I have several switches internal to my organization all running their management ip addresses from 'vlan-99'.
I have another switch on the internet/outside of the (MX) firewall. I do not want this switch's management address on the same vlan I use for my inside switches (current working config).
I was about to simply whip up another vlan on the MX and plumb it to the external switch for management use when I noticed in the switch settings doc "All switches in a network must use the same management VLAN".
Can anyone confirm that statement in the switch doc that invalidates my approach, and what a workaround would be?
Make a separate "Meraki Network" for my ISP side switch?
The IP information on the switch is really only used so the device can talk to the cloud. Just curious what your motivation is in having the switch IP isolated?
As to why I want the switch isolated: Two reasons really.
- This is an ISP facing switch on the 'dirty side' of the firewall. The other 15 are internal. I'm not 100% comfortable having the management (or any) vlan traverse the firewall. I can ping 'internal' management addresses from my 'ISP switch' and that's enough to make my spider sense tingle a bit.
- I observed the ISP switch win an RSTP election over an internal switch. I know how to manage STP priority and who becomes root. I cleaned that up pretty quickly but don't want that switch visible to the internal switching environment at all. Since the ISP switch only handles internet traffic at layer 3, the only way it can participate in the internal spanning tree environment is via the management vlan.
So it's 1/2 security design best practice and 1/2 RSTP management. In my mind having the 'ISP switch' on a separate management vlan mitigates both concerns for the most part without tweaking RSTP priorities & firewall rules.
With My Thanks
Good morning, I have a similar question and was curious what your final configuration looked like.