Comcast EDI and IPS Appliance Traffic

KRobert
Head in the Cloud

I am having an issue that is related to an issue that @BrechtSchamp solved about a year ago. This has some added complexity to it, though.
https://community.meraki.com/t5/Switching/Meraki-and-Comcast-EDI/m-p/36808

We have a Comcast EDI connection where Comcast provides a non-routable "WAN" /30 network and a routable public "LAN" /27 network. They are doing this to save more IP addresses. See the community post I linked above for details. I have set up my MS250-48 the same way, but I have an IPS appliance that my data passes through that is causing DNS to fail. During this time, though, ICMP pings and access via IP address are successful.

[Screenshot: Capture.PNG]

Because DNS is failing, I cannot get to the URLs of my sites, and my Meraki MX250 firewall is showing that the WAN status is in a "failed state."

 

My physical routing is as follows (all switchports are access ports):

Comcast ISP - switchport 1 on VLAN 2000

MS250 L3 interface VLAN 2000 - This allows access to the /30 that Comcast provided.

MS250 L3 interface VLAN 2002 - This allows access to the /27 that Comcast provided.

IPS appliance Ext interface - switchport 2 on VLAN 2002 - This allows the IPS to be inline with the /27 ISP connection.

IPS appliance Int interface - switchport 3 on VLAN 2004 - This is a different VLAN so that my MX firewall traffic is forced through the IPS appliance.

MX250 firewall WAN 1 - switchport 4 on VLAN 2004.

[Screenshot: Capture1.PNG]

The really strange part is that when I run a packet capture on switchport 1, DNS works for the entire duration of the capture, but when the capture finishes, it stops again.

 

I contacted support, and they stated that because I am using the IPS to go from VLAN 2004 to 2002, routing isn't possible. But I wanted to reach out to the community since routing is working, just not DNS... except when I run a packet capture.

CMNO, CCNA R+S
3 Replies
ww
Kind of a big deal

Does it work without VLAN 2004? That is, when you connect MX -- IPS -- MS250/VLAN 2002?

KRobert
Head in the Cloud

Yes. However, if I do that, it will bypass the IPS.

CMNO, CCNA R+S
Brons2
Building a reputation

I have a /30 WAN connection network and a /24 public IP space for use at my/our discretion. The /24 sits behind the /30. The upstream provider router is set so that the /24 is reachable through my side of the /30. Is it possible Comcast is assuming this for your setup as well?

Caveat(s): I don't have Comcast, and I don't know much about them. We use AT&T ADE, which is a straight L2 point-to-point metro Ethernet circuit. Our internet provider is the telecommunications department of our overall organization and not AT&T.

But anyway

(there are other trunks on my circuits, and a redundant circuit to a 2nd location, but that's beyond the scope of this discussion)
