Meraki

Community

L3 VLAN Architecture

Solved
The_Roo
Getting noticed
‎Aug 29 2021 5:41 PM
‎Aug 29 2021 5:41 PM

L3 VLAN Architecture

This is a Newbie L3 Switching question: what is the proper way to handle a L3 Meraki switch connection to a F/W (not MX) that is also handling the uplink to the dashboard? I've drawn two options I thought of, maybe there'se a third?

 

Question.jpg

 

There are other switches trunked off the core switch, omitted from the drawings. Any insight from those who have done this before would be great!

0 Kudos
1 Accepted Solution
Bruce
Kind of a big deal
‎Aug 30 2021 1:19 AM
‎Aug 30 2021 1:19 AM

Option 1 every time, or a slight variation on Option 1 where rather than using two physical links between the switch and firewall you use a trunk which carries both VLAN100 and VLAN1 (and I’d make VLAN1 the native VLAN), ensuring there is no Layer 3 interface for VLAN1 on the switch, the only Layer 3 interface for VLAN1 should be on the firewall.

 

The reasoning behind this is so you avoid the caveats listed at the bottom of this article, https://documentation.meraki.com/MS/Layer_3_Switching/MS_Layer_3_Switching_and_Routing.

View solution in original post

5 Replies 5
DarrenOC
Kind of a big deal
Kind of a big deal
‎Aug 30 2021 1:15 AM
‎Aug 30 2021 1:15 AM

We go with option 1. Separate physical link for your switch management traffic with the L3 interface on your firewall.

 

then a routed stub connection between the firewall and core with your internal L3 vlan interfaces on your core.

 

With Option 2 you’ll find that the switches won’t register out to the dashboard. 

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
Bruce
Kind of a big deal
‎Aug 30 2021 1:19 AM
‎Aug 30 2021 1:19 AM

Option 1 every time, or a slight variation on Option 1 where rather than using two physical links between the switch and firewall you use a trunk which carries both VLAN100 and VLAN1 (and I’d make VLAN1 the native VLAN), ensuring there is no Layer 3 interface for VLAN1 on the switch, the only Layer 3 interface for VLAN1 should be on the firewall.

 

The reasoning behind this is so you avoid the caveats listed at the bottom of this article, https://documentation.meraki.com/MS/Layer_3_Switching/MS_Layer_3_Switching_and_Routing.

In response to Bruce
Jimbo1
Here to help
‎Aug 30 2021 1:41 AM
‎Aug 30 2021 1:41 AM

@Bruceis the reason for your suggestion of a single link (configured as a trunk) rather than a  dual link (one link as transit VLAN, the other as L2 Management) purely down to port economy, or something else?

0 Kudos
In response to Jimbo1
Bruce
Kind of a big deal
‎Aug 30 2021 3:01 AM
‎Aug 30 2021 3:01 AM

@Jimbo1, purely down to port economy, it’s technically pretty much the same. Just depends how many spare ports you have on the firewall and switch.

0 Kudos
In response to Bruce
The_Roo
Getting noticed
‎Aug 30 2021 3:38 AM
‎Aug 30 2021 3:38 AM

Thanks for the info, @Bruce and @DarrenOC I'm good to go!

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.