Meraki and Comcast EDI

SOLVED
leadtheway
Building a reputation

Meraki and Comcast EDI

So have a new internet circuit from Comcast and its delivered via their EDI.  So they have a ciena device that does a Layer 2 passthrough copper handoff for CPE.  Problem is its only one interface and they give us two subnets a /29 and a /30.  From their documentation:

You receive two subnets from Comcast with Comcast Business Ethernet Dedicated Internet (EDI) circuits:

Wide Area Network (WAN) point-to-point connection between your network and Comcast Business

Public LAN (Local Area Network) IP Block

WAN Point-to-Point Connection

In an EDI plan, the WAN subnet is typically in the form of a /30 (255.255.255.252) network since the circuit is a point-to-point connection type.

Note: Comcast’s standard configuration is to use the /30 WAN point-to-point IP block. It is possible to have the WAN subnet in the form of a subnet larger than a /30, however this is an individual case basis that must be approved by Comcast Business.

The WAN point-to-point network provides security against Denial of Service (DOS) spoofing attacks and a clear demarcation point between your routed networks and Comcast Business.



I have a Meraki MS350 that can do layer 3 and an MX100 meraki appliance.  Anyone have experience with this that could help me figure out the config?
Thanks!

1 ACCEPTED SOLUTION

comcast_L3_setup.png

One of your firewall's WAN interface could then get the following settings:

IP: 50.x.x.49

Subnet mask: 255.255.255.248

DFGW: 50.0.0.54

View solution in original post

24 REPLIES 24
MerakiDave
Meraki Employee
Meraki Employee

@leadtheway  I would think you simply connect the MX100 WAN1 interface to the EDI handoff as a WAN point-to-point connection, and if it cannot get a DHCP address from Comcast (if hey instead provide you with an IP), then you can connect locally to the management port of the MX and prime it with the static IP and DFGW settings to get it online in Dashboard.  For more info on that piece, search the documentation for "local status page" and it's the first result.  And your MS350 would just sit behind the MX, I was assuming it's a NAT/Routed mode MX and the MS350 is on the LAN side on one of the local VLANs (configured on the Security Appliance > Addressing and VLANs page for the MX).  Sorry if I didn't understand, wasn't sure what you were trying to do, or might have already tried (or not) and if something wasn't working.  

Yes indeed. They even give an example in the docs:

https://business.comcast.com/help-and-support/ethernet/comcast-business-ethernet-equipment-configura...

 

Provided IP information to Comcast:

  • Point-to-Point (P2P WAN Block): 107.0.74.0/30 ( Subnet mask: 255.255.255.252)

  • Provider (ISP) IP Address: 107.0.74.1

  • Customer IP Address: 107.0.74.2

  • Customer Allocated Public IP Block ( LAN Block): 24.102.88.0/24

  • Usable IPs: 24.102.88.1 – 24.102.88.254

  • DNS :Primary: 75.75.75.75 / Secondary: 75.75.76.76

 

So like @MerakiDave said, you assign the 107.0.74.2 Subnet mask: 255.255.255.252 address to the MX (if it doesn't get that from DHCP). Comcast will have a route for the 24.102.88.1 – 24.102.88.254 on their infrastructure so it forwards all traffic for those destinations to your MX @ 107.0.74.2. You can then choose how to do your L3 design.

leadtheway
Building a reputation

Doing it that way , how would I get other devices access to the /29 block? I have other routers/firewalls that need ips from that block?

1. One way to do this is like in this guide:

https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/Creating_a_DMZ_with_the_MX_Security...

 

You could also use access ports on the MX directly instead of trunking towards the switch.

 

But then your other firewalls/routers are behind the MX's security curtain which might not be what you want.

 

2. Another topology you could make is to use the MS as router. To do that you would create two "interfaces" (which are actually VLANs) in the Switch/Routing & DHCP page. One interface with the /30 and another with the /29 range. On the same page, a bit lower make sure the default route's next hop IP points to the other /30 address (the one the ISP is using).

 

Then you configure an access port for the VLAN you chose for the /30 and connect that port to the ISP router. And you create a bunch of access ports for the /29 VLAN. You connect those ports to your MX/routers/FW.

 

This way the security will need to be handled by each device for themselves in the /29 VLAN of course. The only thing you can do in this setup is some ACLs on the switch.

leadtheway
Building a reputation

Option 2 is what i was thinking might be the route, so basically create two vlans put one interface in the /30 vlan and plug that into the comcast equipment and on the second vlan for the  /29 just connect devices that need an IP from the block to interfaces in that block.  The DFGW for the /29 will be the /30 IP address assigned in that /30 vlan?

No, the default gateway for the devices in the /29 network will be the /29 address you assign to the switch (the IP column in the interfaces table in Switch/Routing & DHCP).

 

This way the messages are sent to the MS. Who then will forward them to the comcast equipment due to the default route you setup (second table on the same page).

leadtheway
Building a reputation

So the default route on the MS will be a 0.0.0.0 pointing to the ip of the /30 vlan?

Yes indeed, but not the one you assigned to the switch. The one that comcast assigns to its equipment. Otherwise the switch sends the message to himself.

leadtheway
Building a reputation

the same DFGW that was assigned to the /30 vlan interface IP

 

so basically this is what I'm working with

 

Wan/30    Lan/29 Device
IP50.x.x.46   Usable Range50.x.x.49MX 100
Subnet255.255.255.252   50.x.x.50 
GW50.x.x.45    50.x.x.51 
      50.x.x.52 
WAN usable ip addressesused for   50.x.x.53 
WAN50.x.x.46MS350   50.x.x.54 
WAN50.x.x.47   Subnet255.255.255.248
     GW50.x.x.45 

comcast_L3_setup.png

One of your firewall's WAN interface could then get the following settings:

IP: 50.x.x.49

Subnet mask: 255.255.255.248

DFGW: 50.0.0.54

leadtheway
Building a reputation

Perfect. thats really easy to understand.  Just curious, I can still use the MX100 for the gateway for our internal vlans right?  

leadtheway
Building a reputation

Also, will the ports on the firewalls that plug into that /29 vlan on the MS have to be in access mode with those vlans also residing on the MX or whatever other router

The instructions I gave are for using the switch for providing the /29 LAN to other devices.

 

The MX's WAN interface will be connected to this switch in the /29 subnet, just like the firewall's IP settings example I gave. Its LAN interface would be connected to your access switches.

 

It's possible to use the same switch for both tasks. But then the setup becomes a little more complicated. Basically then you would define yet another VLAN "Access VLAN" with a private IP range of your choice. And then configure some access ports for it. One of those you connect to on of the MX's LAN interfaces. The default gateway for your clients then becomes the IP you gave the MX in that "Access VLAN" you defined.

 

Trunk ports are necessary when you want multiple VLANs to cross a single interface. In this design no trunks are absolutely necessary as all ports can be made dedicated for a single VLAN. You'll see that there are two cables running from the MX to the switch. By using a trunk you might be able to limit that to one. But then again the setup becomes more complex and therefore harder to maintain/troubleshoot.

leadtheway
Building a reputation

yeah thats my dilemma,  I need to use the MS as an access switch as well, and there are a couple different vlans that need to be on it for wireless/lan/printing etc

leadtheway
Building a reputation

An update:  so configured as discussed and the MX works fine.  My problem now is currently the MS350 has a port plugged into a backup internet connection via cable modem we used to get it online (port 48). It gets a private dhcp address from that modem, when we unplug it, it loses connection to dashboard.  I'm guessing something else needs to be done to configure a management IP?

Try setting the management VLAN to be the /30 VLAN because that's the VLAN the switch will reach the Meraki cloud on.

leadtheway
Building a reputation

no address needed?  is Lan IP needed?

leadtheway
Building a reputation

when i set vlan to /30 i get 

This device is using a DHCP IP address from VLAN 1 instead of using configured VLAN 999.

leadtheway
Building a reputation

ok i changed it back to vlan 1 and plugged into the MX for the time being on a switchport and the default DHCP server on the mx handed out an address.  So that works like that.. but moving forward, I would assume that I would change that to a trunk port as I add more vlans on the MX?

Tbh I'd have to test how the management IP exactly needs to be configured, I'm not sure. Have you tried entering 50.x.x.46 as IP and the VLAN ID you used for your /30?

 

Indeed, if you add more access VLANS it's probably best to set the port used for the connection between the MX's LAN interface and the MS to trunk mode, otherwise you need to sacrifice a port on the MX for each VLAN.

leadtheway
Building a reputation

I should be able to add the vlans for the network to the MX and switch that to a trunk and then be able to change the management vlan to the one i create on the MX as well as any other vlans i should be able to have access ports on the MS correct?

Just ask Comcast for a /29 WAN range. Inform them, if accurate, that you will/might be setting up an HA firewall and need 2-3 public IP addresses. It's also handy to have at least a /29 for testing and firewall migrations.

Sorry to drag up an old post, but I'm having the same issue with ATT and a single handoff but a HA pair of MX105.  Since they're HA, is the only solution a layer 3 switch in front of the MX pair?  This was my first inclination, and I tried first with a MS120 and now a MS220 but still struggling.  

CSSAC
Just browsing

Swapped out the MS220 for a MS350 and it works kinda sorta.  MXA is up with the assigned address in the /29 but MXB says "not connected" even though I can see pings to it's assigned WAN interface on the pcap - it just doesn't respond.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels