Community Record: 82 Posts, 13 Kudos, 2 Solutions
Sep 21 2023
5:45 AM
I see. I didn't take the Azure remote subnet into account. Thanks to you all... I will definitely look into the vMX.
Sep 20 2023
1:06 AM
I see. So Philip, I currently have an Azure VpnGw1 subscription which allows for multiple tunnels. There are 3 geographical locations with different static IPs - all of those locations point to one Azure Gateway IP, while the Azure Gateway has created 3 tunnels - one to each location. It's like a hub-and-spoke model with Azure being the hub. On the local MX side, I am not speaking of pointing the MX to a different Azure Gateway for some sort of gateway failover - I am just setting up another "spoke". It's just another spoke to the Azure central gateway... the only difference is it will be on WAN2 of the same local MX. The second circuit will be a totally different ISP with a totally different static IP block. Should this work?
Sep 19 2023
7:10 AM
I am certain we are just using the native Gateway connection for Azure. However, would the setup work without the vMX?
Sep 18 2023
10:16 PM
I have not tried this yet, and I may be overlooking some info in the knowledge base; however, maybe someone can give me a quick answer here. This is how I imagine setting up the MX:
WAN1 - Primary Circuit, Static IP, VPN to Azure
WAN2 - Secondary Circuit, Static IP, VPN to Azure
On the Azure side, I am certain I just need to configure 2 VPNs - one pointing to the MX primary circuit IP, the other pointing to the MX secondary circuit IP. On the MX side, I imagine I will just use the one Azure IP for the VPN connection. If the primary circuit fails, shouldn't the Azure side automatically connect to the MX's secondary VPN tunnel? Will this configuration cause any issues where the Azure side sends information to the secondary circuit IP? I would think not, due to the packets being marked with the initiating / sending IP address, then sending it back to that address.
Jun 12 2023
8:16 AM
Hi SaheedA, I just saw this today... I don't know how I overlooked something so simple, however, I figured it out a couple of weeks ago. Thank you for responding.
May 23 2023
7:08 AM
Installed a T-Mobile CradlePoint for a failover connection on WAN2... Testing it, I was not able to browse / resolve names, but was able to ping IPs just fine... I don't think it's an issue with the MX configuration; however, if anyone has encountered this issue when first setting up a CradlePoint, what were the steps for resolving it? I have the MX WAN2 connected to the CradlePoint's Port 1 - it's using DHCP to assign an IP... It's giving WAN2 a public IP and using T-Mobile's DNS IPs.
May 13 2023
4:55 PM
With the 50.x.x.196 /30 IP block: 50.x.x.197 as gateway and 50.x.x.198 as MX IP, the "VISIBLE" IP will always be the ...198... The 50.x.x.248 /29 usable IPs will never be visible through the MX85 with this particular IP setup. The only way we can get through is port forwarding, which means all the services they now have that point to separate public IPs will need to point to the one 50.x.x.98 - they don't want that; they want their usable IPs to be visible... So basically, we will just use the MX85 to replace the ASA 5616 and get a more basic router.
May 10 2023
8:42 PM
Good evening... Working on a few hours of sleep can have you overlooking a lot... After looking over the IPs earlier this morning, I realized that - yes - I am actually using the same IP range (so to speak)... Comcast gave the client a 50.x.x.196 /30 to use - ...197 gateway and ...198 MX IP - and in addition gave the client the usable IPs on 50.x.x.248 /29... No way we would have ever set up 1:1 NAT with that, especially with the client's IT team wanting to use an ASA behind the MX... I noticed that they opted out altogether of the Advantec router that Comcast rents out, so basically they need a simple router. BTW, the topology is Comcast Gateway > Comcast Ciena > MX85 > ASA 5611 > Servers
May 9 2023
1:16 PM
Should I have just not configured a LAN and left it to the default route 0.0.0.0? That would have allowed all traffic to flow to any of the public IPs on the other side. Correct?
May 9 2023
1:12 PM
In response to my last reply: Or should I have not configured a LAN at all?
May 9 2023
1:09 PM
The public IP for the MX is in a different /30 subnet... I should have specified that... The IP block is 50.x.x.196 /30... So the public IP for the MX is 50.x.x.198, and the Comcast gateway is 50.x.x.197... The usable static IPs are 50.x.x.248 /29 (6 usable IPs)... I had to initially add the 50.x.x.248/29 in order to assign the gateway (50.x.x.254) for the ASA on the inside, which has the IP 50.x.x.253.
May 9 2023
11:20 AM
A better list of the current settings:

MX85 WAN 1
Gateway: 50.x.x.x (Comcast Gateway IP)
Public: 50.x.x.x (Comcast Assigned Router Public IP)
Subnet: 255.255.255.252 (Comcast Assigned Subnet)

MX85 VLANs
1 - 50.x.x.x /29, MX IP: 50.x.x.254 (Comcast Assigned IP Block)
2 - 192.x.x.x /24 (Company's Internal IP Block)
Note: Uplink trunk port to firewall is set to allow all VLANs

MX85 Forwarding Rules (Just Added)
1:1 NAT to Mail Server
Public IP: 50.x.x.x
LAN IP: 192.x.x.x
Protocol: TCP, ICMP ping
Ports: xx
Remote IPs: Any

1:1 NAT to "Other" Server (Just Added)
Public IP: 50.x.x.x
LAN IP: 192.x.x.x
Protocol: TCP, ICMP ping
Ports: xx
Remote IPs: Any

MX85 DHCP: NOT CONFIGURED

ASA 5516
Public IP: 50.x.x.253
Gateway IP: 50.x.x.254
++++++
May 9 2023
11:16 AM
Have a client who wants to continue using their ASA 5516, but purchased an MX85 as their router for their new Comcast circuit. They have multiple static public IPs for their on-prem servers. The gateway and public IP are set correctly in the MX85 and we got connectivity... I set a single LAN of their usable public IP block 50.x.x.x /29 and set the MX IP to 50.x.x.254. They assigned their ASA 5516 one of the usable public IPs, 50.x.x.253. We can get traffic from inside the network; however, we cannot get to the public IPs from outside the network. It slipped my mind to set the 1:1 NATs, so I had to change the routing configuration from Single VLAN to Multiple VLANs and add their local LAN IP block 192.x.x.x /24. Their LAN gateway is 192.x.x.1 - I did not know how it would affect the routing if I added that same gateway IP as the MX IP in the VLAN configuration, so I just added 192.x.x.254... Because they are not using the MX85 for DHCP, I did not enable it; however, it now allows me to successfully add the 1:1 NATs using the public and local IPs for the servers. I have not tested this yet - I won't be working on this until tomorrow. I would like to know if anyone has had this setup before and, if so, whether you were able to set up the configuration so that you could ping directly through to the public IPs.

++++++
A quick overview of my settings:

MX85 WAN 1
Gateway: 50.x.x.x (Comcast Gateway IP)
Public: 50.x.x.x (Comcast Assigned Router Public IP)
Subnet: 255.255.255.252 (Comcast Assigned Subnet)

MX85 VLANs
1 - 50.x.x.x /29, MX IP: 50.x.x.254 (Comcast Assigned IP Block)
2 - 192.x.x.x /24 (Company's Internal IP Block)
Note: Uplink trunk port to firewall is set to allow all VLANs

MX85 Forwarding Rules (Just Added)
1:1 NAT to Mail Server
Public IP: 50.x.x.x
LAN IP: 192.x.x.x
Protocol: TCP, ICMP ping
Ports: xx
Remote IPs: Any

1:1 NAT to "Other" Server (Just Added)
Public IP: 50.x.x.x
LAN IP: 192.x.x.x
Protocol: TCP, ICMP ping
Ports: xx
Remote IPs: Any

MX85 DHCP: NOT CONFIGURED

ASA 5516
Public IP: 50.x.x.253
Gateway IP: 50.x.x.254
++++++

FYI: We are unable to add IPv4 inbound firewall rules. The IT team managing the firewall could not remote in on port 22... We had to create a port forward to the 50.x.x.253 and they had to use the MX85 public IP to get in; however, they still cannot ping through to the IP.
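As an added check for the MX85 / ASA settings listed in the two posts above (this is example code, not from the posts or from Meraki), the script below validates that the WAN /30, the routed /29 and each 1:1 NAT rule are consistent with each other and flags rules open to any remote IP. The concrete addresses are constructed placeholders for the redacted 50.x.x.x and 192.x.x.x values; only the prefix lengths and last octets follow the posts.

```python
import ipaddress

# Constructed placeholder values standing in for the redacted 50.x.x.x / 192.x.x.x
# addresses in the posts; only the prefix lengths and last octets follow the posts.
WAN_BLOCK = ipaddress.ip_network("50.0.0.196/30")        # Comcast-assigned /30 for WAN 1
WAN_GATEWAY = ipaddress.ip_address("50.0.0.197")         # Comcast gateway
MX_WAN_IP = ipaddress.ip_address("50.0.0.198")           # MX85 public (WAN) IP
USABLE_BLOCK = ipaddress.ip_network("50.0.0.248/29")     # usable static block (VLAN 1)
MX_VLAN_IP = ipaddress.ip_address("50.0.0.254")          # MX IP on VLAN 1, the ASA's gateway
ASA_PUBLIC_IP = ipaddress.ip_address("50.0.0.253")       # ASA 5516 outside IP
INTERNAL_VLAN = ipaddress.ip_network("192.168.10.0/24")  # VLAN 2, company LAN

def usable_public_ips():
    """Host addresses of the /29 that can be mapped with 1:1 NAT (6 for a /29)."""
    return [str(h) for h in USABLE_BLOCK.hosts()]

def check_addressing():
    """Sanity checks on the WAN /30, the routed /29 and the ASA sitting behind the MX."""
    findings = []
    if not (MX_WAN_IP in WAN_BLOCK and WAN_GATEWAY in WAN_BLOCK):
        findings.append("MX WAN IP and Comcast gateway must both sit in the WAN /30")
    if WAN_BLOCK.overlaps(USABLE_BLOCK):
        findings.append("usable /29 overlaps the WAN /30")
    for name, ip in (("MX VLAN IP", MX_VLAN_IP), ("ASA public IP", ASA_PUBLIC_IP)):
        if str(ip) not in usable_public_ips():
            findings.append(f"{name} {ip} is not a usable host of the /29")
    return findings

def check_nat_rules(rules):
    """rules: dicts with 'public', 'lan' and optional 'remote'. Returns findings (empty if clean)."""
    findings, seen = [], set()
    for r in rules:
        pub, lan = ipaddress.ip_address(r["public"]), ipaddress.ip_address(r["lan"])
        if str(pub) not in usable_public_ips():
            findings.append(f"{pub}: public IP is not a usable host of the routed /29")
        if pub in (MX_VLAN_IP, ASA_PUBLIC_IP):
            findings.append(f"{pub}: public IP is already used by the MX or the ASA")
        if lan not in INTERNAL_VLAN:
            findings.append(f"{lan}: LAN IP is outside the internal VLAN")
        if pub in seen:
            findings.append(f"{pub}: mapped by more than one 1:1 NAT rule")
        seen.add(pub)
        # The posts' rules use "Remote IPs: Any"; flag that so it is a conscious choice.
        if r.get("remote", "Any") == "Any":
            findings.append(f"{pub}: rule accepts any remote IP; restrict if peers are known")
    return findings
```
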
Apr 14 2022
8:53 PM
1 Kudo
Thanks for both of your feedback... given you both gave me the answer I needed, I did an eeny, meeny, miny, moe to choose an accepted solution... THANK YOU BOTH!
Apr 14 2022
8:18 AM
This is similar to a previous post where I have a client that is actually set up with this ISP, where the ISP is actually a middleman and not a full-blown ISP. Basically, this is a situation with a switch between the ISP router and the client firewall. The ISP has a router on their end with a switch passing traffic to another switch at the client location, where the client has a firewall connected to that switch. The ISP is connected to a major ISP (Comcast or Cogent), so the small ISP has the public IP configured on their router with a private IP for the client router... This is rendering VPN connectivity unsuccessful; however, I think port forwarding may help as one solution. My question is: if the small ISP guys obtain a block of multiple public static IPs, can they simply configure the client firewall with one of those IPs - will this work without needing to configure port forwarding?
Labels: Other
Apr 1 2022
11:04 AM
So, how exactly do you configure a switch port for a WAN port, then the others uplinked to the firewalls, when you just have one ISP port and one IP?
Mar 30 2022
5:40 PM
1 Kudo
I haven't done this before, but I am sure this has been done on several occasions: I have a client that has only 1 IP address and limited ports on his ISP's modem - they want to set up a redundant firewall pair (MX105s)... they want to place a switch in between to make this possible. I don't think this is a good idea due to adding a single point of failure into the WAN setup, and I think the cost of using a switch is more than it would be to just get another static IP... however... this is what they want... Any suggestions?
Jan 7 2022
7:32 AM
2 Kudos
I got word from the low voltage team that they are only setting up 2 IDFs (although there are 3 floors) - Basement and 2nd Floor. This changes my design... I am going to stack the MS225-48LP switches (1 stack per floor)... I am also installing some MS350-24X for the mGig ports for MR56 WAP uplinks - these will be a separate stack per floor... Since 2 separate switches can be directly connected to the MX with no STP issues, maybe I will go with connecting a core MS350-24X and a core MS225-48LP to the MX... I will test that out first... but overall, I may just go the easier route. Thank you all for your input - you all really helped me out.
Jan 6 2022
4:33 PM
@KarstenI What the link mentioned is to configure L3 switching on the switches, but I don't think I need to complicate it further if adding a core switch will not affect speed or throughput in any way. @Tore @KarstenI I reviewed the link: What I got from it is that even with the switches connected to the firewall independently of each other, like a star topology - not mesh - with no loops possible, because the switches are on the same broadcast domain, it will still pass BPDUs over the MX uplinks and carry out the STP process between the switches; thus, only one switch can still be the ROOT bridge... In order to determine a root bridge between 3 or more switches, it seems the switches need to be directly uplinked to each other and able to process BPDUs, correct?? So, as the Meraki link states, more than 2 switches cannot complete the STP process if they are uplinked to an MX independently of each other; although this will not cause a loop, it can lead to the ports going into an unknown state due to the inability to determine a root? This could be remedied by disabling STP, but this cannot be done if redundant links are to be utilized. In conclusion, there is no work-around, and going with the "traditional" setup with a core switch is best in this situation.
Jan 6 2022
8:09 AM
I will be using an MX250 - it has 8 SFP+ (10Gb) ports, which should be enough to connect the other 2 switch stacks with redundant fiber uplinks. The first switch stack will only use 2 of those SFP+ ports per firewall. You don't think there would be any difference in using the MDF access switch stack as a core?
Jan 6 2022
7:35 AM
@KarstenI @AjitKumar Because there are not enough funds for both an actual aggregation switch for the core and firewall redundancy, I chose firewall redundancy due to this environment's heavy dependency on internet connectivity. The number of users is actually going to be pretty high - hundreds of users per day. I was thinking of this design for that reason - with the amount of internet traffic, this design might improve the throughput by eliminating a device. I usually see networks where there is a core switch, but it is functioning dually as a core and access switch that also has end devices connected to it... I would think this has an effect on the downstream traffic because it's busy switching between both end points and access switches. So, given the nature of this particular network, I would actually be doing the same if I go with the "traditional" design. That said, wouldn't eliminating the core switch and uplinking the access switch stacks directly to the firewall provide a more "sufficient" connection?
Jan 6 2022
1:57 AM
2 Kudos
I've been thinking about an adequate design for a new client... This client will need a very "modern" setup - no servers on premises (VPN to Azure), and heavily reliant on internet connectivity... This is more like a members club with lots of members that will be utilizing Wi-Fi only for internet connectivity. VPN usage to Azure is mainly for credit card transactions between the client's point-of-sale system and the merchant application on Azure, as well as some live streaming between the client location and the web server on Azure. I know that in most cases there will be a core or collapsed core design that the access level switches are connected to; however, this particular LAN has almost no need for it - almost all traffic is directed to the web. The firewall will be handling DHCP and VLAN traffic. I have 3 floors, and each floor has an access switch stack (of about 2 switches). I was thinking, instead of using a core switch of any kind (which is also limited by budget), of just fiber uplinking each switch stack directly to the firewall... any thoughts on that??
Sorry, I should have included more detail: We will be installing redundant MX250 firewalls at the client location... The circuit will eventually be upgraded to at least 2-3Gbps, hence the MX250s to handle the bandwidth... This news was just sprung on us about how the ISP is set up - we were thinking it would be like the usual setup with the ISP modem on-premise... we cannot place the firewalls in their data center because they do not provide enough fiber pairs for redundant uplinks... So, we are stuck with adding a switch at their data center and having it pass the traffic to the client location.
I have a client with a new location opening. They negotiated with an ISP for service without IT involvement... This ISP basically acts as a "hub", requiring the customer to provide a switch, router, or firewall to go into the ISP's data center, which then passes traffic to the customer's location. I cannot put both of our firewalls there because the ISP only allows 1 fiber pair out - so there is no way to achieve a redundant connection back to the location. Any suggestions for a small switch with SFP+ ports that will pass multi-gigabit traffic?