MS250-24 Edge switch as a Level3 gateway edge for two vLans

ospsms
Here to help


I have a Meraki MS250-24 Edge switch that I want to configure as the Gateway for 2 vlans...


Enable Layer 3 routing


Port 1 of the MS250-24 will be the Uplink trunk port for both Vlans to the ISP Router (10.1.1.2) & (10.2.1.2) with Cloud Firewall Services, plus Static Routes for an MPLS Point to Point to another site for Vlan1 Data & Vlan2 VOIP Traffic...


Interface for Vlan1 as the gateway interface for the Class C subnet 10.1.1.0/24 Gateway 10.1.1.1 (Data)

Interface for Vlan2 as the gateway interface for the Class C subnet 10.2.1.0/24 Gateway 10.2.1.1 (VOIP)


Ports 2-27 will be trunk ports, all Vlans

Port 28 will be the downstream to the rest of the Vlan's trunk subnet's switches


Does this configuration look correct?

It will be a Meraki MS250-24 duplicate edge switch on the other point to point site.


The concept is to replace the legacy Juniper on-prem Firewall/Layer 3 router/Gateway edge device with just the Meraki MS250-24 Layer 3 switch edge/gateway with uplink to an ISP managed router to Cloud Firewall Services & MPLS Site to Site VPN traffic.


Static route to other site might be on this switch or on the ISP router.

Site A Data Vlan1 10.1.1.0/24 to Site B Data Vlan1 10.1.0.0/24

Site A Voip Vlan2 10.2.1.0/24 to Site B Voip Vlan2 10.2.0.0/24

bmarms
Getting noticed

if the meraki switch is acting as the gateway for your internal vlans, why are you trunking to the ISP router?


if the meraki is going to handle all your inter-vlan routing, you could use another transit subnet between the switch and the ISP router.  the meraki would have a default route to the isp router ip on this subnet and the isp router would have a route to the subnets on the meraki switch.  

there's no need to trunk your layer 2 vlans up to the ISP router

I went in that direction ...


Enable Layer 3 routing


Site A

Port 1 of the MS250-24 will be the Uplink trunk port Interface (10.22.220.1) for both Vlans to the ISP Router (10.22.220.2) with Cloud Firewall Services, plus Static Routes for an MPLS Point to Point to another site for Vlan1 Data & Vlan2 VOIP Traffic...


Site B

Port 1 of the MS250-24 will be the Uplink trunk port Interface (10.22.22.1) for both Vlans to the ISP Router (10.22.22.2) with Cloud Firewall Services, plus Static Routes for an MPLS Point to Point to another site for Vlan1 Data & Vlan2 VOIP Traffic...

Site A

Interface for Vlan1 as the gateway interface for the Class C subnet 10.1.0.0/24 Gateway 10.1.0.1 (Data)

Interface for Vlan2 as the gateway interface for the Class C subnet 10.2.0.0/24 Gateway 10.2.0.1 (VOIP)

Interface for Backup Cloud Meraki Management 10.3.0.0/24 to Backup Uplink ISP


Ports 2-27 will be trunk ports, all Vlans

Port 28 will be the downstream to the rest of the Vlan's trunk subnet's switches


It will be a Meraki MS250-24 duplicate edge switch on the other point to point site.


Site B

Interface for Vlan1 as the gateway interface for the Class C subnet 10.1.1.0/24 Gateway 10.1.1.1 (Data)

Interface for Vlan2 as the gateway interface for the Class C subnet 10.2.1.0/24 Gateway 10.2.1.1 (VOIP)

Interface for Backup Cloud for Meraki Management 10.3.1.0/24 to Backup Uplink ISP


The concept is to replace the legacy Juniper on-prem Firewall/Layer 3 router/Gateway edge device with just the Meraki MS250-24 Layer 3 switch edge/gateway with uplink to an ISP managed router to Cloud Firewall Services & MPLS Site to Site VPN traffic.


Static route to other site might be on this switch or on the ISP router.

Site A Data Vlan1 & Vlan2: Site A uplink Interface 10.22.220.1

Site B Data Vlan1 & Vlan2: Site B uplink Interface 10.22.22.1


The ISP AVPN MPLS route between sites will be Site A (10.22.220.2) to Site B (10.22.22.2)


bmarms
Getting noticed

sounds over engineered but i'd need to see your overall topology to confirm

[Attachment: Sites WAN.jpg]


bmarms
Getting noticed

FWIW, i would've done things a bit differently to simplify


1. i would've used the second octet in my ip address scheme as a site identifier vs. the third.  makes route summarization easier.  in other words, site A ip subnets would all fall under a 10.1.0.0/16 CIDR and site B under 10.2.0.0/16. you could then use 10.x.1.0/24 for data, 10.x.2.0/24 for voice, etc.  x being your site identifier in the second octet.  

2. the only trunk ports you need are to anything downstream or upstream that needs to be aware of your vlan tags.  in your case, it looks like just downstream switches at both sites?

3. assuming your default routes on the meraki switches all have a next hop of your router ip addresses? 10.22.22.2 and 10.22.220.2?  from my point in number 1, this would make the route on those routers simpler as they could be summarized simply as route 10.x.0.0/16 to the next hop ip of your meraki switch.  in your case, you cannot summarize on the routers and, if you add new networks, now need to get those additional network routes added to them for each site.  a simple /16 summary covers you from that perspective.

4. with regards to number 3, i'm unclear as to how the backup link would be used?  you'd need a routing protocol setup to have multiple paths.  meraki only supports ospf on the MS switches.
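To make points 1 and 3 concrete, here is an added example (mine, not from the thread or from Meraki) that checks, for both addressing layouts, whether the ISP router could carry each site as a single /16 summary and whether adding a subnet later would force a router change. The third /24 per site is an assumption standing in for the management VLAN mentioned above; only the Python standard library is used.

```python
import ipaddress

# Constructed from the posts: the original layout puts the site in the 3rd octet
# (10.role.site.0/24); the third /24 per site is assumed for Meraki management.
OP_SCHEME = {
    "SiteA": ["10.1.0.0/24", "10.2.0.0/24", "10.3.0.0/24"],
    "SiteB": ["10.1.1.0/24", "10.2.1.0/24", "10.3.1.0/24"],
}
# bmarms's proposal: site in the 2nd octet, role in the 3rd (10.site.role.0/24).
PROPOSED_SCHEME = {
    "SiteA": ["10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24"],
    "SiteB": ["10.2.1.0/24", "10.2.2.0/24", "10.2.3.0/24"],
}


def exact_routes(prefixes):
    """Fewest static routes that cover exactly these subnets and nothing else."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def summary_plan(scheme, summary_len=16):
    """Per site: exact route list, the candidate /summary_len route, and
    whether that summary is usable on the ISP router, i.e. it contains every
    subnet of the site and overlaps no subnet that belongs to another site."""
    plan = {}
    for site, prefixes in scheme.items():
        nets = [ipaddress.ip_network(p) for p in prefixes]
        summary = nets[0].supernet(new_prefix=summary_len)
        others = [ipaddress.ip_network(p)
                  for other, ps in scheme.items() if other != site for p in ps]
        usable = (all(n.subnet_of(summary) for n in nets)
                  and not any(summary.overlaps(o) for o in others))
        plan[site] = {"exact": exact_routes(prefixes),
                      "summary": str(summary), "summary_ok": usable}
    return plan


def router_needs_new_route(scheme, site, new_prefix, summary_len=16):
    """True if adding new_prefix at site means touching the ISP router's
    routes (no usable summary, or the summary does not already cover it)."""
    entry = summary_plan(scheme, summary_len)[site]
    if not entry["summary_ok"]:
        return True
    return not ipaddress.ip_network(new_prefix).subnet_of(
        ipaddress.ip_network(entry["summary"]))
```

Running `summary_plan` on both dictionaries shows the original layout needs one router route per /24 at each site, while the proposed layout collapses each site to its /16.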

cmr
Kind of a big deal

@bmarms Absolutely agree on point 1, we do it!

For a small size company WAN topology with just a few sites only needing class C subnets to cover the end node capacity per site, like my situation, I love the site specific 2nd octet /16 LAN subnet concept. Wish I would have done that many years ago when we put in VOIP... Too bad now, I would have to redo my subnets, a lot of extra work...


Makes a lot of sense if one wants to break up broadcast domains via adding more vlans... i.e. back office Servers vlan, workstations vlan, VOIP vlan, IOT vlan, wireless mesh vlan, segmented fiber linked vlans between out-buildings... I may plan this concept for the next network re-organization project ...
