Setting Up A New Office Network Using MX64

Sladie
Conversationalist


Hi,

I'm setting up a new office with approx 40 users. The FW will be an MX64, LAN switching will be HP stacked switches. There will be 4 VLANs: Management, Data, Voice and Guest WiFi. VLAN management will be done via the HP core layer 3 switches. There will be 2 MR APs for WiFi. WAN connectivity will be DSL using PPPoE with the BT smart hub in bridge mode. I will need to set up a site-to-site VPN to our core network at a hosted DC which will terminate on a Cisco ASA router. All corporate networking services will be delivered via the VPN, e.g. DHCP, DNS, AD, internet access, etc. All guest WiFi traffic will be routed directly out to the internet. I've experience of setting up HP switching and MR APs but not of using an MX as the firewall. Our other sites are connected via a VPLS network using managed Juniper routers.

This is a temporary office so will be set up a bit differently to our other permanent sites. My thoughts are:

1. Disable VLANs on the MX.

2. Set the default route from the HP core switch to the MX IP.

3. Set static routes on the MX to VLANs.

 

Any help/advice appreciated.

 

Thanks,

Paul.

PhilipDAth
Kind of a big deal

Yes, those steps will all work.

 

The MX64 will give you around 250Mb/s of inter-vlan routing. It sounds to me like your inter-vlan routing requirements are very light. In fact, it seems quite likely your vlans may not talk to each other at all in the normal course of business.

So if it was me, I would do all the layer 3 processing on the MX64.  This makes your layer 3 configuration simpler.

This will also give you much richer information in the Meraki dashboard about what all your devices are doing.

 

You'll just build a normal non-Meraki VPN to the ASA. Don't use DES or 3DES. They have terrible throughput on MX - but seriously, no one should be using these legacy crypto protocols anymore.

Note that Internet access should be delivered through the MX's Internet connection.  Avoid doing a full tunnel configuration to the ASA. That will make your life much harder.  Avoid that.  You can still use the DC's AD/DNS/DHCP/etc.
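Added example, not part of the reply above and not Meraki or Cisco tooling: a small Python check that scans the ASA side of the tunnel for DES/3DES in IKE policies, IKEv1 transform-sets and IKEv2 IPsec proposals, in line with the advice to avoid them. The sample configuration, its object names and the function name `find_weak_ciphers` are constructed for illustration.

```python
import re

WEAK = {"des", "3des"}

# Constructed sample (not from the thread): ASA-style IKE/IPsec configuration.
SAMPLE_ASA_CONFIG = """\
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
crypto ikev1 policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
crypto ipsec ikev1 transform-set OFFICE-OLD esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set OFFICE-NEW esp-aes-256 esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal LEGACY
 protocol esp encryption des aes-256
 protocol esp integrity sha-1
"""

def find_weak_ciphers(config):
    """Return (line_no, parent_command, cipher) for every DES/3DES reference."""
    findings, context = [], None
    for no, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():
            # Top-level command: remember it, and inspect one-line transform-sets.
            context = line
            m = re.match(r"crypto ipsec ikev1 transform-set \S+ (.+)", line)
            tokens = [t[4:] for t in m.group(1).split() if t.startswith("esp-")] if m else []
        else:
            # Indented sub-command under an IKE policy or IKEv2 IPsec proposal.
            m = re.match(r"(?:protocol esp )?encryption (.+)", line)
            tokens = m.group(1).split() if m else []
        findings += [(no, context, t) for t in tokens if t in WEAK]
    return findings

if __name__ == "__main__":
    for no, parent, cipher in find_weak_ciphers(SAMPLE_ASA_CONFIG):
        print(f"line {no}: {cipher} in '{parent}'")
```

An IKEv2 proposal can list several ciphers on one line, so a proposal that also offers AES is still reported if DES or 3DES remains negotiable.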

 

Sladie
Conversationalist

Thanks, useful info. DSL speeds are low in this area and it wasn't worth putting in VPLS connectivity so I'd agree with you about moving Layer 3 to the MX. Any useful info on setting up MX layer 3 using HP distribution switches would be appreciated. Chances are given the low speeds available I'll just route wired/wireless corporate traffic as VoIP is unlikely to work and guest can be routed via another DSL circuit.

PhilipDAth
Kind of a big deal

Sladie
Conversationalist

Thanks. This shows VLAN setup on the MX but doesn't relate to how this would work when using HP Procurve switches to connect to the MX. I think the issues are around naming conventions e.g. native vlan exists in the Cisco world but not HP world. Any help on setting up HP VLANs and tagging to work with the Meraki would be appreciated.

Uberseehandel
Kind of a big deal

Bridge mode is anathema to the BT Hub.

 

Quite honestly, I'd ditch the BT Hub and use one of Draytek's modem/routers, for all sorts of reasons, including access to LTE, ability to handle IPv6 in all its flavours, BT Infinity aware support and a supported migration path from pseudo IPv6 to the real thing.

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel