Meraki Switch Proxy Configuration Options

Network_Guy_
Conversationalist

Good Morning/Afternoon Meraki Community! 

Got some general questions regarding the Meraki Switch. 

I am not super familiar with this ecosystem, so I will field questions as best I can. 

Topology: I have a MS120 that is uplinked to a Z3 with direct internet access. The Z3 is managed by a MX84.

I have configured the Z3 with the appropriate firewall rules to permit the various connections out to the Meraki Cloud to establish connectivity on the MS120 from the dashboard. 

But best practices for my organization are that nothing on our management network can go direct. (Naturally)

As such, I need to proxy the management connection from the MS120, through our Z3 to our Zscaler gateway. The kicker is that all clients in our environment already run a Zscaler client, so I do not want their connections being proxied halfway across the country to this gateway because they are already being proxied. 

Long story short, does Meraki allow this level of granularity in its proxy configuration? I am struggling to find options and/or other cases such as this in the dashboard or on the web. (Could be that I don't understand it well enough.)

I have tried quite a few things, I can list them if that's beneficial. Appreciate any information/Guidance/Pointers here. 

PhilipDAth
Kind of a big deal

>I need to proxy the management connection 

You used to be able to do this, but the capability has been removed from most products now.

GIdenJoe
Kind of a big deal

I'm having difficulties understanding your setup.
What do you mean by "the Z3 is managed by an MX84"? Do you mean it does a full tunnel to the MX84?
Secondly, the management of any Meraki switch can be out of band. So if your user traffic uses a different firewall to reach the internet than the switches do, that is no problem. You can have a VLAN for your Meraki management that terminates on a different firewall/router than the firewall for your user traffic.

What is important, however, is that the Meraki devices all make a TLS connection to dashboard that is not allowed to be decrypted and re-encrypted using a different certificate. We had a customer once with a PA firewall that was doing TLS decryption on port 443. So when the Meraki APs updated to the newer version that no longer uses UDP/7351 by default for cloud management but TCP/443, all these APs lost connectivity to dashboard until we made an exception for those devices and let the connection through unchanged (except for NAT, of course).

Network_Guy_
Conversationalist

Appreciate the reply! 

I had some misconceptions regarding our use of the MX84 appliance. I did not understand that the MX84 is essentially acting as a VPN Endpoint/Concentrator for all of these Meraki routers to establish VPN tunnels with.

We currently use a split tunnel configuration, and it would seem that the only solution Meraki has is to use a full tunnel which is not what we want to do. 

I think my team just needs to be comfortable with the fact that our traffic is being NATed and connecting to the Meraki Dashboard via a TLS tunnel over 443. 

Meraki support confirmed with me that they do not have the ability to point specific networks to a designated proxy, which is why the only solution would be a full tunnel configuration if we were truly worried about our management networks going out over the internet. 

I appreciate your input on this. What you are saying definitely reinforces what I have been trying to learn over the last couple days. 

PhilipDAth
Kind of a big deal

Note that Meraki management traffic will NOT flow through a full VPN tunnel. It always goes direct.

Also note that the AutoVPN traffic consists of both the tunnel traffic and the orchestration traffic. The tunnel traffic is IPsec. Tunnel orchestration uses UDP/9350-9381.

https://documentation.meraki.com/MX/Site-to-site_VPN/Meraki_Auto_VPN_-_Configuration_and_Troubleshoo...

"Both Meraki peers must be in communication with the VPN registry in order to get the correct information to form a valid VPN tunnel.  If one Meraki device, such as an MX WAN appliance, is able to reach the VPN registry, but the intended peer WAN Appliance is not, the tunnel will not form.  A common occurrence of this is when an upstream firewall blocks VPN registry communication on UDP port 9350-9381.  This issue is explained in the section VPN Registry Disconnected."
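The flows named in this thread (dashboard over TCP/443 or legacy UDP/7351, and the AutoVPN registry on UDP/9350-9381) are the ones an upstream firewall has to pass through untouched. The following is an added example, not code from any participant or from Meraki: it models a first-match firewall policy in a constructed rule format and reports which required flow would break because a port is denied, unmatched, or sent to TLS decryption (the PA case above). The `Rule` model and `SAMPLE_POLICY` are constructed for illustration.

```python
from dataclasses import dataclass
# Flows named in the thread: dashboard over TCP/443 (newer firmware) or UDP/7351
# (legacy), and AutoVPN registry orchestration on UDP/9350-9381.
REQUIRED_FLOWS = {
    "dashboard-tls": ("tcp", 443, 443),
    "dashboard-legacy": ("udp", 7351, 7351),
    "autovpn-registry": ("udp", 9350, 9381),
}

@dataclass
class Rule:
    action: str            # "allow" or "deny" (constructed model, not vendor syntax)
    proto: str             # "tcp", "udp" or "any"
    port_lo: int
    port_hi: int
    decrypt: bool = False  # rule hands matching flows to TLS inspection

def first_match(rules, proto, port):
    for r in rules:
        if r.proto in ("any", proto) and r.port_lo <= port <= r.port_hi:
            return r
    return None  # no rule matched: treated as default deny

def check_policy(rules):
    """Return {flow_name: problem} for each required flow that would break:
    a port in its range is denied or unmatched, or the matching rule decrypts
    TLS (Meraki devices reject a re-signed dashboard certificate)."""
    problems = {}
    for name, (proto, lo, hi) in REQUIRED_FLOWS.items():
        for port in range(lo, hi + 1):
            r = first_match(rules, proto, port)
            if r is None or r.action != "allow":
                problems[name] = f"{proto}/{port} is not permitted"
                break
            if r.decrypt:
                problems[name] = f"{proto}/{port} is subject to TLS decryption"
                break
    return problems

# Constructed sample policy: decrypts all outbound 443 (the PA case in the
# thread) and allows only part of the registry range.
SAMPLE_POLICY = [
    Rule("allow", "tcp", 443, 443, decrypt=True),
    Rule("allow", "udp", 7351, 7351),
    Rule("allow", "udp", 9350, 9360),
]
if __name__ == "__main__":
    for flow, why in check_policy(SAMPLE_POLICY).items():
        print(f"{flow}: {why}")
```

Running it against `SAMPLE_POLICY` flags the dashboard TLS flow for decryption and the registry range for the unmatched port 9361, which is exactly the "VPN Registry Disconnected" symptom the quoted documentation describes.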
