Running Private and Public Networks Side-by-Side

Brash
Kind of a big deal

I've got a bit of a weird design challenge that I figured I'd get some others' opinions on and also ask some clarifications.

I'm managing a network of ~30 sites, all corporate networks.

All of these sites connect back to the DC using a Hub/Spoke model.

7 of these sites now need to have a side-by-side public network for some public access services.

These also need to connect back to a server that manages and maintains these public services.

I've proposed the following design.

[Diagram attachment: Blank diagram.png]

The public MXs would be in separate networks and create a separate hub-spoke AutoVPN to the corporate.

Whilst the switch is logically in the corporate network, it will have both public and private traffic separated by VLANs.

The VLAN gateways are on the respective MXs.
A couple of things to note here:

  • Security and separation of public and private networks is the primary concern
    • E.g. technically these networks can be converged to a single MX and AutoVPN, but a single fat fingering of a firewall rule can bring it all crumbling down
  • Money isn't a big concern - Having two MXs with licenses for each of these 7 sites is fine from a financial perspective
  • The corporate MXs have Umbrella integration with SIG Tunnels - The separation as above prevents public traffic from having corporate Umbrella policies applied

My main question is:

  • If I'm not mistaken, the public hub will create a tunnel with the private hub. I've heard there is a way to disable this in the backend.
    • Has anyone had experience with this?
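As an added example (not from the thread, and not Meraki's own tooling), a small offline audit of the "fat-fingered firewall rule" risk raised above: it evaluates an MX-style outbound L3 rule list top-down, first match wins, and reports whether public-VLAN traffic could still reach the corporate range. The rule field names mirror the dashboard's L3 firewall rule shape, which is an assumption here, and every address range and rule is constructed sample data.

```python
"""Offline audit of an MX-style outbound L3 rule list: can the public VLAN reach
the corporate range?  Field names mirror the dashboard's L3 firewall rule shape
(an assumption here, not taken from the thread); all ranges are constructed."""
import ipaddress

def _nets(field: str) -> list:
    """'Any' means 0.0.0.0/0; otherwise a comma-separated list of CIDRs."""
    if field.strip().lower() == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    return [ipaddress.ip_network(c.strip(), strict=False) for c in field.split(",")]

def check_separation(rules: list, public_cidr: str, private_cidr: str) -> dict:
    """Rules are evaluated top-down, first match wins, with an implicit trailing
    'allow any'.  Ports and protocol are ignored on purpose: for a separation
    requirement, any allow between the two ranges is a leak.  A deny 'covers' the
    pair only if a single CIDR in the rule is a supernet of each range (an
    approximation: unions of several CIDRs are not merged)."""
    pub, priv = ipaddress.ip_network(public_cidr), ipaddress.ip_network(private_cidr)
    leaks = []  # indices of allow rules a public->corporate flow could hit
    for idx, rule in enumerate(rules):
        srcs, dsts = _nets(rule["srcCidr"]), _nets(rule["destCidr"])
        if not (any(s.overlaps(pub) for s in srcs) and any(d.overlaps(priv) for d in dsts)):
            continue  # this rule can never match a public->corporate flow
        if rule["policy"] == "allow":
            leaks.append(idx)
        elif any(s.supernet_of(pub) for s in srcs) and any(d.supernet_of(priv) for d in dsts):
            # every remaining public->corporate flow is denied here; later rules are shadowed
            return {"separated": not leaks, "leaks": leaks, "deny_rule": idx}
    leaks.append(None)  # None = the implicit default allow catches what was not denied
    return {"separated": False, "leaks": leaks, "deny_rule": None}

PUBLIC, CORPORATE = "172.16.50.0/24", "10.0.0.0/8"  # constructed sample ranges

def _rule(policy, src, dst, comment):
    return {"comment": comment, "policy": policy, "protocol": "any",
            "srcCidr": src, "srcPort": "Any", "destCidr": dst, "destPort": "Any"}

# Fat-fingered: 172.16.5.0/24 typed instead of 172.16.50.0/24, so the deny never matches.
TYPO_RULES = [_rule("deny", "172.16.5.0/24", CORPORATE, "block public -> corporate")]
# Right CIDR, wrong order: the broad allow above the deny wins first.
MISORDERED_RULES = [_rule("allow", "172.16.0.0/12", "10.10.0.0/16", "site-to-site apps"),
                    _rule("deny", PUBLIC, CORPORATE, "block public -> corporate")]
FIXED_RULES = [_rule("deny", PUBLIC, CORPORATE, "block public -> corporate")]

if __name__ == "__main__":
    for name, rules in (("typo", TYPO_RULES), ("misordered", MISORDERED_RULES), ("fixed", FIXED_RULES)):
        print(f"{name:10} {check_separation(rules, PUBLIC, CORPORATE)}")
```

The typo and misordered sets both come back as not separated, which is the failure mode a second MX and AutoVPN removes from the corporate rule base entirely.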
RaphaelL
Kind of a big deal

This is our current setup minus the AutoVPN on the "public" MX. Which is also a recommended setup in this doc: https://documentation.meraki.com/MX/Monitoring_and_Reporting/Device_Utilization

> My main question is:
>
>   • If I'm not mistaken, the public hub will create a tunnel with the private hub. I've heard there is a way to disable this in the backend.
>     • Has anyone had experience with this?

You have to disable Meshing Hub-To-Hub via a backend option.

Brash
Kind of a big deal

Ah I forgot about that doc.

Cool. I'm not a huge fan of hidden backend configurations but it's good that the option is there.

PhilipDAth
Kind of a big deal

> If I'm not mistaken, the public hub will create a tunnel with the private hub.

I would take this a step further, and create a public org for the public services.

Then there is no chance of a fat-fingering AutoVPN connection between them by accident. It also makes it easier to separate admin access, if that becomes a requirement.

Brash
Kind of a big deal

Good point!
I had thought about this but wasn't sure if it was worth the extra management overhead for patching and licensing.

That said, it is definitely cleaner from an AutoVPN point of view. Additional admin access isn't currently a requirement, but I can see a few ways in which that may shift in the coming year or so.

I'll mull it over a bit more, but I think this might be the way to go. 👍

RaphaelL
Kind of a big deal

I forgot to mention this, but this is also what we are doing. 2 separate orgs. Works fine!

A couple of things to "consider", like DAI will not report the other MX name, only the MAC; minor stuff like that.
