Meraki

Community

Can I connect Meraki AP to Cisco FTP firewall 1010

Solved
HaniAbuelkhair
Getting noticed
‎Dec 18 2020 5:35 AM
‎Dec 18 2020 5:35 AM

Can I connect Meraki AP to Cisco FTP firewall 1010

HI,

 

I have 6 Meraki AP's connect to a Meraki MX67, but we have to change the MX67 and replace it with Cisco FTP firewall 1010 for some reasons.

My question is can we connect Meraki AP to Cisco FTP firewall 1010. If yes can you please share some ideas how ?

0 Kudos
1 Accepted Solution
In response to HaniAbuelkhair
KarstenI
Kind of a big deal
Kind of a big deal
‎Dec 18 2020 9:02 AM
‎Dec 18 2020 9:02 AM

The Firepower 1010 only has two PoE-Ports. So all APs are connected to a switch. The VLANs for the Wireless users are configured on the Firepower for everything that is Guest and IoT as I want a strict access-control and the internal Users VLAN is configured on the switch. The connection between switch and Firewall is a Trunk in this case.

DHCP is always running on the device that holds the VLAN, but it could also be done on the internal DHCP-server.

Configuring the FTD will be a little bit more challenging, that device is not as easy to configure as the Meraki MX.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.

View solution in original post

12 Replies 12
ww
Kind of a big deal
Kind of a big deal
‎Dec 18 2020 5:58 AM
‎Dec 18 2020 5:58 AM

Mx as wireless concentrator? Or are  AP's using local breakout/bridge mode?

0 Kudos
In response to ww
HaniAbuelkhair
Getting noticed
‎Dec 18 2020 6:51 AM
‎Dec 18 2020 6:51 AM

Yes its AP's using local breakout/bridge mode

I have 6 MR33 AP's now connected to MX64, and for some reason we need to replace the Mx64 with Cisco FTP, or Fortigate.

 

0 Kudos
In response to HaniAbuelkhair
KarstenI
Kind of a big deal
Kind of a big deal
‎Dec 18 2020 8:10 AM
‎Dec 18 2020 8:10 AM

The APs are completely independent of your firewall as long as they can reach the Meraki cloud. And the FTD 1010 for sure works with these APs. In my office I also have a 1010 combined with my Meraki AP.

One drawback is that you will not have the complete visibility from client to internet as you can have it with the Meraki FullStack.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
In response to KarstenI
HaniAbuelkhair
Getting noticed
‎Dec 18 2020 8:18 AM
‎Dec 18 2020 8:18 AM

Thanks @KarstenI for the update 

And i agree with you we will lose the Complete visibility from client to internet 

Do you connect the Meraki AP directly to the FTP 1010 or to a switch ?

So you just created VLAN on the FTP1010 and configure the port to be Truck in order to pass all the Meraki VLANs (staff, and the Guest) ?

And then DHCP for the client 

 

Any specific tips for the config or its straightforward as i never did a config for FTP devises 

0 Kudos
In response to HaniAbuelkhair
KarstenI
Kind of a big deal
Kind of a big deal
‎Dec 18 2020 9:02 AM
‎Dec 18 2020 9:02 AM

The Firepower 1010 only has two PoE-Ports. So all APs are connected to a switch. The VLANs for the Wireless users are configured on the Firepower for everything that is Guest and IoT as I want a strict access-control and the internal Users VLAN is configured on the switch. The connection between switch and Firewall is a Trunk in this case.

DHCP is always running on the device that holds the VLAN, but it could also be done on the internal DHCP-server.

Configuring the FTD will be a little bit more challenging, that device is not as easy to configure as the Meraki MX.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
In response to KarstenI
HaniAbuelkhair
Getting noticed
‎Dec 18 2020 12:35 PM
‎Dec 18 2020 12:35 PM

@KarstenI Thanks a lot this is very helpful 

0 Kudos
In response to HaniAbuelkhair
HaniAbuelkhair
Getting noticed
‎Jan 13 2021 5:44 AM
‎Jan 13 2021 5:44 AM

@KarstenI 

I have the FP1010 now with me 

The existing setup is

Meraki MX64 connected to 3 switches SG350MP, and I have 6 Meraki MR33 connected to the switches and getting the VLAN’s, and DHCP from the Meraki MX64

 

I need to remove the MX64 and replace it with FP1010

But in FP1010 I can configure Bridge group to connect the 3 switches with same subnet but can’t create VLAN’s on bridge group to support the Meraki AP VLANS, VLAN can be created as subinterface on an interface !

 

 

And how to configure the FP1010 as truck ?

 

Thanks in advance

 

port config.PNG

0 Kudos
In response to HaniAbuelkhair
KarstenI
Kind of a big deal
Kind of a big deal
‎Jan 13 2021 5:49 AM
‎Jan 13 2021 5:49 AM

In this setup, the FP1010-interfaces are configured as Switchports and you configure VLAN interfaces that you can map to these switchports as either Access or trunk. It is pretty much identical as it was done on the MX64. Just do not use Bridge-Groups on the FP1010.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
In response to KarstenI
HaniAbuelkhair
Getting noticed
‎Jan 13 2021 7:53 AM
‎Jan 13 2021 7:53 AM

port config.PNG

 

I am not sure if i get you correctly above is my interfaces 

I am using Ethernet 1/1, and Ethernet 1/2 as WAN interface 

And rest of the ports i need to use them to connect my 3 switches as a stunk on  VLAN 1 and create DHCP for all the uses, and allow other VLANs and then connect my Meraki MR33 to the switches for the staff SSID will get the VLAN DHCP and Guest ssid will use another VLAN 10 with its own DHCP from the FP 1010 similar to the Meraki 

 

If i removed the bridge then i need to configure the same VLAN's on all the ports which is not possible 

So how can add the all Ethernet ports on one group and start assign VLANs on them simialr to the Mx74   

Sorry but this is my 1st experience with FP if you can help will be really appreciated

0 Kudos
In response to HaniAbuelkhair
KarstenI
Kind of a big deal
Kind of a big deal
‎Jan 13 2021 10:12 AM
‎Jan 13 2021 10:12 AM

Are you running an old Firepower version? Switchports were introduced in 6.5 and 6.6.1 is the recommended version.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
In response to KarstenI
HaniAbuelkhair
Getting noticed
‎Jan 14 2021 6:33 AM
‎Jan 14 2021 6:33 AM

@KarstenI Thank you very much again 

Yes after upgrading my FP1010 i can see the switch port now so i have 2 smart switches connected to port 2 on the FP1010 and each one will be configured with switch port, with the native VLAN, and allowed VLAN 

Native VLAn 1

Guest wifi VLAN 10 (used by the meraki AP)

 

And then connect the switches to these ports, and connect the Meraki Ap's to the switches with trink port as well and VLANs will work i assumed 

0 Kudos
In response to HaniAbuelkhair
KarstenI
Kind of a big deal
Kind of a big deal
‎Jan 14 2021 7:20 AM
‎Jan 14 2021 7:20 AM

That's the way it should work. And if not, you know where to get help ... 😉

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.