Meraki

Community

Wan Breakout switch advice

Speedbird1
Getting noticed
‎Dec 7 2021 3:12 AM
‎Dec 7 2021 3:12 AM

Wan Breakout switch advice

Hi All, 

 

If your ISP only gives you 1 hand off port ie SFP to serve a HA firewall pair is it bad practice to connect this into a Core switch as a L2 vlan?

 

The core switch MS250 also serves as LAN switch.

 

I have seen this done before and the MS250 has the correct amount of SFP ports i need eg 

 

ISP >> MS250 (L2 VLAN) >> FW1 L2 VLAN  WAN1 >> FW1 L3 VLAN LAN1 >>> MS250 L3 Vlan (LAN) >>>> Clients

ISP >> MS250 (L2 VLAN) >> FW2 L2 VLAN WAN 1 >> FW2 L3 VLAN LAN1 >>> MS250 L3 Vlan (LAN) >>>> Clients

 

Or is it better practice getting a WAN breakout switch to separate everything. 

 

This is purely to save costs rather than having to but an extra pair of switches (MS120)  where most of the ports will be sitting idle.

 

 

Thanks   

 

 

 

0 Kudos
4 Replies 4
KarstenI
Kind of a big deal
Kind of a big deal
‎Dec 7 2021 3:44 AM
‎Dec 7 2021 3:44 AM

Bridging around your firewall is typically a very bad idea. I always use "simple" L2 Switches for the WAN edge like Catalyst 1000 (good luck getting any of these in time) or Cisco Small Business Switches CBS. Some networks even have really cheap Zyxel switches for that.

0 Kudos
In response to KarstenI
Speedbird1
Getting noticed
‎Dec 7 2021 4:47 AM
‎Dec 7 2021 4:47 AM

Thanks, Yeah i understand generally its a bad idea.

 

But if ISP supplies 1 X SMF fibre handoff.  I need 2 SMF fibre to go to each firewall. 

Most small business switches have only 2 SFP ports.

 

Also On some sites we have 10G SFP+ internet handoffs 

 

This is why the MS250 fits the need but not the good practice need. It also means we can monitor the ISP ports through the dash board.

 

I did find these that would be better edge switches for this situation

 

MikroTik CRS305-1G-4S+IN

 

MikroTik CRS309-1G-8S+IN

0 Kudos
In response to Speedbird1
KarstenI
Kind of a big deal
Kind of a big deal
‎Dec 7 2021 5:46 AM
‎Dec 7 2021 5:46 AM

If the line speed is only up to 1 Gig, you only need one SFP on the switch when you use copper to the firewalls. If it is more than a Gig, I would still use a different switch, but with SFP+.

For the visibility, this is something you should monitor with SNMP to get a longer timespan as with that you can better see the trends when you need to upgrade your circuit. And when going with Meraki switches, the WAN-switch should be in a different dashboard network as the system doesn't like it to see traffic twice.

In response to KarstenI
Speedbird1
Getting noticed
‎Dec 7 2021 5:57 AM
‎Dec 7 2021 5:57 AM

Thanks again this helps a lot, A different Switch it is then 

 

But this bit i didn't know or think of 

 

WAN-switch should be in a different dashboard network as the system doesn't like it to see traffic twice.  

 

Makes sense 

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.