Best Practices for Securing and Connecting a Meraki Switch (MS-130-8) as a WAN Breakout Switch
Hi everyone,
I’m looking for advice on the best way to connect and secure an MS-130-8 WAN switch in our network. The network diagram is attached at the bottom of the post.
Network Overview
- MS-130-8 Role: The switch serves as a WAN breakout switch, distributing internet connectivity between the corporate and guest networks.
- Internet Lines:
  - Internet A: Dedicated for the corporate network.
  - Internet B: Serves as a backup for corporate traffic and primary for guest internet.
- Firewalls:
  - Corporate Firewalls:
    - Primary Firewall: Connected to Internet A.
    - Backup Firewall: Connected to Internet B.
  - Guest Firewalls:
    - Primary and Backup Firewalls: Both connected to Internet B.
- Current Connection:
  - The MS-130-8 is connected to the core switch (C9300-M), which aggregates traffic from the corporate and guest firewalls and routes it to downstream devices, including the access switch (MS225).
We aim to securely connect the MS-130-8 to the Meraki dashboard for management while adhering to best practices for security and reliability. Additionally, we would like to avoid assigning a public IP address to the MS-130-8 unless there is a compelling reason to do so.
Questions
Secure Dashboard Connectivity:
- What is the best way to securely connect the MS-130-8 to the Meraki dashboard without using a public IP address?
Core Switch Connection:
- Is it advisable to keep the MS-130-8 connected to the core switch, or should it be connected directly to the firewalls instead?
Best Practice Configurations:
- How should VLANs and firewall rules be configured to isolate management traffic while allowing dashboard communication (e.g., HTTPS on port 443)?
- Should we use separate physical connections for management and WAN breakout traffic, or is a single trunk link with tagged VLANs sufficient?
We’d greatly appreciate any insights, recommendations, or references to Meraki best practices. Thanks in advance for your help!
Network Diagram
>What is the best way to securely connect the MS-130-8 to the Meraki dashboard without using a public IP address?
Personally, I'd give it a static public IP address and have no connection to the internal network. I would also disable the local status page.
In addition to what others have mentioned, if the switch can only connect to the Meraki cloud via an internal path that ultimately connects through itself, and you have a misconfiguration, you won't be able to fix it via the Meraki cloud as it will have cut its own indirect access off.
If it can connect to the Meraki cloud directly then there is no risk of human error bringing everything down.
I would pull the Meraki Management interface out as a single VLAN on an Access port, to ensure you don't risk getting WAN traffic L2 broadcasted into your core.
Since Meraki also does Application Visibility stuff, I would also put the MS130 as a WAN switch in its own Meraki Network, thus not mixing it with the rest of your enterprise network. This allows you to patch your company switching layer irrespective of patching your WAN switch.
That being said, there's some discussion on whether to use a managed switch as a WAN switch compared to using an un-managed. Some prefer one over the other, with pros and cons.
For a managed switch:
Pro: It's a managed switch.
Con: You have to manage it.
For an unmanaged:
Pro: You don't have to manage it.
Con: It's unmanaged.
The WAN switch is only responsible for switching traffic. It shouldn't do any L3 forwarding, so is it really necessary to use a managed switch?
There is a third option that I prefer: Use a managed non-Meraki WAN switch like the C1300-8. I always connect this device in a dedicated MX-DMZ to control what's allowed and what is not allowed.
If you wonder why I want to have this device managed, it is mainly for monitoring/logging and, as a result of these, central authentication.
Hi @rhbirkelund, @KarstenI, and @PhilipDAth,
Thank you all for your valuable insights! I really appreciate the time you took to share your recommendations on how to best connect and secure the MS130-8. I wanted to share our planned approach based on your feedback.
Planned Changes for Securing the MS130-8
1. The MS130-8 remains a managed WAN switch (no changes in hardware).
2. Local Status Page will be disabled by default for security.
3. Emergency access to the Local Status Page will be restricted to a single port on a dedicated Management VLAN.
4. Firewall rules will be put in place to restrict management access, blocking unauthorized traffic from other VLANs.
5. Meraki Dashboard connectivity is currently routed via the internal network, but we will first check if we have spare public IP addresses available before deciding whether to assign one.
Thanks again for your valuable input—I truly appreciate the expertise and best practices shared by the community!
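As an added example (not from the thread, and not Meraki's own code or rule syntax), here is a small first-match policy checker in Python that encodes the segmentation planned above: the management VLAN may only reach the dashboard over TCP 443, never the corporate or guest VLANs, and no other VLAN may reach the switch's management IP, so only the emergency port inside that VLAN can ever see the local status page. All addresses, the `Rule` format and the `HARDENED`/`WEAK` policies are constructed assumptions; the checker reports which required flows a candidate policy gets wrong.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing (not from the thread): the management VLAN holds the
# switch's management IP and emergency port; dashboard address is a placeholder.
NET = {k: ipaddress.ip_network(v) for k, v in {
    "mgmt": "10.99.0.0/24", "corp": "10.10.0.0/16",
    "guest": "192.168.50.0/24", "any": "0.0.0.0/0"}.items()}
SWITCH_MGMT_IP, DASHBOARD_IP = "10.99.0.10", "198.51.100.20"  # placeholders

@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str = "any"           # "tcp", "udp" or "any"
    dport: Optional[int] = None  # None matches any destination port

def evaluate(rules, src, dst, proto, dport):
    """First-match evaluation with an implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (s in r.src and d in r.dst and r.proto in (proto, "any")
                and r.dport in (dport, None)):
            return r.action
    return "deny"
# Hardened policy: the management VLAN may only talk HTTPS outbound (dashboard),
# never to corporate or guest, and no other VLAN may reach it at all.
HARDENED = [
    Rule("deny", NET["mgmt"], NET["corp"]),
    Rule("deny", NET["mgmt"], NET["guest"]),
    Rule("allow", NET["mgmt"], NET["any"], "tcp", 443),
    Rule("deny", NET["mgmt"], NET["any"]),
    Rule("deny", NET["any"], NET["mgmt"]),
]
# Weak policy: management VLAN routed freely with the rest of the network.
WEAK = [Rule("allow", NET["mgmt"], NET["any"]), Rule("allow", NET["any"], NET["mgmt"])]
# Required outcomes: (src, dst, proto, dport, expected verdict).
REQUIRED = [
    (SWITCH_MGMT_IP, DASHBOARD_IP, "tcp", 443, "allow"),    # dashboard check-in
    (SWITCH_MGMT_IP, DASHBOARD_IP, "tcp", 80, "deny"),      # nothing but 443
    (SWITCH_MGMT_IP, "10.10.1.5", "tcp", 443, "deny"),      # mgmt -> corporate
    ("192.168.50.33", SWITCH_MGMT_IP, "tcp", 443, "deny"),  # guest -> status page
    ("10.10.1.5", SWITCH_MGMT_IP, "tcp", 22, "deny"),       # corporate -> switch
]
def violations(rules):
    """Return the required flows whose verdict differs from the expected one."""
    return [f for f in REQUIRED if evaluate(rules, *f[:4]) != f[4]]
```

Running `violations(WEAK)` lists the four flows that a flat, fully routed management VLAN would wrongly permit, while `violations(HARDENED)` is empty.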
