Meraki

Community

Topology suggestions with Meraki MX an MS switches. AMP, ransomware, malware, routing

Solved
Jacob1701
Here to help
‎May 17 2023 4:59 AM
‎May 17 2023 4:59 AM

Topology suggestions with Meraki MX an MS switches. AMP, ransomware, malware, routing

Hello

Just want to see some thoughts and ideas.  So our network consists on  MX84, 3 MS120-48LP switches and 6 MR36 AP's.  

Management prefers to have a daisy-chain type topology where it goes from MX->MS1->MS2->MS3 and of course each switch is connected to a certain amount of nodes each.  His way of thinking is that the MX is not a true router but a firewall so he doesnt want all of the switches connected directly to the MX to route everything including internally.

 

What I prefer is for each MS to be connected to the MX directly through the front ports.  This way even if the data is only staying internal from node to node, it is being router by the MX where the data can also be protected by AMP and get rids of a single point of failure in a switch.  I am sure the MX84 has enough power to effectively do all the routing for the switches and AP's.  The AP's would be connected to any switch in both scenarios.

 

It is my understanding that AMP does not work in between switches so if one pc//node got infected with malware or ransomware so if each switch was directly connected to the MX, it can hopefully be stopped at the MX and not spread to the other switches and other network devices.

 

It is correct that AMP does not work between switches right?  only through the MX right?

 

There are about a total of 300 PC's, printers and IP phones in this location.

If the switches were daisy-chained, you would be wasting the 9 or so MX front ports.

 

What do you all think so I can try to get him to switch to my way, if it secures the whole network better by AMP.

 

Thanks

@AMP

 

@Security 

@NetDesign 

 

0 Kudos
1 Accepted Solution
PhilipDAth
Kind of a big deal
Kind of a big deal
‎May 17 2023 1:23 PM
‎May 17 2023 1:23 PM

IPS runs between VLAN interfaces (and in and out of WAN).

AMP only runs for traffic going in and out of WAN ports.

 

I would recommend nominating a switch to a core switch.  Plug the MX into the core switch, and all other switches directly into the core switch.  I would not recommend using daisy chaining.

View solution in original post

17 Replies 17
alemabrahao
Kind of a big deal
Kind of a big deal
‎May 17 2023 5:17 AM
‎May 17 2023 5:17 AM

There is the recommended topologies.

 

 

https://documentation.meraki.com/Architectures_and_Best_Practices/Recommended_Topologies/MX_and_MS_B...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
In response to alemabrahao
Jacob1701
Here to help
‎May 17 2023 5:40 AM
‎May 17 2023 5:40 AM

That would be great but we cannot get a Layer 3 switch!  We only have MS120's

0 Kudos
In response to Jacob1701
alemabrahao
Kind of a big deal
Kind of a big deal
‎May 17 2023 6:55 AM
‎May 17 2023 6:55 AM

In fact, what you said doesn't make much sense, if the switch is connected directly to the MX or not, the operation will be the same, the difference is that you will have fewer jumps if you connect directly to the MX.
 
Connecting the switch directly to the MX will also not make the network more protected or less protected.
 
My suggestion is that you use VLANs for network segmentation. Because that way you will be isolating the Broadcast domains not to mention that you can work with different network policies for each of the VLANs.
 
But remember that security is far beyond the firewall, there are several mechanisms to protect the network that are not much more effective than the firewall itself, just think about it ok?
 
Topology speaking your network is very simple so it should work fine for you.
 
As for the issue of limitations regarding the MX84, in fact what may be the limiting factor is the number of clients on the network, as there is a maximum number of clients supported.
 
alemabrahao_0-1684331702357.png

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
Jacob1701
Here to help
‎May 17 2023 4:46 PM
‎May 17 2023 4:46 PM

You are correct.  I did not explain my question very well.  All PC's will be VLAN 1 and all IP phones vlan 200. Daisy-chaining would not use AMP staying within the Layer 2 range correct?

I know it will communicating with external clients but does 3 switches put too much processing power on the MX if the switches are connected directly?

I did not realize the max clients of an MX 84 but it seems to be ok.

0 Kudos
CptnCrnch
Kind of a big deal
Kind of a big deal
‎May 17 2023 5:51 AM
‎May 17 2023 5:51 AM

The MX84 comes into play where it's in-between the endpoints from an IP-side of things, not where switches etc. are physically connected to.

 

E.g. the MX84 will never see traffic that's going from client 192.168.1.4 to 192.168.1.5 if they're within the same subnet (like 192.168.1.0/24).

 

In a nutshell, this mostly depends on your IP layer design, not the physical setup. You've provided only the latter so far. 😇

0 Kudos
In response to CptnCrnch
Jacob1701
Here to help
‎May 17 2023 4:40 PM
‎May 17 2023 4:40 PM

YOur right.  We are only using 2 Vlans, Vlan 1 for everyone and Vlan 200 for voice.  Yes, going from 1.4 to .5 would stay within the switch (layer 2 MAC) so it does not need to go to the MX being in the same Vlan and talking via layer 2.  So if PC1 downloaded malware, the MX and AMP would never see it to do anything about it correct?

 

It is a simpled setup and so my main concerns is will AMP help any if data is staying within the same subnet via a layer 2 switch and if we just connected all switches directly to the MX, the data will still need to travel through the MX even it is in the same subnet then AMP could possibly do some help correct?

I did make my question too long for a  simple answer.  

Does connecting switches directly to the MX use alot of processing power for the routing and AMP as opposed to daisy-chaining which prevents the MX from doing more processing but AMP does nothinbg in the same subnet/vlan.  SO basically everything is in the same subnet.

0 Kudos
cmr
Kind of a big deal
Kind of a big deal
‎May 17 2023 6:57 AM
‎May 17 2023 6:57 AM

I would pick one MS120 as a 'core' and connect the other switches to that, use the SFP ports.  Then connect that MS120 to the MX84.  Ideally have a pair of MS210s or better as the 'core'.

If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
In response to cmr
alemabrahao
Kind of a big deal
Kind of a big deal
‎May 17 2023 7:01 AM
‎May 17 2023 7:01 AM

It does not have L3 function.

 

alemabrahao_0-1684332077596.png

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
cmr
Kind of a big deal
Kind of a big deal
‎May 17 2023 9:52 AM
‎May 17 2023 9:52 AM

It does do L3 routing (up to 16 interfaces), but does not act as a DHCP server.  However @Jacob1701 said that they have MS120s, so for the design I suggested, it is the cheapest upgrade.

If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
In response to cmr
alemabrahao
Kind of a big deal
Kind of a big deal
‎May 17 2023 9:57 AM
‎May 17 2023 9:57 AM

I'm sorry @cmr, I believe you are confusing with MS210, the MS120 is only L2 does not have L3 functionality.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
cmr
Kind of a big deal
Kind of a big deal
‎May 17 2023 10:15 AM
‎May 17 2023 10:15 AM

No worries, I think we are confusing each other!  I meant that L3 applies to this comment:

 

Ideally have a pair of MS210s or better as the 'core'.

 

😊

If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
In response to cmr
Jacob1701
Here to help
‎May 17 2023 4:47 PM
‎May 17 2023 4:47 PM

Can you talk my boss into get my location a 210?  haha

0 Kudos
In response to cmr
Jacob1701
Here to help
‎May 17 2023 4:42 PM
‎May 17 2023 4:42 PM

I would love a layer 3 switch but if I use one MS120 as a core, it wouldtake a way the single point of failure but AMP would still not do anything if the data does not go past the core to the MX right?

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎May 17 2023 1:23 PM
‎May 17 2023 1:23 PM

IPS runs between VLAN interfaces (and in and out of WAN).

AMP only runs for traffic going in and out of WAN ports.

 

I would recommend nominating a switch to a core switch.  Plug the MX into the core switch, and all other switches directly into the core switch.  I would not recommend using daisy chaining.

In response to PhilipDAth
Jacob1701
Here to help
‎May 17 2023 4:50 PM
‎May 17 2023 4:50 PM

Thanks alot.  I did totally forget to put IPS into the equation.  But since everything will be in one Vlan, does that mean IPS will not help either staying in Layer 2?

 

0 Kudos
In response to Jacob1701
CptnCrnch
Kind of a big deal
Kind of a big deal
‎May 18 2023 8:22 AM
‎May 18 2023 8:22 AM

Exactly this is what @PhilipDAth and I wanted to tell you. 😉

In response to CptnCrnch
Jacob1701
Here to help
‎May 18 2023 4:08 PM
‎May 18 2023 4:08 PM

OK, so it sounds like a compromise (Office US).  I get some protection internally to stop any potential malware going through the internal network dur to IPS and thee manager gets some of what he wants that is not letting the MX do all of the work!  So I will go this route.  thanks alot.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2025 Cisco Systems, Inc.