Meraki

Community

Distribution switch management IP

Slobs2
Getting noticed
‎Jul 28 2020 4:32 PM
‎Jul 28 2020 4:32 PM

Distribution switch management IP

Hello all,  I have a question. I am using an MS220-8 as a distribution switch from my ISP to two MX250's in an HA pair. Should the management IP of this switch come from behind the MX or can a public IP be used instead. Is it secure/safe to do so? Thank you!

0 Kudos
5 Replies 5
DarrenOC
Kind of a big deal
Kind of a big deal
‎Jul 28 2020 10:32 PM
‎Jul 28 2020 10:32 PM

Hi @Slobs2 . No need for you to assign a Public IP to your distribution switch.  We always create or re-assign a new VLAN purely for Meraki device management.  

look at the last paragraph of the below document:

 

https://documentation.meraki.com/MS/Layer_3_Switching/MS_Layer_3_Switching_and_Routing#Notes_regardi...

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
In response to DarrenOC
Slobs2
Getting noticed
‎Aug 2 2020 1:38 PM
‎Aug 2 2020 1:38 PM

Hi @DarrenOC , I don't think I understand your response. This switch is between the ISP and the MX, so its outside of the LAN. There is no DHCP so a static address would be needed, that would need to be a public address. I'm curious about the security implications of having a switch management IP as a public IP not private.

0 Kudos
In response to Slobs2
MMA
New here
‎Sep 16 2021 8:51 AM
‎Sep 16 2021 8:51 AM

Bumping this up... we are now looking at the same configuration with using a Meraki switch as an internet distribution point BEFORE the MX router (so we can split our internet access between our internal network and an "air gapped" WIFI router... anything that should be watched out for in this configuration?

 

Slobs2 - did you proceed with this? Any tips?

0 Kudos
Jeizzen
Getting noticed
‎Feb 7 2023 5:48 AM
‎Feb 7 2023 5:48 AM

Hi,

 

Same scenario here

 

Is public ip ok to be put on an MS for its management ip ?

 

I'd get the ISP to allow only Meraki cloud communication inbound to the MS management ip

 

 

thanks,

0 Kudos
OVERKILL
Building a reputation
‎Feb 8 2023 8:24 PM
‎Feb 8 2023 8:24 PM

Per your query, yes, the IP should come from behind the MX. 

 

As @DarrenOC noted, a good practice is to have a management VLAN setup. In this case, it doesn't matter that the switch is in front of the MX, you'd carve off one port and put it on (and restrict it to) the management VLAN, connecting it back to your LAN switch so that its communication with the internet/cloud has to pass through the MX and it can grab an IP via DHCP from the management subnet. 

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.