Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Switches between MX WAN and ISP router

Dunky
A model citizen
‎Aug 6 2021 8:54 AM
‎Aug 6 2021 8:54 AM

Switches between MX WAN and ISP router

Looking for some design advice...

 

I have 2 MX's in HA mode and two ISP's

Each ISP only provided one physical port.

I therefore need to put 2 switches between the MX and the ISP router as below:

Dunky_0-1628264540665.png

WAN1 on each MX has a public IP from ISP1, WAN2 on each MX has a public IP from ISP2.

I also have a public IP from each ISP for the VIP.

 

If I were to use Meraki, how would I configure these so they are accessible via the dashboard (IP addressing, do I need to link them, what would the gateway be etc etc)?

Would the following work...

Connect them to the MS switch on the LAN side of the MX and make that an access port in the network mgmnt VLAN - would that make them accessible via the dashboad as shown below:

Dunky_1-1628265090353.png

or is there a better way?

 

Or am I better off just using 2 unmanaged switches, and if so can anyone recommend a 8port model, ideally Cisco. The intention would be to have to plug into these direct in order to configure.

 

Preference is to stay with Meraki if Option 2 above will work.

 

TIA

Steve

 

0 Kudos
Subscribe
7 Replies 7
cmr
Kind of a big deal
Kind of a big deal
‎Aug 6 2021 9:43 AM
‎Aug 6 2021 9:43 AM

@Dunky I think your option 2 will work, remember to put the MX to ISP connections in their own VLAN without an interface.

 

We use Cisco Small Business SG110D-05 switches in that role, cheap as chips and in over 2 years we've never had one cause a problem.

Subscribe
In response to cmr
Bruce
Kind of a big deal
‎Aug 6 2021 3:07 PM
‎Aug 6 2021 3:07 PM

@Dunky, just like @cmr said that should work. The other thing I’d probably do if you use Meraki switches is put the two ‘outside’ switches in their own network in the Meraki Dashboard. It’s just a cosmetic thing so that the applications and clients reported on the ‘inside’ network make sense.

Subscribe
DarrenOC
Kind of a big deal
Kind of a big deal
‎Aug 7 2021 12:51 AM
‎Aug 7 2021 12:51 AM

Hi @Dunky , go with Option 2. It definitely works as we’ve done this a number of times across various customers. As you state, place one port in your mgnt vlan and connect that into your LAN so you can manage the devices.

 

If cost is an issue then a simple unmanaged device will work as @cmr states.

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
Subscribe
KarstenI
Kind of a big deal
Kind of a big deal
‎Aug 7 2021 1:38 AM
‎Aug 7 2021 1:38 AM

I can only partially agree with the others and would do a couple of changes:

  1. Have one VLAN per ISP and build a trunk between the switches so that each MX can use both ISPs through both switches. In case of e dead switch you can simply move the other ISP to the remaining switch and can use both ISPs again while waiting for the switch to be exchanged. But this is a minor thing.
  2. Never ever build a shortcut around the firewall. Better put the switch-management in a dedicated VLAN on a firewall-interface.
Subscribe
In response to KarstenI
cmr
Kind of a big deal
Kind of a big deal
‎Aug 8 2021 1:27 AM
‎Aug 8 2021 1:27 AM

@Dunky to add to option 2 of using Meraki switches, you might want to put them in two separate networks that are not the main site network.  This would ensure that when you upgrade them, they don't both reboot at once...

 

You don't need to do this, as when you schedule a switch firmware upgrade, you can now go back in and change the times for individual switches, but you might forget on one occasion!

 

If I were going to follow that route I'd have one network for all the switches connected to provider A at all sites, and another for all switches connected to provider B.  That way you'll also get some overall provider reporting 😇

 

Subscribe
Dunky
A model citizen
‎Aug 9 2021 12:54 AM
‎Aug 9 2021 12:54 AM

Big thanks to all that contributed, plenty of good ideas and pointers.
Based on the feedback I have decided to connect each switch direct to the MX rather than the internal switches and each ISP in a separate VLAN (I had intended to do this but hadn't shown it on the diagram).
Its not a 24x7 site, so the switches will sit in the same network - I can accept an outage when we upgrade the switches.
Will also put an LACP between the 2 switches and trunk the mgmnt VLAN to ensure both are visible in the event of an MX outage.
 
Thanks again to all that contributed.

 

0 Kudos
Subscribe
In response to Dunky
Dunky
A model citizen
‎Aug 13 2021 3:21 AM
‎Aug 13 2021 3:21 AM

Final query on this...

I will need to setup a site-site VPN (Non-Meraki Peer - Azure) this HA site.

With a single MX I would normally set the remote IP in Azure as the MX DDNS name.

How would I configure the Azure end to re-establish the VPN to the standby MX at site - or is that just not possible?

 

 

0 Kudos
Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.