This is a Newbie L3 Switching question: what is the proper way to handle an L3 Meraki switch connection to an F/W (not MX) that is also handling the uplink to the dashboard? I've drawn two options I thought of, maybe there's a third?
There are other switches trunked off the core switch, omitted from the drawings. Any insight from those who have done this before would be great!
Option 1 every time, or a slight variation on Option 1 where rather than using two physical links between the switch and firewall you use a trunk which carries both VLAN100 and VLAN1 (and I’d make VLAN1 the native VLAN), ensuring there is no Layer 3 interface for VLAN1 on the switch; the only Layer 3 interface for VLAN1 should be on the firewall.
The reasoning behind this is so you avoid the caveats listed at the bottom of this article, https://documentation.meraki.com/MS/Layer_3_Switching/MS_Layer_3_Switching_and_Routing.
We go with option 1. Separate physical link for your switch management traffic with the L3 interface on your firewall.
Then a routed stub connection between the firewall and core with your internal L3 VLAN interfaces on your core.
With Option 2 you’ll find that the switches won’t register out to the dashboard.
@Bruce is the reason for your suggestion of a single link (configured as a trunk) rather than a dual link (one link as transit VLAN, the other as L2 Management) purely down to port economy, or something else?
@Jimbo1, purely down to port economy; it’s technically pretty much the same. Just depends how many spare ports you have on the firewall and switch.