Separate Management VLAN for Internet facing switch.

Solved
MPDsville
Just browsing


Hello Group,  

I have several switches internal to my organization all running their management ip addresses from 'vlan-99'.

I have another switch on the internet/outside of the (MX)firewall. I do not want this switch's management address on the same vlan I use for my inside switches (current working config).

I was about to simply whip up another vlan on the MX and plumb it to the external switch for management use when I noticed in the switch settings doc "All switches in a network must use the same management VLAN"

Can anyone confirm that statement in the switch doc that invalidates my approach, and what a workaround would be?

  Make a separate "Meraki Network" for my ISP side switch?

Thanks

    Mike D

1 Accepted Solution
PhilipDAth
Kind of a big deal

Cisco Meraki switches do not need to use the same management VLAN.  The only requirement is that the configured management VLAN can get to the Cisco Meraki cloud on the Internet.


4 Replies

Adam
Kind of a big deal

The IP information on the switch is really only used so the device can talk to the cloud.  Just curious what your motivation is in having the switch IP isolated?

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
MPDsville
Just browsing

As to why I want the switch isolated:  Two reasons really.

- This is an ISP facing switch on the 'dirty side' of the firewall.  The other 15 are internal. I'm not 100% comfortable having the management (or any) vlan traverse the firewall. I can ping 'internal' management addresses from my 'ISP switch' and that's enough to make my spider sense tingle a bit.

- I observed the ISP switch win an RSTP election over an internal switch. I know how to manage STP priority and who becomes root.  I cleaned that up pretty quickly but don't want that switch visible to the internal switching environment at all.  Since the ISP switch only handles internet traffic at layer 3, the only way it can participate in the internal spanning tree environment is via the management vlan.

So it's 1/2 security design best practice and 1/2 RSTP management. In my mind having the 'ISP switch' on a separate management vlan mitigates both concerns for the most part without tweaking rstp priorities & firewall rules.

With My Thanks

    Mike D

Chris-12
Conversationalist

Good morning, I have a similar question and was curious what your final configuration looked like.

• Did you end up taking a link directly off of the Inside interface of your firewall to your WAN MS switch?
• Did you create a separate mgmt vlan/network on your firewall, only for this switch?
• On the ACL piece, did you only allow access to the internet and block all internal networks?
• Is there a way to create an ACL to only allow the switch to talk to Meraki's cloud, and if so, do you know what those public IPs are?

Thanks,

Chris
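The firewall policy Chris is asking about (let the ISP-side switch's management VLAN reach the cloud and nothing internal, while leaving vlan-99 as it is) can be sanity-checked before it is typed into the Dashboard. The following is an added example written for this page; it is not code from the thread or from Meraki. It models first-match L3 rule evaluation in Python: the 10.99.0.0/24 and 10.199.0.0/24 management subnets are constructed, the host addresses are constructed, and 203.0.113.0/24 is a placeholder standing in for whatever cloud destinations your Dashboard actually lists (the page does not give them, so none are hard-coded here).

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing for the scenario in the thread: the 15 internal
# switches keep their management addresses on vlan-99, and the ISP-side
# switch gets its own management VLAN that is routed on the MX but kept apart.
INTERNAL_MGMT = ipaddress.ip_network("10.99.0.0/24")    # existing vlan-99 (constructed)
ISP_SW_MGMT = ipaddress.ip_network("10.199.0.0/24")     # new mgmt VLAN for the ISP switch (constructed)
# Placeholder for the Meraki cloud destinations the Dashboard lists for your
# organization; TEST-NET-3 is used only so the example runs offline.
CLOUD_PLACEHOLDER = ipaddress.ip_network("203.0.113.0/24")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str = "any"                # "any", "tcp", "udp" or "icmp"
    dports: frozenset = frozenset()   # empty means any destination port


def evaluate(rules, src_ip, dst_ip, proto="any", dport=None):
    """First-match evaluation, modelled on an L3 outbound rule list that ends
    in an implicit 'allow any' (the MX default); returns "allow" or "deny"."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if (src in rule.src and dst in rule.dst
                and rule.proto in ("any", proto)
                and (not rule.dports or dport in rule.dports)):
            return rule.action
    return "allow"


# Proposed rule set for the ISP switch's management VLAN (constructed):
#  1. it may never reach private address space, so nothing on the
#     'dirty side' can ping internal management addresses;
#  2. it may reach the cloud destinations (placeholder network);
#  3. everything else sourced from that VLAN is dropped.
# The internal management VLAN matches none of these rules and keeps the
# implicit allow, so the existing working config is unchanged.
POLICY = [
    *[Rule("deny", ISP_SW_MGMT, net) for net in RFC1918],
    Rule("allow", ISP_SW_MGMT, CLOUD_PLACEHOLDER),
    Rule("deny", ISP_SW_MGMT, ANY),
]


def isolation_holds(rules=POLICY):
    """True when the ISP switch reaches only the cloud placeholder, cannot reach
    sample internal addresses, and the internal switches are unaffected."""
    isp_sw = "10.199.0.10"   # constructed management address of the ISP switch
    checks = [
        evaluate(rules, isp_sw, "10.99.0.5", "icmp") == "deny",             # internal switch on vlan-99
        evaluate(rules, isp_sw, "192.168.1.1", "tcp", 22) == "deny",        # another internal network
        evaluate(rules, isp_sw, "203.0.113.10", "tcp", 443) == "allow",     # cloud placeholder
        evaluate(rules, isp_sw, "198.51.100.7", "tcp", 443) == "deny",      # arbitrary Internet host
        evaluate(rules, "10.99.0.5", "198.51.100.7", "tcp", 443) == "allow",  # vlan-99 still has its default
    ]
    return all(checks)


if __name__ == "__main__":
    print("isolation holds:", isolation_holds())
```

Rule order matters: the RFC1918 denies sit above the cloud allow so a private address inside the placeholder can never be reached by accident, and the final deny catches everything the allow did not. The same script is a cheap regression check when the cloud destination list changes: swap the placeholder for the real destinations and re-run `isolation_holds()`.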
