the VLAN created on their MX64 to prevent their clients from accessing our resources, or would placing their clients on that VLAN be effective enough? Since this is an external company we are trying to ensure we have this set up securely, we have no clue what sort of traffic they may have on their network.

Brash
Kind of a big deal

If the client VLAN isn't trunked up to your MX250, there's no way for their clients to route into your network (other than the MX64 WAN port, which you already mentioned will have firewall rules).


That said, if you're concerned about it, you can add the rules for the client VLAN in your MX250 anyway; it's not going to hurt anything.
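To make the two firewall points in this thread concrete (the rule on the MX250 that blocks the MX64's WAN port from reaching the internal network, and the question of whether an extra rule for the MX64's client VLAN adds anything), here is an added Python model of how the MX250 would evaluate outbound L3 rules for this design. It is example code written for this page, not Meraki's or either poster's configuration. The rule dictionaries use the field names the Meraki dashboard's L3 firewall rules use (comment, policy, protocol, srcCidr, destCidr), evaluated top-down with the dashboard's implicit "allow any" default; all subnets and addresses are constructed placeholders, and the NAT helper simply assumes what RaphaelL described, that client traffic leaves the MX64 with the MX64 WAN IP as its source.

```python
import ipaddress

# Constructed addressing for this example (substitute your own VLANs):
HANDOFF_VLAN = "10.250.0.0/24"          # VLAN on the MX250 that gives the MX64 its "WAN"
MX64_WAN_IP = "10.250.0.20"             # DHCP lease the MX64 WAN port got on that VLAN
THEIR_CLIENT_VLAN = "192.168.50.0/24"   # VLAN the external team creates on the MX64
RFC1918 = "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"

# Outbound L3 rules in Meraki's field layout. Order matters: first match wins,
# and the dashboard appends an implicit "allow any" rule at the bottom.
HANDOFF_RULES = [
    {"comment": "Block the external team's MX from all internal RFC1918 space",
     "policy": "deny", "protocol": "any",
     "srcCidr": HANDOFF_VLAN, "destCidr": RFC1918},
    {"comment": "Internet-bound traffic from the handoff VLAN is fine",
     "policy": "allow", "protocol": "any",
     "srcCidr": HANDOFF_VLAN, "destCidr": "Any"},
]

# A rule keyed on THEIR client VLAN, as discussed above (assumed shape).
CLIENT_VLAN_ONLY_RULES = [
    {"comment": "Deny the external team's client VLAN from internal space",
     "policy": "deny", "protocol": "any",
     "srcCidr": THEIR_CLIENT_VLAN, "destCidr": RFC1918},
]


def cidr_matches(field, ip):
    """True if `ip` falls in any CIDR of a comma-separated field, or the field is 'Any'."""
    if field.strip().lower() == "any":
        return True
    return any(ip in ipaddress.ip_network(c.strip(), strict=False)
               for c in field.split(","))


def evaluate(rules, src_ip, dst_ip):
    """First-match evaluation of L3 rules; returns 'allow' or 'deny'."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if cidr_matches(rule["srcCidr"], src) and cidr_matches(rule["destCidr"], dst):
            return rule["policy"]
    return "allow"  # implicit default rule at the bottom of the list


def as_seen_by_mx250(client_ip, mx64_wan_ip=MX64_WAN_IP):
    """Their clients are NATed by the MX64, so the MX250 only ever sees the MX64 WAN IP."""
    return mx64_wan_ip


def audit(rules, src_ip, internal_subnets):
    """Return the internal subnets that `src_ip` could still reach under `rules`."""
    leaks = []
    for subnet in internal_subnets:
        probe = next(ipaddress.ip_network(subnet, strict=False).hosts())
        if evaluate(rules, src_ip, str(probe)) != "deny":
            leaks.append(subnet)
    return leaks


if __name__ == "__main__":
    internal = ["10.10.0.0/16", "172.20.0.0/16"]
    print("leaks with handoff rules:", audit(HANDOFF_RULES, MX64_WAN_IP, internal))
    print("leaks with no rules:     ", audit([], MX64_WAN_IP, internal))
    # Their client 192.168.50.7 arrives at the MX250 as 10.250.0.20, so a rule
    # keyed on 192.168.50.0/24 never matches on the MX250 side.
    print("client-VLAN rule alone:  ",
          evaluate(CLIENT_VLAN_ONLY_RULES, as_seen_by_mx250("192.168.50.7"), "10.10.1.5"))
```

The audit function is the check worth keeping around: it walks your internal subnets and reports any that the MX64's WAN address can still reach, which is how you confirm the deny rule actually covers everything and not just the VLANs you remembered. The last print illustrates Brash's point from the other direction: a rule on the MX250 that references their client VLAN is harmless, but because the MX64 NATs its clients, the MX250 never sees that subnet as a source, so the rule on the handoff VLAN is the one doing the work.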
