Watchguard to MX100 Migration

cgibson777
New here

Watchguard to MX100 Migration

I've been sort of stumped with this appliance so far.  I'm going to line out our current environment and then see what you guys think I need to edit for the replacement of the Watchguard.with the MX100.

 

We currently have a full Meraki switch environment with a Watchguard XTM taking care of firewall duties.

 

The full layer 3 switch we call IT Core and have quote a few access switches.  The layout is below:

 

Vlan 1 DataVlan  ~ 192.0.0.0/24

Vlan 4 ArborNet  ~  192.168.1.0/21

Vlan 5 DoorCams  ~ 192.168.20.0/24

Vlan 6 DoorControls ~ 192.168.24.0/21

Vlan 9 VideoWalls ~ 192.168.100.0/24.

Vlan 10 Voice ~ 10.0.0.0/24

 

One not here is that Vlan1 and Vlan4 we use as our primary data vlan.  Inherited a /24 and ran out of room so created the /21 but can't deprecate the /24 yet so for these two subnets they fully communicate with each other.

 

Now currently in the switch (MS 320) is the followig Interfaces and route.  

 

Interfaces ~ 

 

DataVlan Subnet - 192.0.0.0/24   IP - 192.0.0.75  Vlan - 1  No DHCP

ArborNet Subnet -  192.168.0.0/21   IP - 192.168.1.1  Vlan - 4  DHCP Relayed

DoorCam Subnet -  192.168.20.0/24  IP -  192.168.20.1  Vlan -5  No DHCP

DoorControls Subnet -  192.168.24.0/21  IP - 192.168.24.1  Vlan - 6  No DHCP

VidWalls Subnet -  192.168.100.0/24  IP - 192.168.100.1  Vlan - 9 No DHCP

Voice Subnet - 10.0.0.0/24  IP - 10.0.0.1  Vlan - 10  No DHCP

 

Route ~ 

Default route 0.0.0.0/0 Next Hop IP  192.0.0.254

 

Now the Firebox is much different than the MX is.  The Watchguard ports are the interfaces and can be set with hard IPs and what not.  Below is the current config of the Watchguard that we use dual fiber WANs on:

 

Internet external port 0 IP is static from WAN and has our static public IPs 

Port 1 is our trusted network ~ IP is 192.0.0.254

Port 3 is for the door cams ~ IP is 192.168.20.254  The firebox also serves as DHCP for this one

Port 4 is the second wan static from ISP

Port 5 is the door controls ~ IP is 192.168.24.254.  The firebox also serves as DHCP for this one.

 

These are the only interfaces on the Watchguard.  Also the Watchguard has no vlans programmed into it.

 

The Watchguard policies control all traffic flow as well as segmenting the Door vlans.

 

The Watchguard does have the following routes in it:

 

10.0.0.0/24 routes to Gateway 192.0.0.75

192.168.0.0/21 routes to Gateway 192.0.0.75

192.168.70.0/24 routes to Gateway 192.0.0.75

192.168.100.0/24 routes to Gateway 192.0.0.75

 

Ok so that pretty much somes it up.  The static IPs are programmed in the Watchguard and policies dictate traffic from them.

 

So I've tried a few different methods of setting up the MX but can't seem to get things down pat.  What's the best way to integrate this into the network to replace the Watchguard?  Merakis documentation points to a Layer 3 switch topology with Firewall (MX), Distribution Switch (MS320), then downstream Access switches.  That sounds like us perfectly but their documentation has an example of creating a dedicated interface that is given a gateway IP but it must be old as when I create an interface on the MS there's no place for a gateway.  

 

So any recommendations on the best way to do this?  The switch taking care of the Vlan routing/tagging and the firewall just doing internet traffic is perfect, I just can't seem to get it right.

 

Thanks for the help!

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

6 REPLIES 6
AjitKumar
Head in the Cloud

Hi @cgibson777 

"switch taking care of the Vlan routing/tagging and the firewall just doing internet traffic is perfect, I just can't seem to get it right."

If I understand you right.

The requirement is

1. All the VLANs shall reside on the switch

2. MX shall be the gateway for internet access

 

Possible configuration could be

On MX

1. Create a Transit VLAN

Security & SD-WAN > Addressing & VLANs > Routing

Transit VLAN.PNG

 

 

 

2. Create reverse route for VLANS on the switch

Security & SD-WAN > Addressing & VLANs > Static routes

Static Route.PNG

On Switch

1. Create a Transit VLAN

Switch > Routing & DHCP

Switch Transit.PNG

 

2. Create Default Route towards MX

Switch > Routing & DHCP

Switch Default Route.PNG

 

 

 

 

 

Regards,
Ajit
AjitsNW@gmail.com
www.ajit.network

Correct, that's the target scenario.  So the MX would have the transit vlan created with a route from mx as well as from the switch.  I'm assuming in my scenario with a current gateway of 192.0.0.254 on the Watchguard that I would need to tag the MX subnet Vlan 1 with an MX IP of 192.0.0.254 correct?

 

Thanks for the help!

Also, using your solution as an example I would tag the uplink port as native vlan 201 on the switch and firewall ports or just vlan 1 native?  and of course all vlans allowed.

Also, I'm assuming in my scenario the only vlan that would reside on the MX would be the Transit Vlan correct?

PhilipDAth
Kind of a big deal
Kind of a big deal

>Vlan 1 DataVlan  ~ 192.0.0.0/24

>Vlan 4 ArborNet  ~  192.168.1.0/21

 

This is not a valid config.  The subnets are overlapping.

 

You can configure VLANs on the MX like you have at the moment and then assign them to ports.

https://documentation.meraki.com/MX/Networks_and_Routing/Configuring_VLANs_on_the_MX_Security_Applia... 

 

So you can make that part work the same if you like.

That was what I was trying to do in the beginning but couldn't seem to get the static routing to work properly between the MX and the MS320.  Create each VLAN on the MX with a corresponding port on the MX, then tagging that port to a corresponding port on the MS.  That's essentially how we have it today with the firewall interfaces on the Watchguard and then it has the static routes back to the layer 3 switch.  Then it just shoots traffic to the trusted interface to the Watchguard.  

 

Here's what I have today on the switch (MS320):

 

cgibson777_0-1581018617305.png

 

Then the firebox has this:

 

cgibson777_1-1581018700857.png

 

With these routes in the Firebox:

 

cgibson777_2-1581018739521.png

 

I did these in the MX as a test.  I figured I could do the 192.0.0.3 as a test and then when cutover happens change it to 192.0.0.254.   Then using a SPF port as an uplink from the switch to the MX with each tagged native VLAN 1 with all vlans.  This kind of matches the Watchguard but the static routes are what's throwing me off.

 

cgibson777_4-1581018994144.png

 

 

cgibson777_5-1581019065694.png

 

I'm not opposed to restructuring just want to get it right from the get go so to speak.

 

Thanks for all the help!

 

 

 

 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels