For the L3 switch setup, instead of assigning an IP on the switch port (which you can't do on Meraki switches), you can use a transit VLAN. Basically, select a VLAN that's not in use anywhere else in your network, configure an L3 interface on the switch with that VLAN and the applicable IP, and set the port connecting to the 3rd party as an access port with that VLAN tag. You can then set up ACLs on the Meraki switch as per previous. For the method using the MX, that should also work. You'd probably configure it in routed mode with the LAN port facing the 3rd Party and the WAN port facing your network.