Meraki

Speedbird1 · ‎Mar 24 2022

Hi All

Just a question and bit of a dilemma ..

Planning on separating SSID's with VLAN tags on Meraki switches and AP's

Corp vlan

Server Vlan

BYOD vlan

Guest Vlan

Corp and server need to communicate with each other

90% traffic is cloud based 10% to some local servers

BYOD and guest need to be separated

Option1

Place all vlan's on upstream firewalls, Create interfaces, fw rules etc

Option 2

Place Corp and server vlan's on Core switches with SVI's and transit vlan to FW for internet traffic

Place Guest and BYOD vlan's on upstream firewall

Option 3

Place all vlan's on core switch and do a transit /30 Vlan to FW for internet traffic

Firewalls are a fully featured NGFW

I would like to use some of the features like dns server with filtering, AV scanning of traffic etc.

Hope this makes sense, just wanted too see what you guys thought or if there are other options.

Thanks

alemabrahao · ‎Mar 24 2022

Hi,

In my opinion Option 3 is the best 😄

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

KarstenI · ‎Mar 24 2022

I would not use Option 3. Separating the traffic with Switch ACLs could be a pain. And Switch ACLs are not stateful which means you have to control both directions from client and from server.

I typically use Option 2. All VLANs that need complete communication are on the L3 switch, all VLANs that need a strict separation are on the Firewall. But with this you have the overhead to manage some VLANs on the switch and some VLANs on the Firewall.

In your environment I would probably use option 1. With 90% cloud traffic the firewall-throughput is likely high enough to handle the corp to server traffic and you have full control and only one place to configure the rules.

alemabrahao · ‎Mar 24 2022

Well, In option 3 you can have all SVIs on switch core and at de same time control all traffic on Firewall. In my opinion, firewalls don't have to route internal VLANs when we are talking about design.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

KarstenI · ‎Mar 24 2022

If the SVI is on the Switch, then the Firewall doesn't have any control over the inter-VLAN traffic. And at least the Guest traffic has to be separated from the rest of the network.

alemabrahao · ‎Mar 24 2022

Yes, but you can set the firewall as a gateway for guest VLANs, there are many possibilities. You can use VRFs on switch core for example. 🙂

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

KarstenI · ‎Mar 24 2022

That is basically Option 2. And sadly, Meraki Switches do not have VRFs.

alemabrahao · ‎Mar 24 2022

Yes, but he didn't say the switch model, just he needs to isolate inter-Vlan communication. I know that Meraki Switches do not have VRFs.
But to diced what is the best scenario, we need to know the topology, don't you think?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

alemabrahao · ‎Mar 24 2022

The switch core in that case.😅

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

DarrenOC · ‎Mar 24 2022

I'm with @KarstenI and would go with Option 1. Keep the L3 interfaces on your firewall unless your network is going to expand and you introduce more Vlans and L3 interfaces and require inter vlan routing.

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.

Speedbird1 · ‎Mar 24 2022

Hi All thanks for all the replies and interesting thoughts/comments

For some extra info (didnt have time to draw it out but topology is bascially)

MR56 Access points >>> 6 X Stacked MS225 >>(2 x10g aggregate) >> Stacked MS425-16 (core switch) >> (2 x 10g Aggregate) >> Fortigate F series FW >>> Internet

I have always gone with option 1 where there are no internal services, and i am thinking option1/2 for this one. however this one is the biggest site.

All devices will hang off the MS225's

There will be internal video/audio streaming the rest of the traffic is cloud apps.

Once decided the Vlans wont increase so max < 8 Vlans

My ideal would be to keep the corporate and servers/video internal and everything else on the firewall.

Its just whether i want to have the extra overhead in admin for option 2.

Think i might have answered my own question ...

Meraki

Community

Transit Vlan to FW question

Transit Vlan to FW question