Separate VLAN for WAN link

wm4096
Conversationalist

Separate VLAN for WAN link

While I know the concepts of VLANs and the theory behind them, I'm having trouble converting that into a  real-world setup and wanted to see if someone could help get me started in the right direction.

 

What I want to do is use my Meraki MS220 in the following configuration:

 

Port 1: Link to cable modem

Port 2: Link to firewall (non-Meraki) WAN interface

Port 3: Link to firewall LAN interface

Port 4-8: LAN devices

 

I am confused on how to set the type (Access/Trunk) on the ports as well as the Native VLANs and Allowed VLANs to accomplish this.  I'm wanting to get the WAN interface flowing through the switch to utilize Meraki's traffic graphs as they are much better than the graphs provided by my firewall.  

 

Any guidance on this would be highly appreciated! 

5 REPLIES 5
PhilipDAth
Kind of a big deal
Kind of a big deal

You'll need two VLANs.

 

You already have 1 by default, so I would use that as the inside interface.  Place ports 3 through 8 into this vlan.  Make them access ports.

 

Put ports 1 and 2 into VLAN2 and make them access ports.

wm4096
Conversationalist

Hey PhilipDAth,

 

Thank you for the response.  When I configure the ports as you mentioned, I don't get any WAN connectivity.  I can talk to the LAN address of the firewall.  But the WAN port of the firewall does not pull the DHCP address on the public interface.  I tried with and without setting the VLAN on the WAN interface of the firewall itself with no success.  This was the behavior I kept running into before posting, so I thought I was doing something wrong.  Any ideas?


Thanks again!

PhilipDAth
Kind of a big deal
Kind of a big deal

Configure up all the ports in the switch first.  Then plug in the LAN side of the firewall to the switch, and leave the cable modem plugged into the WAN port of the switch.

 

Once everything is working and the switch has a "white" light on it, and the dahsboard says it has the config applied, plug the firewall and cable modem into ports 1 and 2.

 

 

I am assuming your firewall WAN interface has no VLAN tagged configured on it, and is using simple DHCP.

wm4096
Conversationalist

Hey @PhilipDAth ,

 

That's the process I used.  Here's specifically what I did:

 

  1. Existing setup has Port 8 on the switch plugged into the LAN port of the firewall.  Firewall WAN direct to cable modem.
  2. Configured port 1/2 as "access" mode with unused VLAN (i.e., 20).  At this point I had connectivity (pings) to the LAN IP of the firewall and to an external address (8.8.8.8).
  3. Moved cable from cable modem to port 1, cable from firewall WAN to port 2
  4. At this point, the pings to the LAN address remain constant, but external pings cease.  Upon looking at the firewall's status, it does not gain a public IP address from the ISP.  

You are correct that the WAN interface has no VLAN configuration and the connection to the ISP is a simple DHCP connection.

wm4096
Conversationalist

Update.... did some more playing around just for confirmation and I had an old unmanaged switch laying around put it in place between the cable modem and the firewall (WAN), and it works fine. So, it seems that the ISP isn't doing some sort of weird voodoo that's keeping the config from working, so it must be something with how I'm configuring it.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels