Hello all, I have a question. I am using an MS220-8 as a distribution switch from my ISP to two MX250's in an HA pair. Should the management IP of this switch come from behind the MX or can a public IP be used instead. Is it secure/safe to do so? Thank you!
Hi @Slobs2 . No need for you to assign a Public IP to your distribution switch. We always create or re-assign a new VLAN purely for Meraki device management.
look at the last paragraph of the below document:
Hi @DarrenOC , I don't think I understand your response. This switch is between the ISP and the MX, so its outside of the LAN. There is no DHCP so a static address would be needed, that would need to be a public address. I'm curious about the security implications of having a switch management IP as a public IP not private.
Bumping this up... we are now looking at the same configuration with using a Meraki switch as an internet distribution point BEFORE the MX router (so we can split our internet access between our internal network and an "air gapped" WIFI router... anything that should be watched out for in this configuration?
Slobs2 - did you proceed with this? Any tips?
Hi,
Same scenario here
Is public ip ok to be put on an MS for its management ip ?
I'd get the ISP to allow only Meraki cloud communication inbound to the MS management ip
thanks,
Per your query, yes, the IP should come from behind the MX.
As @DarrenOC noted, a good practice is to have a management VLAN setup. In this case, it doesn't matter that the switch is in front of the MX, you'd carve off one port and put it on (and restrict it to) the management VLAN, connecting it back to your LAN switch so that its communication with the internet/cloud has to pass through the MX and it can grab an IP via DHCP from the management subnet.