So have a new internet circuit from Comcast and its delivered via their EDI. So they have a ciena device that does a Layer 2 passthrough copper handoff for CPE. Problem is its only one interface and they give us two subnets a /29 and a /30. From their documentation:
You receive two subnets from Comcast with Comcast Business Ethernet Dedicated Internet (EDI) circuits:
Wide Area Network (WAN) point-to-point connection between your network and Comcast Business
Public LAN (Local Area Network) IP Block
WAN Point-to-Point Connection
In an EDI plan, the WAN subnet is typically in the form of a /30 (255.255.255.252) network since the circuit is a point-to-point connection type.
Note: Comcast’s standard configuration is to use the /30 WAN point-to-point IP block. It is possible to have the WAN subnet in the form of a subnet larger than a /30, however this is an individual case basis that must be approved by Comcast Business.
The WAN point-to-point network provides security against Denial of Service (DOS) spoofing attacks and a clear demarcation point between your routed networks and Comcast Business.
I have a Meraki MS350 that can do layer 3 and an MX100 meraki appliance. Anyone have experience with this that could help me figure out the config?
Solved! Go to Solution.
@leadtheway I would think you simply connect the MX100 WAN1 interface to the EDI handoff as a WAN point-to-point connection, and if it cannot get a DHCP address from Comcast (if hey instead provide you with an IP), then you can connect locally to the management port of the MX and prime it with the static IP and DFGW settings to get it online in Dashboard. For more info on that piece, search the documentation for "local status page" and it's the first result. And your MS350 would just sit behind the MX, I was assuming it's a NAT/Routed mode MX and the MS350 is on the LAN side on one of the local VLANs (configured on the Security Appliance > Addressing and VLANs page for the MX). Sorry if I didn't understand, wasn't sure what you were trying to do, or might have already tried (or not) and if something wasn't working.
Yes indeed. They even give an example in the docs:
Provided IP information to Comcast:
Point-to-Point (P2P WAN Block): 22.214.171.124/30 ( Subnet mask: 255.255.255.252)
Provider (ISP) IP Address: 126.96.36.199
Customer IP Address: 188.8.131.52
Customer Allocated Public IP Block ( LAN Block): 184.108.40.206/24
Usable IPs: 220.127.116.11 – 18.104.22.168
DNS :Primary: 22.214.171.124 / Secondary: 126.96.36.199
So like @MerakiDave said, you assign the 188.8.131.52 Subnet mask: 255.255.255.252 address to the MX (if it doesn't get that from DHCP). Comcast will have a route for the 184.108.40.206 – 220.127.116.11 on their infrastructure so it forwards all traffic for those destinations to your MX @ 18.104.22.168. You can then choose how to do your L3 design.
Doing it that way , how would I get other devices access to the /29 block? I have other routers/firewalls that need ips from that block?
1. One way to do this is like in this guide:
You could also use access ports on the MX directly instead of trunking towards the switch.
But then your other firewalls/routers are behind the MX's security curtain which might not be what you want.
2. Another topology you could make is to use the MS as router. To do that you would create two "interfaces" (which are actually VLANs) in the Switch/Routing & DHCP page. One interface with the /30 and another with the /29 range. On the same page, a bit lower make sure the default route's next hop IP points to the other /30 address (the one the ISP is using).
Then you configure an access port for the VLAN you chose for the /30 and connect that port to the ISP router. And you create a bunch of access ports for the /29 VLAN. You connect those ports to your MX/routers/FW.
This way the security will need to be handled by each device for themselves in the /29 VLAN of course. The only thing you can do in this setup is some ACLs on the switch.
Option 2 is what i was thinking might be the route, so basically create two vlans put one interface in the /30 vlan and plug that into the comcast equipment and on the second vlan for the /29 just connect devices that need an IP from the block to interfaces in that block. The DFGW for the /29 will be the /30 IP address assigned in that /30 vlan?
No, the default gateway for the devices in the /29 network will be the /29 address you assign to the switch (the IP column in the interfaces table in Switch/Routing & DHCP).
This way the messages are sent to the MS. Who then will forward them to the comcast equipment due to the default route you setup (second table on the same page).
Yes indeed, but not the one you assigned to the switch. The one that comcast assigns to its equipment. Otherwise the switch sends the message to himself.
the same DFGW that was assigned to the /30 vlan interface IP
so basically this is what I'm working with
|IP||50.x.x.46||Usable Range||50.x.x.49||MX 100|
|WAN usable ip addresses||used for||50.x.x.53|
Also, will the ports on the firewalls that plug into that /29 vlan on the MS have to be in access mode with those vlans also residing on the MX or whatever other router
The instructions I gave are for using the switch for providing the /29 LAN to other devices.
The MX's WAN interface will be connected to this switch in the /29 subnet, just like the firewall's IP settings example I gave. Its LAN interface would be connected to your access switches.
It's possible to use the same switch for both tasks. But then the setup becomes a little more complicated. Basically then you would define yet another VLAN "Access VLAN" with a private IP range of your choice. And then configure some access ports for it. One of those you connect to on of the MX's LAN interfaces. The default gateway for your clients then becomes the IP you gave the MX in that "Access VLAN" you defined.
Trunk ports are necessary when you want multiple VLANs to cross a single interface. In this design no trunks are absolutely necessary as all ports can be made dedicated for a single VLAN. You'll see that there are two cables running from the MX to the switch. By using a trunk you might be able to limit that to one. But then again the setup becomes more complex and therefore harder to maintain/troubleshoot.
yeah thats my dilemma, I need to use the MS as an access switch as well, and there are a couple different vlans that need to be on it for wireless/lan/printing etc
An update: so configured as discussed and the MX works fine. My problem now is currently the MS350 has a port plugged into a backup internet connection via cable modem we used to get it online (port 48). It gets a private dhcp address from that modem, when we unplug it, it loses connection to dashboard. I'm guessing something else needs to be done to configure a management IP?
ok i changed it back to vlan 1 and plugged into the MX for the time being on a switchport and the default DHCP server on the mx handed out an address. So that works like that.. but moving forward, I would assume that I would change that to a trunk port as I add more vlans on the MX?
Tbh I'd have to test how the management IP exactly needs to be configured, I'm not sure. Have you tried entering 50.x.x.46 as IP and the VLAN ID you used for your /30?
Indeed, if you add more access VLANS it's probably best to set the port used for the connection between the MX's LAN interface and the MS to trunk mode, otherwise you need to sacrifice a port on the MX for each VLAN.
I should be able to add the vlans for the network to the MX and switch that to a trunk and then be able to change the management vlan to the one i create on the MX as well as any other vlans i should be able to have access ports on the MS correct?