WAN Breakout switch advice

Hi All, 


If your ISP only gives you one hand-off port (i.e. an SFP) to serve an HA firewall pair, is it bad practice to connect this into a core switch as an L2 VLAN?


The core switch (MS250) also serves as the LAN switch.


I have seen this done before, and the MS250 has the number of SFP ports I need, e.g.:


ISP >> MS250 (L2 VLAN) >> FW1 L2 VLAN WAN1 >> FW1 L3 VLAN LAN1 >>> MS250 L3 VLAN (LAN) >>>> Clients

ISP >> MS250 (L2 VLAN) >> FW2 L2 VLAN WAN1 >> FW2 L3 VLAN LAN1 >>> MS250 L3 VLAN (LAN) >>>> Clients


Or is it better practice to get a WAN breakout switch to separate everything?


This is purely to save costs, rather than having to buy an extra pair of switches (MS120) where most of the ports would be sitting idle.
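
If the ISP hand-off VLAN does end up on the shared MS250 as in the topology above, the property worth checking is that the VLAN is confined to exactly the ports that must carry it (the ISP hand-off and the two firewall WAN ports), that those ports carry nothing else, and that the switch has no L3 interface on it (otherwise the switch itself sits on the ISP segment and the firewalls are bypassed). The script below is an added example written for this thread, not the poster's or Meraki's code. The port and L3-interface records are constructed inline and only loosely follow the shape of the Meraki switch-port and routing-interface API objects (portId, type, vlan, allowedVlans, vlanId); VLAN 999, the port numbers and the addresses are assumptions.

```python
"""Audit that a WAN hand-off VLAN on a shared core switch is confined to its
intended ports and has no L3 interface on the switch.

Added example for this thread; all data below is constructed, not pulled
from a real switch. VLAN 999 and the port numbers are assumptions.
"""
from __future__ import annotations

WAN_VLAN = 999
# Ports allowed to carry the WAN VLAN: ISP hand-off, FW1 WAN1, FW2 WAN1 (assumed numbering).
ALLOWED_WAN_PORTS = {"49", "50", "51"}

# Constructed sample ports: access ports use 'vlan'; trunks use 'vlan' as
# native VLAN plus 'allowedVlans' ("all" or a list such as "10,20,100-110").
PORTS = [
    {"portId": "1",  "type": "access", "vlan": 10,  "allowedVlans": None},
    {"portId": "2",  "type": "access", "vlan": 10,  "allowedVlans": None},
    {"portId": "47", "type": "trunk",  "vlan": 1,   "allowedVlans": "all"},    # FW1 LAN uplink: 'all' leaks the WAN VLAN
    {"portId": "48", "type": "trunk",  "vlan": 1,   "allowedVlans": "10,20"},  # FW2 LAN uplink: scoped correctly
    {"portId": "49", "type": "access", "vlan": 999, "allowedVlans": None},     # ISP hand-off
    {"portId": "50", "type": "access", "vlan": 999, "allowedVlans": None},     # FW1 WAN1
    {"portId": "51", "type": "trunk",  "vlan": 1,   "allowedVlans": "999"},    # FW2 WAN1: native VLAN 1 also rides this port
]

# Constructed sample L3 interfaces (SVIs) configured on the switch.
L3_INTERFACES = [
    {"name": "LAN",  "vlanId": 10,  "interfaceIp": "10.0.10.2"},
    {"name": "oops", "vlanId": 999, "interfaceIp": "203.0.113.2"},  # switch is now on the ISP segment
]


def parse_vlan_list(spec: str) -> set[int]:
    """Expand a list like '1,10-12,999' into {1, 10, 11, 12, 999}."""
    vlans: set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return vlans


def vlans_on_port(port: dict) -> set[int] | None:
    """Return the VLANs whose frames can enter or leave this port; None means 'all'."""
    if port["type"] == "access":
        return {int(port["vlan"])}
    allowed = (port.get("allowedVlans") or "all").strip()
    if allowed.lower() == "all":
        return None
    # On a trunk the native VLAN is carried untagged, so it counts as well.
    return parse_vlan_list(allowed) | {int(port["vlan"])}


def audit_wan_vlan(ports, l3_interfaces, wan_vlan=WAN_VLAN, allowed_ports=ALLOWED_WAN_PORTS):
    """Return a list of (finding, identifier) tuples; empty means the VLAN is properly confined."""
    findings = []
    for port in ports:
        pid = str(port["portId"])
        carried = vlans_on_port(port)
        carries_wan = carried is None or wan_vlan in carried
        if carries_wan and pid not in allowed_ports:
            # The WAN segment reaches a port that should never see it (e.g. a LAN trunk with 'all').
            findings.append(("wan_vlan_on_unexpected_port", pid))
        elif pid in allowed_ports:
            if not carries_wan:
                findings.append(("wan_port_missing_wan_vlan", pid))
            elif carried is None or carried - {wan_vlan}:
                # A WAN-facing port also carries LAN VLANs (or a native VLAN), bridging around the firewall.
                findings.append(("extra_vlans_on_wan_port", pid))
    for iface in l3_interfaces:
        if int(iface["vlanId"]) == wan_vlan:
            findings.append(("l3_interface_on_wan_vlan", iface["name"]))
    return findings


if __name__ == "__main__":
    for finding in audit_wan_vlan(PORTS, L3_INTERFACES):
        print(*finding)
```

Run against the constructed sample it reports the 'all' trunk on port 47, the stray native VLAN on port 51 and the SVI on VLAN 999; a clean result is an empty list. Adapting it to a real switch means replacing the two constructed lists with the port and routing-interface data exported from the switch.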

Bridging around your firewall is typically a very bad idea. I always use "simple" L2 switches for the WAN edge, like the Catalyst 1000 (good luck getting any of these in time) or Cisco Small Business switches (CBS). Some networks even have really cheap Zyxel switches for that.

Thanks. Yeah, I understand it's generally a bad idea.


But if the ISP supplies 1 x SMF fibre hand-off, I need 2 SMF fibres to go to each firewall.

Most small business switches have only 2 SFP ports.


Also, on some sites we have 10G SFP+ internet hand-offs.


This is why the MS250 fits the need, but not the good-practice need. It also means we can monitor the ISP ports through the dashboard.


I did find these, which would be better edge switches for this situation:


MikroTik CRS305-1G-4S+IN


MikroTik CRS309-1G-8S+IN


If the line speed is only up to 1 Gig, you only need one SFP on the switch when you use copper to the firewalls. If it is more than a Gig, I would still use a different switch, but with SFP+.

For the visibility, this is something you should monitor with SNMP to get a longer timespan, as with that you can better see the trends when you need to upgrade your circuit. And when going with Meraki switches, the WAN switch should be in a different dashboard network, as the system doesn't like to see traffic twice.

Thanks again, this helps a lot. A different switch it is, then.


But this bit I didn't know or think of:


"The WAN switch should be in a different dashboard network, as the system doesn't like to see traffic twice."


Makes sense.
