Best Practices for Securing and Connecting a Meraki Switch (MS-130-8) as a WAN Breakout Switch

Nigel_MC
Conversationalist

Hi everyone,

I’m looking for advice on the best way to connect and secure an MS-130-8 WAN switch in our network. The network diagram is attached at the bottom of the post.

Network Overview

  • MS-130-8 Role: The switch serves as a WAN breakout switch, distributing internet connectivity between the corporate and guest networks.
  • Internet Lines:
    • Internet A: Dedicated for the corporate network.
    • Internet B: Serves as a backup for corporate traffic and primary for guest internet.
  • Firewalls:
    • Corporate Firewalls:
      • Primary Firewall: Connected to Internet A.
      • Backup Firewall: Connected to Internet B.
    • Guest Firewalls:
      • Primary and Backup Firewalls: Both connected to Internet B.
  • Current Connection:
    • The MS-130-8 is connected to the core switch (C9300-M), which aggregates traffic from the corporate and guest firewalls and routes it to downstream devices, including the access switch (MS225).


We aim to securely connect the MS-130-8 to the Meraki dashboard for management while adhering to best practices for security and reliability. Additionally, we would like to avoid assigning a public IP address to the MS-130-8 unless there is a compelling reason to do so.

Questions

  1. Secure Dashboard Connectivity:

    • What is the best way to securely connect the MS-130-8 to the Meraki dashboard without using a public IP address?
  2. Core Switch Connection:

    • Is it advisable to keep the MS-130-8 connected to the core switch, or should it be connected directly to the firewalls instead?
  3. Best Practice Configurations:

    • How should VLANs and firewall rules be configured to isolate management traffic while allowing dashboard communication (e.g., HTTPS on port 443)?
    • Should we use separate physical connections for management and WAN breakout traffic, or is a single trunk link with tagged VLANs sufficient?


We’d greatly appreciate any insights, recommendations, or references to Meraki best practices. Thanks in advance for your help!

Network Diagram (image attached to the original post)
3 Replies
rhbirkelund
Kind of a big deal

I would pull the Meraki Management interface out as a single VLAN on an Access port, to ensure you don't risk getting WAN traffic L2 broadcasted into your core.


Since Meraki also does Application Visibility stuff, I would also put the MS130 as a WAN switch in its own Meraki Network, thus not mixing it with the rest of your enterprise network. This allows you to patch your company switching layer irrespective of patching your WAN switch.


That being said, there's some discussion on whether to use a managed switch as a WAN switch compared to using an un-managed. Some prefer one over the other, with pros and cons.


For a managed switch:

   Pro: It's a managed switch.

   Con: You have to manage it.


For an unmanaged:

   Pro: You don't have to manage it.

   Con: It's unmanaged.


The WAN switch is only responsible for switching traffic. It shouldn't do any L3 forwarding, so is it really necessary to use a managed switch?

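One way to check a planned port layout for the MS-130-8 against the advice above (management on its own VLAN via an access port, each internet line in its own VLAN, nothing WAN-side tagged toward the core), as an added example that is not part of this thread or any Meraki tool. The VLAN IDs, port roles and port table are constructed assumptions; the firewall-to-line mapping follows the original post.

```python
from dataclasses import dataclass, field
from collections import Counter

MGMT_VLAN = 99                     # assumed management VLAN (access port toward the core)
WAN_VLAN = {"A": 10, "B": 20}      # one breakout VLAN per internet line (assumed IDs)

@dataclass
class Port:
    name: str
    role: str                      # "isp", "firewall" or "mgmt_uplink" (toward the core)
    mode: str                      # "access" or "trunk"
    vlan: int                      # access VLAN (native VLAN on a trunk)
    line: str = ""                 # internet line "A" or "B" for isp/firewall ports
    tagged: set = field(default_factory=set)   # tagged VLANs, trunks only

def carried(p: Port) -> set:
    """Every VLAN whose frames can leave this port."""
    return {p.vlan} | (p.tagged if p.mode == "trunk" else set())

def audit(ports: list) -> list:
    """Return a list of findings; an empty list means the layout passes."""
    findings = []
    isp_per_vlan = Counter(p.vlan for p in ports if p.role == "isp")
    for p in ports:
        if p.role == "mgmt_uplink":
            if p.mode != "access" or p.vlan != MGMT_VLAN:
                findings.append(f"{p.name}: management uplink must be an access port in VLAN {MGMT_VLAN}")
            continue
        want = WAN_VLAN.get(p.line)
        if p.mode != "access" or p.vlan != want:
            findings.append(f"{p.name}: {p.role} port for line {p.line or '?'} must be access in VLAN {want}")
        if MGMT_VLAN in carried(p):
            findings.append(f"{p.name}: management VLAN {MGMT_VLAN} must not be carried on a WAN-side port")
        if p.role == "isp" and isp_per_vlan[p.vlan] > 1:
            findings.append(f"{p.name}: two internet handoffs share VLAN {p.vlan}; the switch would bridge them")
    return findings

# Constructed port plan matching the topology in the original post.
GOOD_PLAN = [
    Port("1", "isp", "access", 10, "A"),
    Port("2", "isp", "access", 20, "B"),
    Port("3", "firewall", "access", 10, "A"),   # corporate primary FW on Internet A
    Port("4", "firewall", "access", 20, "B"),   # corporate backup FW on Internet B
    Port("5", "firewall", "access", 20, "B"),   # guest primary FW on Internet B
    Port("6", "firewall", "access", 20, "B"),   # guest backup FW on Internet B
    Port("8", "mgmt_uplink", "access", 99),     # management-only link to the core
]
# Same plan, but the core link is a trunk carrying the WAN VLANs: the case the advice warns about.
BAD_PLAN = GOOD_PLAN[:-1] + [Port("8", "mgmt_uplink", "trunk", 99, tagged={10, 20})]

if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(label, audit(plan) or "OK")
```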
KarstenI
Kind of a big deal

There is a third option that I prefer: Use a managed non-Meraki WAN switch like the C1300-8. I always connect this device in a dedicated MX-DMZ to control what's allowed and what is not allowed.

KarstenI
Kind of a big deal

If you wonder why I want to have this device managed, it is mainly for monitoring/logging and, as a result of these, central authentication.
